diff --git a/Changelog.md b/Changelog.md
index eccf292..3e66050 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -5,8 +5,9 @@ **更新** * log4j版本升级至2.19 +* 更新gson、snakeyaml版本以修复安全问题 * WeCross stub 版本号更新到1.3.0 - *去除netty和tcnative的依赖 + * 去除netty和tcnative的依赖 ### v1.2.1
diff --git a/build.gradle b/build.gradle
index f4717c3..1798e16 100644
--- a/build.gradle
+++ b/build.gradle
@@ -55,10 +55,13 @@ List logger = [
 dependencies {
     compile logger
-    implementation 'com.moandjiezana.toml:toml4j:0.7.2'
+    implementation ('com.moandjiezana.toml:toml4j:0.7.2') {
+        exclude group: 'com.google.code.gson', module: 'gson'
+    }
+    implementation 'com.google.code.gson:gson:2.8.9'
     implementation 'org.slf4j:slf4j-api:1.7.36'
     implementation 'com.google.guava:guava:30.1-jre'
-    implementation 'org.yaml:snakeyaml:1.27'
+    implementation 'org.yaml:snakeyaml:2.0'
     // Fabric
     implementation 'javassist:javassist:3.12.1.GA'
diff --git a/src/main/java/com/webank/wecross/account/FabricAccountFactory.java b/src/main/java/com/webank/wecross/account/FabricAccountFactory.java
index 38e7b9a..d6b3ff5 100644
--- a/src/main/java/com/webank/wecross/account/FabricAccountFactory.java
+++ b/src/main/java/com/webank/wecross/account/FabricAccountFactory.java
@@ -265,6 +265,9 @@ public static PrivateKey buildPemPrivateKey(String keyContent) throws Exception
     }
 
     public static String loadPemCert(String certPath) throws Exception {
+
+        // to avoid path manipulation
+        certPath = certPath.replace("..", "");
         if (certPath.indexOf("classpath:") == 0) {
             PathMatchingResourcePatternResolver resolver =
                     new PathMatchingResourcePatternResolver();
diff --git a/src/main/java/com/webank/wecross/utils/FabricUtils.java b/src/main/java/com/webank/wecross/utils/FabricUtils.java
index ac56f8f..160f43c 100644
--- a/src/main/java/com/webank/wecross/utils/FabricUtils.java
+++ b/src/main/java/com/webank/wecross/utils/FabricUtils.java
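Review bot: Deleting `..` from certPath is a denylist that rewrites the input instead of rejecting it, so it neither blocks an absolute path such as `/etc/ssl/private/server.key` nor preserves legitimate relative paths — `../certs/ca.pem` silently becomes `/certs/ca.pem`, a different and now absolute location, and a file name that merely contains `..` is mangled. For the non-classpath branch the robust check is containment against the directory the certificates are expected to live in, presumably available from the caller's configuration: `Path resolved = baseDir.resolve(certPath).normalize(); if (!resolved.startsWith(baseDir)) throw new IllegalArgumentException("certificate path escapes base directory: " + certPath);`. The identical line is added in FabricUtils.getPath and FabricUtils.readFileContent in this same commit; one shared validation helper would keep the three copies from drifting. loadPemCert's body continues past the end of the hunk, so how the non-classpath path is opened is not visible here.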
@@ -44,6 +44,8 @@ public static long bytesToLong(byte[] bytes) {
     public static String getPath(String fileName) throws Exception {
         try {
+            // to avoid path manipulation
+            fileName = fileName.replace("..", "");
             if (fileName.indexOf("classpath:") != 0) {
                 return fileName;
             }
@@ -62,6 +64,8 @@ public static String getPath(String fileName) throws Exception {
     public static String readFileContent(String fileName) throws Exception {
         try {
+            // to avoid path manipulation
+            fileName = fileName.replace("..", "");
             Path path;
             if (fileName.indexOf("classpath:") != 0) {
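Review bot: The added `fileName.replace("..", "")` does not close the traversal it targets, because the very next lines return any non-`classpath:` name unchanged, so an absolute path like `/etc/passwd` still passes straight through; it also rewrites rather than rejects, turning `../conf/stub.toml` into `/conf/stub.toml`, a different location, with no error to the caller. If callers can supply arbitrary names, validate against an allowed base directory (java.nio.file.Path is already in scope in this file, as `Path path;` in the next hunk shows): `Path resolved = baseDir.resolve(fileName).normalize(); if (!resolved.startsWith(baseDir)) throw new IllegalArgumentException("path escapes base directory: " + fileName);`. The same replace is duplicated in readFileContent below and in FabricAccountFactory.loadPemCert; a single private helper would keep the three in step. getPath's body continues past the end of this hunk.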