<fix>(build,utils): upgrade dependencies, fix path manipulation bug. (#…

…27)
WeBankBlockchain · Mar 21, 2023 · 45a252b · 45a252b
1 parent 6c5ad1f
commit 45a252b
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 2 deletions.
diff --git a/Changelog.md b/Changelog.md
@@ -5,8 +5,9 @@
 **更新**
 
 * log4j版本升级至2.19
+* 更新gson、snakeyaml版本以修复安全问题
 * WeCross stub 版本号更新到1.3.0
-*去除netty和tcnative的依赖
+  * 去除netty和tcnative的依赖
 
 ### v1.2.1
 

diff --git a/build.gradle b/build.gradle
@@ -54,8 +54,12 @@ List logger = [
 dependencies {
     compile logger
 
-    implementation 'com.moandjiezana.toml:toml4j:0.7.2'
+    implementation ('com.moandjiezana.toml:toml4j:0.7.2') {
+        exclude group: 'com.google.code.gson', module: 'gson'
+    }
+    implementation 'com.google.code.gson:gson:2.8.9'
     implementation 'org.slf4j:slf4j-api:1.7.32'
+    implementation 'org.yaml:snakeyaml:2.0'
 
     // Fabric
     implementation 'javassist:javassist:3.12.1.GA'

diff --git a/src/main/java/com/webank/wecross/stub/fabric2/account/FabricAccountFactory.java b/src/main/java/com/webank/wecross/stub/fabric2/account/FabricAccountFactory.java
@@ -273,6 +273,8 @@ public static PrivateKey buildPemPrivateKey(String keyContent) throws Exception
     }
 
     public static String loadPemCert(String certPath) throws Exception {
+        // to avoid path manipulation
+        certPath = certPath.replace("..", "");
         if (certPath.indexOf("classpath:") == 0) {
             PathMatchingResourcePatternResolver resolver =
                     new PathMatchingResourcePatternResolver();

diff --git a/src/main/java/com/webank/wecross/stub/fabric2/utils/FabricUtils.java b/src/main/java/com/webank/wecross/stub/fabric2/utils/FabricUtils.java
@@ -44,6 +44,8 @@ public static long bytesToLong(byte[] bytes) {
 
     public static String getPath(String fileName) throws Exception {
         try {
+            // to avoid path manipulation
+            fileName = fileName.replace("..", "");
             if (fileName.indexOf("classpath:") != 0) {
                 return fileName;
             }
@@ -62,6 +64,8 @@ public static String getPath(String fileName) throws Exception {
 
     public static String readFileContent(String fileName) throws Exception {
         try {
+            // to avoid path manipulation
+            fileName = fileName.replace("..", "");
             Path path;
 
             if (fileName.indexOf("classpath:") != 0) {