return fix for Arbitrary Path Access

cli/flags/base.go

@@ -3,7 +3,6 @@ package flags
 import (
 	"fmt"
 	"path/filepath"
-	"strings"
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@@ -64,8 +63,8 @@ func BindBaseFlags(cmd *cobra.Command) error {
 	if OutputPath != "" {
 		OutputPath = filepath.Clean(OutputPath)
 	}
-	if strings.Contains(OutputPath, "..") {
-		return fmt.Errorf("😥 outputPath cant contain traversal")
+	if !filepath.IsLocal(OutputPath) {
+		return fmt.Errorf("😥 wrong OutputPath flag")
 	}
 	if err := cli_utils.CreateDirIfNotExist(OutputPath); err != nil {
 		return err
@@ -74,8 +73,8 @@ func BindBaseFlags(cmd *cobra.Command) error {
 	LogFormat = viper.GetString("logFormat")
 	LogLevelFormat = viper.GetString("logLevelFormat")
 	LogFilePath = viper.GetString("logFilePath")
-	if strings.Contains(LogFilePath, "..") {
-		return fmt.Errorf("😥 logFilePath cant contain traversal")
+	if !filepath.IsLocal(LogFilePath) {
+		return fmt.Errorf("😥 wrong logFilePath flag")
 	}
 	return nil
 }

cli/flags/init.go

@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"strings"
 
 	"github.com/attestantio/go-eth2-client/spec/phase0"
 	"github.com/ethereum/go-ethereum/common"
@@ -103,7 +102,7 @@ func BindInitiatorBaseFlags(cmd *cobra.Command) error {
 	if OperatorsInfoPath == "" && OperatorsInfo == "" {
 		return fmt.Errorf("😥 operators info should be provided either as a raw JSON string, or path to a file")
 	}
-	if OperatorsInfoPath != "" && strings.Contains(OperatorsInfoPath, "..") {
+	if OperatorsInfoPath != "" && !filepath.IsLocal(OperatorsInfoPath) {
 		return fmt.Errorf("😥 wrong operatorsInfoPath flag")
 	}
 	owner := viper.GetString("owner")
@@ -129,8 +128,8 @@ func BindInitiatorBaseFlags(cmd *cobra.Command) error {
 			return fmt.Errorf("😥 TLS CA certs path should be provided, overwise set 'TLSInsecure' flag to true")
 		} else {
 			for _, certPath := range ClientCACertPath {
-				if strings.Contains(filepath.Clean(certPath), "..") {
-					return fmt.Errorf("😥 wrong clientCACertPath flag, should not contain '..' path traversal")
+				if !filepath.IsLocal(certPath) {
+					return fmt.Errorf("😥 wrong clientCACertPath flag")
 				}
 			}
 		}
@@ -180,7 +179,7 @@ func SetViperConfig(cmd *cobra.Command) error {
 		return err
 	}
 	ConfigPath = viper.GetString("configPath")
-	if ConfigPath != "" && filepath.Clean(ConfigPath) != "" && !strings.Contains(ConfigPath, "..") {
+	if ConfigPath != "" && filepath.Clean(ConfigPath) != "" && filepath.IsLocal(ConfigPath) {
 		stat, err := os.Stat(ConfigPath)
 		if err != nil {
 			return err

cli/flags/operator.go

@@ -3,7 +3,6 @@ package flags
 import (
 	"fmt"
 	"path/filepath"
-	"strings"
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@@ -72,26 +71,26 @@ func BindOperatorFlags(cmd *cobra.Command) error {
 	}
 	PrivKey = filepath.Clean(viper.GetString("privKey"))
 	PrivKeyPassword = filepath.Clean(viper.GetString("privKeyPassword"))
-	if strings.Contains(PrivKey, "..") {
-		return fmt.Errorf("😥 Failed to get private key path flag value")
+	if !filepath.IsLocal(PrivKey) {
+		return fmt.Errorf("😥 wrong key path flag value")
 	}
-	if strings.Contains(PrivKeyPassword, "..") {
-		return fmt.Errorf("😥 Failed to get password for private key flag value")
+	if !filepath.IsLocal(PrivKeyPassword) {
+		return fmt.Errorf("😥 wrong password for private key flag value")
 	}
 	Port = viper.GetUint64("port")
 	if Port == 0 {
-		return fmt.Errorf("😥 Wrong port provided")
+		return fmt.Errorf("😥 wrong port provided")
 	}
 	OperatorID = viper.GetUint64("operatorID")
 	if OperatorID == 0 {
-		return fmt.Errorf("😥 Wrong operator ID provided")
+		return fmt.Errorf("😥 wrong operator ID provided")
 	}
 	ServerTLSCertPath = filepath.Clean(viper.GetString("serverTLSCertPath"))
-	if strings.Contains(ServerTLSCertPath, "..") {
+	if !filepath.IsLocal(ServerTLSCertPath) {
 		return fmt.Errorf("😥 wrong serverTLSCertPath flag")
 	}
 	ServerTLSKeyPath = filepath.Clean(viper.GetString("serverTLSKeyPath"))
-	if strings.Contains(ServerTLSKeyPath, "..") {
+	if !filepath.IsLocal(ServerTLSKeyPath) {
 		return fmt.Errorf("😥 wrong serverTLSKeyPath flag")
 	}
 	EthEndpointURL = viper.GetString("ethEndpointURL")

cli/flags/reshare.go

@@ -3,7 +3,6 @@ package flags
 import (
 	"fmt"
 	"path/filepath"
-	"strings"
 
 	"github.com/attestantio/go-eth2-client/spec/phase0"
 	"github.com/spf13/cobra"
@@ -103,7 +102,7 @@ func BindGenerateReshareMsgFlags(cmd *cobra.Command) error {
 	if OperatorsInfoPath == "" && OperatorsInfo == "" {
 		return fmt.Errorf("😥 operators info should be provided either as a raw JSON string, or path to a file")
 	}
-	if OperatorsInfoPath != "" && strings.Contains(OperatorsInfoPath, "..") {
+	if OperatorsInfoPath != "" && !filepath.IsLocal(OperatorsInfoPath) {
 		return fmt.Errorf("😥 wrong operatorsInfoPath flag")
 	}
 	OperatorIDs = viper.GetStringSlice("operatorIDs")
@@ -125,7 +124,7 @@ func BindGenerateReshareMsgFlags(cmd *cobra.Command) error {
 	if ProofsFilePath != "" && ProofsString != "" {
 		return fmt.Errorf("😥 proofs can be provided either as a string, or path to a file, not both")
 	}
-	if ProofsFilePath != "" && strings.Contains(ProofsFilePath, "..") {
+	if !filepath.IsLocal(ProofsFilePath) {
 		return fmt.Errorf("😥 wrong proofsFilePath flag")
 	}
 	withdrawAddr := viper.GetString("withdrawAddress")
@@ -182,8 +181,8 @@ func BindReshareFlags(cmd *cobra.Command) error {
 			return fmt.Errorf("😥 TLS CA certs path should be provided, overwise set 'TLSInsecure' flag to true")
 		} else {
 			for _, certPath := range ClientCACertPath {
-				if strings.Contains(filepath.Clean(certPath), "..") {
-					return fmt.Errorf("😥 wrong clientCACertPath flag, should not contain '..' path traversal")
+				if !filepath.IsLocal(certPath) {
+					return fmt.Errorf("😥 wrong clientCACertPath flag")
 				}
 			}
 		}

cli/flags/resign.go

@@ -3,7 +3,6 @@ package flags
 import (
 	"fmt"
 	"path/filepath"
-	"strings"
 
 	"github.com/attestantio/go-eth2-client/spec/phase0"
 	"github.com/spf13/cobra"
@@ -87,7 +86,7 @@ func BindGenerateResignMsgFlags(cmd *cobra.Command) error {
 	if OperatorsInfoPath == "" && OperatorsInfo == "" {
 		return fmt.Errorf("😥 operators info should be provided either as a raw JSON string, or path to a file")
 	}
-	if OperatorsInfoPath != "" && strings.Contains(OperatorsInfoPath, "..") {
+	if OperatorsInfoPath != "" && !filepath.IsLocal(OperatorsInfoPath) {
 		return fmt.Errorf("😥 wrong operatorsInfoPath flag")
 	}
 	owner := viper.GetString("owner")
@@ -110,7 +109,7 @@ func BindGenerateResignMsgFlags(cmd *cobra.Command) error {
 	if ProofsFilePath != "" && ProofsString != "" {
 		return fmt.Errorf("😥 proofs can be provided either as a string, or path to a file, not both")
 	}
-	if ProofsFilePath != "" && strings.Contains(ProofsFilePath, "..") {
+	if !filepath.IsLocal(ProofsFilePath) {
 		return fmt.Errorf("😥 wrong proofsFilePath flag")
 	}
 	withdrawAddr := viper.GetString("withdrawAddress")
@@ -158,8 +157,8 @@ func BindResigningFlags(cmd *cobra.Command) error {
 			return fmt.Errorf("😥 TLS CA certs path should be provided, overwise set 'TLSInsecure' flag to true")
 		} else {
 			for _, certPath := range ClientCACertPath {
-				if strings.Contains(filepath.Clean(certPath), "..") {
-					return fmt.Errorf("😥 wrong clientCACertPath flag, should not contain '..' path traversal")
+				if !filepath.IsLocal(certPath) {
+					return fmt.Errorf("😥 wrong clientCACertPath flag")
 				}
 			}
 		}

cli/flags/verify.go

@@ -3,7 +3,6 @@ package flags
 import (
 	"fmt"
 	"path/filepath"
-	"strings"
 
 	"github.com/attestantio/go-eth2-client/spec/phase0"
 	"github.com/spf13/cobra"
@@ -48,7 +47,7 @@ func BindVerifyFlags(cmd *cobra.Command) error {
 		return err
 	}
 	CeremonyDir = filepath.Clean(viper.GetString("ceremonyDir"))
-	if strings.Contains(CeremonyDir, "..") {
+	if !filepath.IsLocal(CeremonyDir) {
 		return fmt.Errorf("😥 wrong CeremonyDir flag")
 	}
 	owner := viper.GetString("owner")