fix(plugins): reject symlinks in keystore directory scans

Earlier commits hardened --password-file / --key-file reads against
symlink-following, but the keystore-directory scans in list, import
(duplicate check), and update (findKeystoreByAddress) still called
MAPPER.readValue(file, ...) on every *.json entry without a symlink
guard. In a hostile or group-writable keystore directory, a planted
symlink could redirect deserialization to arbitrary files, and FIFOs
or devices could block the scan indefinitely.

- Add KeystoreCliUtils.isSafeRegularFile(file, err) helper that stats
  with LinkOption.NOFOLLOW_LINKS and rejects symbolic links,
  directories, FIFOs, and devices with a warning to err
- Apply it before MAPPER.readValue in KeystoreList.call,
  KeystoreImport.findExistingKeystore, and
  KeystoreUpdate.findKeystoreByAddress
- Add three end-to-end tests (one per command) that plant a .json
  symlink in the keystore dir and verify each command warns and
  continues without reading the symlink target

Author: Barbatos

plugins/src/main/java/common/org/tron/plugins/KeystoreCliUtils.java

@@ -188,6 +188,35 @@ static boolean checkFileExists(File file, String label, PrintWriter err) {
     return true;
   }
 
+  /**
+   * Returns true iff {@code file} exists, is not a symbolic link, and is a
+   * regular file (not a directory, FIFO, or device). Used to filter keystore
+   * directory scans before {@code MAPPER.readValue(file, ...)} so a hostile
+   * or group-writable keystore directory cannot redirect reads to arbitrary
+   * files (e.g. {@code /etc/shadow}) or block on non-regular files
+   * (e.g. a FIFO) via planted entries.
+   *
+   * <p>Writes a warning to {@code err} when the entry is skipped.
+   */
+  static boolean isSafeRegularFile(File file, PrintWriter err) {
+    try {
+      BasicFileAttributes attrs = Files.readAttributes(file.toPath(),
+          BasicFileAttributes.class, LinkOption.NOFOLLOW_LINKS);
+      if (attrs.isSymbolicLink()) {
+        err.println("Warning: skipping symbolic link: " + file.getName());
+        return false;
+      }
+      if (!attrs.isRegularFile()) {
+        err.println("Warning: skipping non-regular file: " + file.getName());
+        return false;
+      }
+      return true;
+    } catch (IOException e) {
+      err.println("Warning: skipping unreadable file: " + file.getName());
+      return false;
+    }
+  }
+
   static void printSecurityTips(PrintWriter out, String address, String fileName) {
     out.println();
     out.println("Public address of the key:   " + address);

plugins/src/main/java/common/org/tron/plugins/KeystoreImport.java

@@ -169,6 +169,9 @@ private String findExistingKeystore(File dir, String address, PrintWriter err) {
     com.fasterxml.jackson.databind.ObjectMapper mapper =
         KeystoreCliUtils.mapper();
     for (File file : files) {
+      if (!KeystoreCliUtils.isSafeRegularFile(file, err)) {
+        continue;
+      }
       try {
         WalletFile wf = mapper.readValue(file, WalletFile.class);
         if (KeystoreCliUtils.isValidKeystoreFile(wf)

plugins/src/main/java/common/org/tron/plugins/KeystoreList.java

@@ -59,6 +59,9 @@ public Integer call() {
 
     List<Map<String, String>> entries = new ArrayList<>();
     for (File file : files) {
+      if (!KeystoreCliUtils.isSafeRegularFile(file, err)) {
+        continue;
+      }
       try {
         WalletFile walletFile = MAPPER.readValue(file, WalletFile.class);
         if (!KeystoreCliUtils.isValidKeystoreFile(walletFile)) {

plugins/src/main/java/common/org/tron/plugins/KeystoreUpdate.java

@@ -199,6 +199,9 @@ private File findKeystoreByAddress(String targetAddress, PrintWriter err) {
     }
     java.util.List<File> matches = new java.util.ArrayList<>();
     for (File file : files) {
+      if (!KeystoreCliUtils.isSafeRegularFile(file, err)) {
+        continue;
+      }
       try {
         WalletFile wf = MAPPER.readValue(file, WalletFile.class);
         if (KeystoreCliUtils.isValidKeystoreFile(wf)

plugins/src/test/java/org/tron/plugins/KeystoreImportTest.java

@@ -464,4 +464,41 @@ public void testImportDuplicateCheckSkipsInvalidVersion() throws Exception {
     assertEquals("Import should succeed — invalid-version file is not a real duplicate", 0,
         exitCode);
   }
+
+  @Test
+  public void testImportDuplicateScanSkipsSymlinkedEntry() throws Exception {
+    org.junit.Assume.assumeTrue("Symlinks only tested on POSIX",
+        !System.getProperty("os.name").toLowerCase().contains("win"));
+
+    File dir = tempFolder.newFolder("keystore-dup-symlink");
+
+    SignInterface keyPair = SignUtils.getGeneratedRandomSign(
+        SecureRandom.getInstance("NativePRNG"), true);
+    String privateKeyHex = ByteArray.toHexString(keyPair.getPrivateKey());
+
+    File target = tempFolder.newFile("outside.json");
+    Files.write(target.toPath(),
+        "{\"not\":\"a keystore\"}".getBytes(StandardCharsets.UTF_8));
+    File symlink = new File(dir, "evil.json");
+    Files.createSymbolicLink(symlink.toPath(), target.toPath());
+
+    File keyFile = tempFolder.newFile("dup-sym.key");
+    Files.write(keyFile.toPath(),
+        privateKeyHex.getBytes(StandardCharsets.UTF_8));
+    File pwFile = tempFolder.newFile("pw-dup-sym.txt");
+    Files.write(pwFile.toPath(), "test123456".getBytes(StandardCharsets.UTF_8));
+
+    java.io.StringWriter err = new java.io.StringWriter();
+    CommandLine cmd = new CommandLine(new Toolkit());
+    cmd.setErr(new java.io.PrintWriter(err));
+    int exitCode = cmd.execute("keystore", "import",
+        "--keystore-dir", dir.getAbsolutePath(),
+        "--key-file", keyFile.getAbsolutePath(),
+        "--password-file", pwFile.getAbsolutePath());
+
+    assertEquals("Import should succeed with symlink present", 0, exitCode);
+    assertTrue("Duplicate scan must warn about the symlinked entry, got: "
+            + err.toString(),
+        err.toString().contains("Warning: skipping symbolic link: evil.json"));
+  }
 }

plugins/src/test/java/org/tron/plugins/KeystoreListTest.java

@@ -240,4 +240,43 @@ public void testListSkipsInvalidVersionKeystores() throws Exception {
     assertEquals("Should list only the valid v3 keystore, not v2 or no-crypto",
         1, lines.length);
   }
+
+  @Test
+  public void testListSkipsSymlinkedKeystoreFile() throws Exception {
+    org.junit.Assume.assumeTrue("Symlinks only tested on POSIX",
+        !System.getProperty("os.name").toLowerCase().contains("win"));
+
+    File dir = tempFolder.newFolder("keystore-symlink-scan");
+    String password = "test123456";
+
+    SignInterface key = SignUtils.getGeneratedRandomSign(
+        SecureRandom.getInstance("NativePRNG"), true);
+    WalletUtils.generateWalletFile(password, key, dir, false);
+
+    // A JSON file elsewhere (simulates "target we should not be tricked
+    // into reading") — placed outside the keystore dir.
+    File target = tempFolder.newFile("outside.json");
+    Files.write(target.toPath(),
+        "{\"secret\":\"should not appear in list output\"}"
+            .getBytes(StandardCharsets.UTF_8));
+
+    // Plant a .json symlink in the keystore dir
+    File symlink = new File(dir, "evil.json");
+    Files.createSymbolicLink(symlink.toPath(), target.toPath());
+
+    StringWriter out = new StringWriter();
+    StringWriter err = new StringWriter();
+    CommandLine cmd = new CommandLine(new Toolkit());
+    cmd.setOut(new PrintWriter(out));
+    cmd.setErr(new PrintWriter(err));
+    int exitCode = cmd.execute("keystore", "list",
+        "--keystore-dir", dir.getAbsolutePath());
+
+    assertEquals(0, exitCode);
+    assertTrue("Should warn about symbolic link, got err: " + err.toString(),
+        err.toString().contains("Warning: skipping symbolic link: evil.json"));
+    String output = out.toString().trim();
+    String[] lines = output.split("\\n");
+    assertEquals("Should list only the real keystore", 1, lines.length);
+  }
 }

plugins/src/test/java/org/tron/plugins/KeystoreUpdateTest.java

@@ -736,4 +736,41 @@ public void testUpdateLegacyTipSuppressedWhenPasswordHasNoWhitespace() throws Ex
     assertFalse("Legacy-truncation tip should NOT fire for whitespace-free password",
         err.toString().contains("first whitespace-separated word"));
   }
+
+  @Test
+  public void testUpdateScanSkipsSymlinkedEntry() throws Exception {
+    org.junit.Assume.assumeTrue("Symlinks only tested on POSIX",
+        !System.getProperty("os.name").toLowerCase().contains("win"));
+
+    File dir = tempFolder.newFolder("keystore-update-symlink");
+    String oldPassword = "oldpass123";
+    String newPassword = "newpass456";
+
+    SignInterface keyPair = SignUtils.getGeneratedRandomSign(
+        SecureRandom.getInstance("NativePRNG"), true);
+    String fileName = WalletUtils.generateWalletFile(oldPassword, keyPair, dir, true);
+    Credentials creds = WalletUtils.loadCredentials(oldPassword,
+        new File(dir, fileName), true);
+
+    File target = tempFolder.newFile("outside.json");
+    Files.write(target.toPath(),
+        "{\"not\":\"a keystore\"}".getBytes(StandardCharsets.UTF_8));
+    File symlink = new File(dir, "evil.json");
+    Files.createSymbolicLink(symlink.toPath(), target.toPath());
+
+    File pwFile = tempFolder.newFile("pw-update-sym.txt");
+    Files.write(pwFile.toPath(),
+        (oldPassword + "\n" + newPassword).getBytes(StandardCharsets.UTF_8));
+
+    StringWriter err = new StringWriter();
+    CommandLine cmd = new CommandLine(new Toolkit());
+    cmd.setErr(new PrintWriter(err));
+    int exitCode = cmd.execute("keystore", "update", creds.getAddress(),
+        "--keystore-dir", dir.getAbsolutePath(),
+        "--password-file", pwFile.getAbsolutePath());
+
+    assertEquals("Update should succeed; symlinked entry must not break scan", 0, exitCode);
+    assertTrue("Scan must warn about the symlinked entry, got: " + err.toString(),
+        err.toString().contains("Warning: skipping symbolic link: evil.json"));
+  }
 }