Problem: In cli/utils/utils.go at line 260, the tool checks OutputPath for path traversal. However, the check does not reject absolute paths: an OutputPath such as /etc/passwd passes it, defeating the defense. Severity is informational because, in our threat model, configuration values are not controlled by an adversary. The same applies to ConfigPath, LogFilePath, OperatorsInfoPath, the elements of ClientCACertPath, ProofsFilePath, KeystorePath, ServerTLSCertPath, ServerTLSKeyPath, and CeremonyDir.
Solution: use filepath.IsLocal (Go 1.20+), which rejects absolute paths, paths that escape the current directory via "..", and the empty string. Note that IsLocal is a purely lexical check: it does not account for symbolic links that may exist under the base directory, so the base directory itself still has to be trusted.
filepath.IsLocal("/foo") // false: is an absolute path
filepath.IsLocal("../foo") // false: is not within the subtree rooted at the directory in which path is evaluated
filepath.IsLocal("") // false: is empty
filepath.IsLocal("foo/bar") // true
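The following is an added example, not code from the audited project: it places a hypothetical ".."-only check (naiveTraversalCheck, standing in for the kind of defense described above, not the actual code at utils.go:260) next to a filepath.IsLocal based validator applied to every configuration field named in the finding. The Config struct, the ValidatePaths and ResolveUnder helpers, and the sample values are assumptions made for the example; only the field names come from the finding.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// naiveTraversalCheck stands in for a defence that only rejects ".." segments.
// It is a hypothetical illustration, not the check in cli/utils/utils.go.
// An absolute path such as "/etc/passwd" contains no ".." and so passes.
func naiveTraversalCheck(p string) bool {
	for _, seg := range strings.Split(filepath.ToSlash(p), "/") {
		if seg == ".." {
			return false
		}
	}
	return true
}

// CheckLocalPath is the proposed replacement. filepath.IsLocal (Go 1.20+)
// rejects absolute paths, paths that escape via "..", and the empty string,
// using lexical analysis only: symlinks under the base directory are not
// considered, so the base itself must be trusted.
func CheckLocalPath(field, p string) error {
	if !filepath.IsLocal(p) {
		return fmt.Errorf("%s: %q is not a local path", field, p)
	}
	return nil
}

// Config holds the path-valued fields named in the finding. The struct shape
// is an assumption for this example; the project's real type may differ.
type Config struct {
	OutputPath        string
	ConfigPath        string
	LogFilePath       string
	OperatorsInfoPath string
	ClientCACertPath  []string
	ProofsFilePath    string
	KeystorePath      string
	ServerTLSCertPath string
	ServerTLSKeyPath  string
	CeremonyDir       string
}

// ValidatePaths applies CheckLocalPath to every field listed in the finding
// and reports all violations at once. Empty fields are rejected as well,
// because IsLocal("") is false; a real loader may skip unset optional fields.
func ValidatePaths(c Config) error {
	fields := []struct{ name, value string }{
		{"OutputPath", c.OutputPath},
		{"ConfigPath", c.ConfigPath},
		{"LogFilePath", c.LogFilePath},
		{"OperatorsInfoPath", c.OperatorsInfoPath},
		{"ProofsFilePath", c.ProofsFilePath},
		{"KeystorePath", c.KeystorePath},
		{"ServerTLSCertPath", c.ServerTLSCertPath},
		{"ServerTLSKeyPath", c.ServerTLSKeyPath},
		{"CeremonyDir", c.CeremonyDir},
	}
	for i, p := range c.ClientCACertPath { // each element is validated separately
		fields = append(fields, struct{ name, value string }{fmt.Sprintf("ClientCACertPath[%d]", i), p})
	}
	var errs []error
	for _, f := range fields {
		if err := CheckLocalPath(f.name, f.value); err != nil {
			errs = append(errs, err)
		}
	}
	return errors.Join(errs...) // nil when there are no violations
}

// ResolveUnder joins a validated relative path onto base. Because IsLocal held,
// filepath.Join cannot lexically escape base.
func ResolveUnder(base, p string) (string, error) {
	if err := CheckLocalPath("path", p); err != nil {
		return "", err
	}
	return filepath.Join(base, p), nil
}

func main() {
	fmt.Println("naive check accepts /etc/passwd:", naiveTraversalCheck("/etc/passwd"))
	// Constructed sample configuration; the values are not from the project.
	good := Config{
		OutputPath: "output/keyshares.json", ConfigPath: "config.yaml",
		LogFilePath: "logs/ceremony.log", OperatorsInfoPath: "operators.json",
		ClientCACertPath: []string{"certs/ca.pem"}, ProofsFilePath: "output/proofs.json",
		KeystorePath: "keystore.json", ServerTLSCertPath: "tls/server.crt",
		ServerTLSKeyPath: "tls/server.key", CeremonyDir: "ceremony",
	}
	fmt.Println("good config:", ValidatePaths(good))
	bad := good
	bad.OutputPath = "/etc/passwd"
	bad.ClientCACertPath = []string{"certs/ca.pem", "../../etc/ssl/ca.pem"}
	fmt.Println("bad config:", ValidatePaths(bad))
}
```

Validating all fields and joining the errors lets an operator fix every offending value in one pass instead of discovering them one run at a time; ResolveUnder shows where the validated value is actually consumed, which is the point at which the IsLocal guarantee about filepath.Join applies.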