Relative Path Traversal vulnerability in fabric-private-chaincode
Hyperledger
Reported by
bhaskar_ram
Vulnerability Details
Technical details and impact analysis
Unsanitized input from the `os.Args[3]` CLI argument (line 75) flows into `os.OpenFile`, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to open arbitrary files.
The following data-flow steps, with the corresponding code, confirm the issue:
- utils/fabric/peer-cli-assist.src/peer-cli-assist.go
## Data flow - **5 steps in 1 file**
- Step (1,2) - Line 75:49 - `os.Args[3]`, `os.Args[3]` (**SOURCE**) [Data is 'tainted' if it comes from an insecure source such as a file, the network, or the user.]
- Step (3) - Line 85:71 - `resultPipeName`
- Step (4,5) - Line 87:37 - `resultPipeName`, `os.OpenFile(resultPipeName, os.O_APPEND|os.O_WRONLY, 0644)`
  - Line :37 - `resultPipeName`
  - Line :25 - `os.OpenFile(resultPipeName, os.O_APPEND|os.O_WRONLY, 0644)` [the operations that must receive clean data and that you wouldn't want an attacker to be able to manipulate]
References : https://cwe.mitre.org/data/definitions/23.html
Example fixes :
[Link 1](https://github.com/pacolang/paco/commit/d05f41cb0aa3167b86bd3b1063d07d7e64bec86f?diff=split#diff-7ddfb3e035b42cd70649cc33393fe32cR26)
[Link 2](https://github.com/trinchan/slackbot/commit/c8350a18049c609ef7b6847666d07e69aca9fb46?diff=split#diff-f2f667c6f0bb538d9d35241bd93421fcL18)
[Link 3](https://github.com/ketchuphq/ketchup/commit/31630fa4703d23c6055439536fd661d3c47da038?diff=split#diff-d72b60c856c1aa9b8e14c2c3c4b221abL59)
## Impact
**Writing arbitrary files:** Allows the attacker to create or replace existing files.
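A mitigation for the flow above, as an added example that is not code from the report or from fabric-private-chaincode: the argument is confined to a base directory and must name an existing named pipe before it reaches `os.OpenFile`. The function names, the base directory and the assumption that the target is a FIFO (inferred from the variable name `resultPipeName`) are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveInBase joins an untrusted name onto baseDir and rejects any result
// that lands outside baseDir (absolute paths, "../" sequences).
func resolveInBase(baseDir, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) {
		return "", errors.New("pipe name must be a non-empty relative path")
	}
	base := filepath.Clean(baseDir)
	full := filepath.Join(base, name) // Join also cleans "." and ".." elements
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("pipe name %q escapes %q", name, base)
	}
	return full, nil
}

// openResultPipe is a hypothetical replacement for the reported sink: same
// flags and mode, but only for an existing named pipe inside baseDir.
// Lstat does not follow a symlink in the final path element.
func openResultPipe(baseDir, name string) (*os.File, error) {
	full, err := resolveInBase(baseDir, name)
	if err != nil {
		return nil, err
	}
	info, err := os.Lstat(full)
	if err != nil {
		return nil, err
	}
	if info.Mode()&os.ModeNamedPipe == 0 {
		return nil, fmt.Errorf("%q is not a named pipe", full)
	}
	return os.OpenFile(full, os.O_APPEND|os.O_WRONLY, 0644)
}

func main() {
	// Constructed inputs; the base directory is an assumption.
	for _, name := range []string{"result.pipe", "../../etc/passwd", "/etc/passwd"} {
		_, err := resolveInBase(os.TempDir(), name)
		fmt.Printf("%-20q rejected=%v\n", name, err != nil)
	}
}
```

The check does not resolve symlinks in intermediate directories, so the base directory should be one that only the trusted process can write to.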
Report Details
Additional information and metadata
State: Closed
Substate: Informative
Weakness: Path Traversal