fix filepath not cleaned from potential variable inclusion error

app/state.go

@@ -6,6 +6,7 @@ import (
 	"io"
 	"math/rand"
 	"os"
+	"path/filepath"
 	"time"
 
 	sdkmath "cosmossdk.io/math"
@@ -58,7 +59,7 @@ func StateFn(cdc codec.JSONCodec, simManager *module.SimulationManager) simtypes
 
 		case config.ParamsFile != "":
 			appParams := make(simtypes.AppParams)
-			bz, err := os.ReadFile(config.ParamsFile)
+			bz, err := os.ReadFile(filepath.Clean(config.ParamsFile))
 			if err != nil {
 				panic(err)
 			}
@@ -216,7 +217,7 @@ func StateRandomizedFn(
 // StateFromGenesisFileFn util function to generate the genesis AppState
 // from a genesis.json file.
 func StateFromGenesisFileFn(r io.Reader, cdc codec.JSONCodec, genesisFile string) (tmtypes.GenesisDoc, []simtypes.Account) {
-	bytes, err := os.ReadFile(genesisFile)
+	bytes, err := os.ReadFile(filepath.Clean(genesisFile))
 	if err != nil {
 		panic(err)
 	}

memiavl/mmap.go

@@ -2,6 +2,7 @@ package memiavl
 
 import (
 	"os"
+	"path/filepath"
 
 	"github.com/hashicorp/go-multierror"
 	"github.com/ledgerwatch/erigon-lib/mmap"
@@ -18,7 +19,7 @@ type MmapFile struct {
 // Open openes the file and create the mmap.
 // the mmap is created with flags: PROT_READ, MAP_SHARED, MADV_RANDOM.
 func NewMmap(path string) (*MmapFile, error) {
-	file, err := os.Open(path)
+	file, err := os.Open(filepath.Clean(path))
 	if err != nil {
 		return nil, err
 	}

memiavl/snapshot.go

@@ -67,7 +67,7 @@ func NewEmptySnapshot(version uint32) *Snapshot {
 // and mmap the other files.
 func OpenSnapshot(snapshotDir string) (*Snapshot, error) {
 	// read metadata file
-	bz, err := os.ReadFile(filepath.Join(snapshotDir, FileNameMetadata))
+	bz, err := os.ReadFile(filepath.Clean(filepath.Join(snapshotDir, FileNameMetadata)))
 	if err != nil {
 		return nil, err
 	}
@@ -306,7 +306,7 @@ func (t *Tree) WriteSnapshot(snapshotDir string) (returnErr error) {
 		}
 
 		// re-open kvs file for reading
-		input, err := os.Open(kvsFile)
+		input, err := os.Open(filepath.Clean(kvsFile))
 		if err != nil {
 			return err
 		}
@@ -501,5 +501,5 @@ func Mmap(f *os.File) ([]byte, *[mmap.MaxMapSize]byte, error) {
 }
 
 func createFile(name string) (*os.File, error) {
-	return os.OpenFile(name, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
+	return os.OpenFile(filepath.Clean(name), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
 }

versiondb/client/changeset.go

@@ -8,6 +8,7 @@ import (
 	"io"
 	"math/bits"
 	"os"
+	"path/filepath"
 	"sort"
 	"strings"
 
@@ -199,7 +200,7 @@ func openChangeSetFile(fileName string) (ReadCloser, error) {
 	}
 
 	var reader Reader
-	fp, err := os.Open(fileName)
+	fp, err := os.Open(filepath.Clean(fileName))
 	if err != nil {
 		return nil, err
 	}

versiondb/client/dump.go

@@ -277,7 +277,7 @@ func (c *chunk) collect(outDir string, zlibLevel int) (returnErr error) {
 
 // copyTmpFile append the snappy compressed temporary file to writer
 func copyTmpFile(writer io.Writer, tmpFile string) error {
-	fp, err := os.Open(tmpFile)
+	fp, err := os.Open(filepath.Clean(tmpFile))
 	if err != nil {
 		return err
 	}
@@ -288,7 +288,7 @@ func copyTmpFile(writer io.Writer, tmpFile string) error {
 }
 
 func createFile(name string) (*os.File, error) {
-	return os.OpenFile(name, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
+	return os.OpenFile(filepath.Clean(name), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
 }
 
 func getNextVersion(db dbm.DB, version int64) (int64, error) {

versiondb/client/verify.go

@@ -117,7 +117,7 @@ func VerifyChangeSetCmd(defaultStores []string) *cobra.Command {
 			verifiedFileName := filepath.Join(changeSetDir, fmt.Sprintf("verified-%d", commitInfo.Version))
 			if check {
 				// check commitInfo against the one stored in change set
-				bz, err := os.ReadFile(verifiedFileName)
+				bz, err := os.ReadFile(filepath.Clean(verifiedFileName))
 				if err != nil {
 					return err
 				}