From daf136f35c54771c3539f8033e600d870e7d17dd Mon Sep 17 00:00:00 2001
From: Bhaskara Ram
Date: Sun, 11 Aug 2024 22:36:34 +0530
Subject: [PATCH 1/2] Prevent Path Traversal sanitizePath Function: This function checks if the file path is valid and safely contained within an allowed directory. It converts the path to an absolute path, resolves any symlinks, and checks if the path starts with the specified allowed directory.
---
 venus-devtool/inline-gen/main.go | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/venus-devtool/inline-gen/main.go b/venus-devtool/inline-gen/main.go
index cbaea8c209..8c64840ed5 100644
--- a/venus-devtool/inline-gen/main.go
+++ b/venus-devtool/inline-gen/main.go
@@ -20,7 +20,13 @@ const (
 var data = map[string]interface{}{}
 func main() {
- db, err := os.ReadFile(os.Args[2])
+ // Validate and sanitize the file path
+ jsonFilePath, err := sanitizePath(os.Args[2])
+ if err != nil {
+ log.Fatalf("Invalid file path: %v", err)
+ }
+
+ db, err := os.ReadFile(jsonFilePath)
 if err != nil {
 log.Fatalf("Error reading file: %v", err)
 }
@@ -34,6 +40,25 @@ func main() {
 }
 }
+func sanitizePath(p string) (string, error) {
+ // Ensure the path is absolute
+ absPath, err := filepath.Abs(p)
+ if err != nil {
+ return "", err
+ }
+
+ // Resolve any symlinks and clean the path
+ cleanPath := filepath.Clean(absPath)
+
+ // Check if the path is within a specific allowed directory
+ allowedDir := "/your/safe/directory"
+ if !strings.HasPrefix(cleanPath, allowedDir) {
+ return "", fmt.Errorf("attempted path traversal outside of allowed directory")
+ }
+
+ return cleanPath, nil
+}
+
 func processFile(path string, info os.FileInfo, err error) error {
 if err != nil {
 return err
From 135c26f2ad3569a05a8baf4a400e51ca0aa7735f Mon Sep 17 00:00:00 2001
From: Bhaskara Ram
Date: Mon, 12 Aug 2024 16:03:07 +0530
Subject: [PATCH 2/2] FIX TYPO
---
 venus-devtool/inline-gen/main.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
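Review bot: The new code still reads `os.Args[2]` without checking `len(os.Args)`, so invoking the tool with fewer arguments panics with an index-out-of-range before the new validation ever runs; a guard such as `if len(os.Args) < 3 { log.Fatal("missing json file argument") }` placed ahead of the sanitizePath call turns that into a clear message. main begins in this hunk but its body continues past it.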
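Review bot: `filepath.Clean` does not resolve symlinks, so the comment "Resolve any symlinks and clean the path" and the commit description overstate what sanitizePath does — a link inside allowedDir that points elsewhere passes the check — and since `filepath.Abs` already cleans, the Clean call adds nothing. The containment test is also a bare string prefix: with allowedDir lacking a trailing separator, a sibling such as `/your/safe/directory-other/x` satisfies `strings.HasPrefix`. Resolving the candidate with `filepath.EvalSymlinks` (which requires the file to exist, acceptable here since it is read immediately afterwards), resolving allowedDir the same way so both sides are canonical, and testing containment with `filepath.Rel` closes both gaps. The same lines are touched again by the second patch in this series, which only swaps the constant, so the sketch below is written against the placeholder value.
```go
func sanitizePath(p string) (string, error) {
	// … unchanged: filepath.Abs(p) and its error check …

	// filepath.Abs already cleans; EvalSymlinks is what actually resolves
	// links, so the comparison below sees the real location of the file.
	realPath, err := filepath.EvalSymlinks(absPath)
	if err != nil {
		return "", err
	}

	// Resolve the allowed root the same way so both sides of the check are canonical.
	allowedDir, err := filepath.EvalSymlinks("/your/safe/directory")
	if err != nil {
		return "", err
	}

	// filepath.Rel lands the containment test on a directory boundary; a bare
	// prefix test also accepts siblings like allowedDir+"-other".
	rel, err := filepath.Rel(allowedDir, realPath)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("attempted path traversal outside of allowed directory")
	}

	return realPath, nil
}
```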
diff --git a/venus-devtool/inline-gen/main.go b/venus-devtool/inline-gen/main.go
index 8c64840ed5..b997e6be0d 100644
--- a/venus-devtool/inline-gen/main.go
+++ b/venus-devtool/inline-gen/main.go
@@ -51,7 +51,7 @@ func sanitizePath(p string) (string, error) {
 cleanPath := filepath.Clean(absPath)
 // Check if the path is within a specific allowed directory
- allowedDir := "/your/safe/directory"
+ allowedDir := "/venus/inline-gen/"
 if !strings.HasPrefix(cleanPath, allowedDir) {
 return "", fmt.Errorf("attempted path traversal outside of allowed directory")
 }
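Review bot: `allowedDir := "/venus/inline-gen/"` is still an absolute location hard-coded into a tool whose input file comes from the command line, so on a checkout that does not live at exactly that path every input is rejected; the commit title calls this a typo fix, but it reads as a second placeholder. Deriving the root at runtime, for example `allowedDir, err := os.Getwd()` (resolved through `filepath.EvalSymlinks` to match the checked path) or taking it as a flag, keeps the check meaningful wherever the repository sits. The trailing separator in the new value does stop a bare prefix test from accepting sibling directories, which the previous value allowed, so it should be kept if the prefix test stays. sanitizePath starts and ends outside this hunk.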