fix: use expandTilde before expandFilename: to try to support both ~ and relative paths

alehander92 · alehander92 · commit 71a6fccdea13 · 2025-10-30T16:35:08.000+02:00
try to replace all usages in `ct`: hopefully it isn't a security issue
in any cases: e.g. some kind of injection?
diff --git a/src/ct/db_backend_record.nim b/src/ct/db_backend_record.nim
@@ -189,7 +189,7 @@ proc record(
   let shellArgs = @[cmd].concat(args)
   var executable = cmd.split(" ", 1)[0]
   try:
-    executable = expandFilename(executable)
+    executable = expandFilename(expandTilde(executable))
   except OsError:
     let foundExe = findExe(executable)
     if foundExe == "":
@@ -267,7 +267,7 @@ proc record(
       var activationPathResolved = pythonActivationPath
       if activationPathResolved.len > 0:
         try:
-          activationPathResolved = expandFilename(activationPathResolved)
+          activationPathResolved = expandFilename(expandTilde(activationPathResolved))
         except OsError:
           discard
 
@@ -336,7 +336,7 @@ proc exportRecord(
   #   trying to find full path
   #   a hack: writing first there, otherwise i think expandFilename fails in some cases, when no such file yets
   writeFile(exportZipPath, "")
-  let exportZipFullPath = expandFilename(exportZipPath)
+  let exportZipFullPath = expandFilename(expandTilde(exportZipPath))
   # otherwise zip seems to try to add to it and because it's not a valid archive, it leads to an error
   removeFile(exportZipPath)
 
@@ -395,7 +395,7 @@ proc main*(): Trace =
         displayHelp()
         return
       createDir args[i + 1]
-      outputFolder = expandFilename(args[i + 1])
+      outputFolder = expandFilename(expandTilde(args[i + 1]))
       i += 2
     elif arg == "-e" or arg == "--export":
       isExportedWithArg = true
@@ -545,7 +545,7 @@ proc main*(): Trace =
         createDir(exportFolder)
       exportRecord(program, recordArgs, traceId, exportZipPath, outputFolder, cleanupOutputFolder)
 
-      traceZipFullPath = expandFilename(exportZipPath)
+      traceZipFullPath = expandFilename(expandTilde(exportZipPath))
 
     if shouldSendEvents:
       let lastLine = loadLine(sessionId, sessionLogPath)
diff --git a/src/ct/trace/host.nim b/src/ct/trace/host.nim
@@ -53,7 +53,7 @@ proc hostCommand*(
     let traceFolder = traceArg
     var traceFolderFullPath = ""
     try:
-      traceFolderFullPath = expandFilename(traceFolder)
+      traceFolderFullPath = expandFilename(expandTilde(traceFolder))
     except OsError as e:
       echo "ct host error: folder os error: ", e.msg
       quit(1)
diff --git a/src/ct/trace/import_command.nim b/src/ct/trace/import_command.nim
@@ -28,5 +28,5 @@ proc importCommand*(traceZipPath: string, importedTraceFolder: string) =
   removeDir(outputFolder)
 
   createDir(outputFolder)
-  let outputFolderFullPath = expandFilename(outputFolder)
+  let outputFolderFullPath = expandFilename(expandTilde(outputFolder))
   importTraceInPreparedFolder(traceZipPath, outputFolderFullPath)
diff --git a/src/ct/trace/multitrace.nim b/src/ct/trace/multitrace.nim
@@ -13,7 +13,7 @@ proc findDiff(diffSpecification: string): string =
       var path = diffSpecification
       try:
         # try to support arguments like `~/<path>`
-        path = expandFileName(diffSpecification)
+        path = expandFileName(expandTilde(diffSpecification))
       except OsError:
         discard
 
diff --git a/src/ct/trace/replay.nim b/src/ct/trace/replay.nim
@@ -10,8 +10,9 @@ import std / [options, os, osproc, strutils, strformat ],
 
 proc replayMultitrace*(archivePath: string, indexDiff: bool = false): bool =
   # TODO: a more unique path? or is this enough
-  let outputFolder = getTempDir() / "codetracer" / archivePath.extractFilename.changeFileExt("")
-  unzipIntoFolder(archivePath, outputFolder)
+  let fullArchivePath = expandFilename(expandTilde(archivePath))
+  let outputFolder = getTempDir() / "codetracer" / fullArchivePath.extractFilename.changeFileExt("")
+  unzipIntoFolder(fullArchivePath, outputFolder)
 
   var traceDir = ""
   for kind, file in walkDir(outputFolder, relative=true):
diff --git a/src/ct/trace/shell.nim b/src/ct/trace/shell.nim
@@ -43,9 +43,9 @@ proc findTraceForArgs*(
       return nil
   elif traceFolderArg.isSome:
     let folder = traceFolderArg.get
-    var trace = trace_index.findByPath(expandFilename(folder), test=false)
+    var trace = trace_index.findByPath(expandFilename(expandTilde(folder)), test=false)
     if trace.isNil:
-      trace = trace_index.findByPath(expandFilename(folder) & "/", test=false)
+      trace = trace_index.findByPath(expandFilename(expandTilde(folder)) & "/", test=false)
     if not trace.isNil:
       return trace
     else:
diff --git a/src/ct/utilities/zip.nim b/src/ct/utilities/zip.nim
@@ -30,7 +30,7 @@ proc zipFolder*(source, output: string, onProgress: proc(progressPercent: int) =
 proc unzipIntoFolder*(zipPath, targetDir: string) {.raises: [IOError, OSError, Exception].} =
   var zip: ZipArchive
   if not zip.open(zipPath, fmRead):
-    raise newException(IOError, "Failed to open decrypted ZIP: " & zipPath)
+    raise newException(IOError, "Failed to open ZIP: " & zipPath)
 
   createDir(targetDir)
   zip.extractAll(targetDir)
