fix(plugins): close TOCTOU window in keystore directory scans

The plugins CLI scans (KeystoreList, KeystoreImport.findExistingKeystore,
KeystoreUpdate.findKeystoreByAddress) and the second keystore read in
KeystoreUpdate.call previously combined a NOFOLLOW lstat check with a
subsequent MAPPER.readValue(file, ...). Jackson's File overload uses
FileInputStream → open(2) without O_NOFOLLOW, so an attacker who can
write in the keystore directory could swap a regular file for a symlink
between the stat and the read.

Replace the check-then-use pattern with a single read that pushes the
NOFOLLOW flag down to the open syscall:

- New KeystoreCliUtils.readKeystoreFile(File, PrintWriter) opens via
  Files.newByteChannel(path, READ, NOFOLLOW_LINKS), reads at most
  MAX_KEYSTORE_SIZE (8 KiB) bytes, and returns the byte[] for the
  caller to feed into MAPPER.readValue(byte[], Class) — no second
  file handle, no follow-symlink window.
- Drop isSafeRegularFile (now subsumed by readKeystoreFile).
- All four call sites switched: list, import duplicate scan, update
  lookup scan, and update's re-read after lookup at KeystoreUpdate
  .call line 141.

Also adds an explicit oversized-file warning ("skipping oversized
file") so a hostile directory of large planted files surfaces clearly
rather than silently consuming memory.

Note: this hardens the plugins CLI scenario specifically. The SR
startup path through WalletUtils.loadCredentials uses a different
policy (warn + follow, see commit df91f45) — that path explicitly
configures a single keystore file, parallel to Lighthouse's
voting_keystore_path, where symlink support is part of the contract.

Author: Barbatos

plugins/src/main/java/common/org/tron/plugins/KeystoreCliUtils.java

@@ -29,6 +29,14 @@ final class KeystoreCliUtils {
 
   private static final long MAX_FILE_SIZE = 1024;
 
+  /**
+   * Cap on the size of a single keystore JSON read during directory scans.
+   * Standard V3 keystores are ~500–700 bytes; 8 KiB leaves headroom for
+   * unusual scrypt parameter combinations while bounding the memory cost
+   * of scanning a hostile directory of planted oversized files.
+   */
+  static final long MAX_KEYSTORE_SIZE = 8 * 1024;
+
   private KeystoreCliUtils() {
   }
 
@@ -202,31 +210,65 @@ static boolean checkFileExists(File file, String label, PrintWriter err) {
   }
 
   /**
-   * Returns true iff {@code file} exists, is not a symbolic link, and is a
-   * regular file (not a directory, FIFO, or device). Used to filter keystore
-   * directory scans before {@code MAPPER.readValue(file, ...)} so a hostile
-   * or group-writable keystore directory cannot redirect reads to arbitrary
-   * files (e.g. {@code /etc/shadow}) or block on non-regular files
-   * (e.g. a FIFO) via planted entries.
+   * Read the bytes of a keystore-directory entry, refusing to follow
+   * symbolic links and rejecting non-regular files. Returns {@code null}
+   * (with a warning to {@code err}) when the entry should be skipped.
    *
-   * <p>Writes a warning to {@code err} when the entry is skipped.
+   * <p>Unlike {@code Files.readAttributes(...) + MAPPER.readValue(file, ...)},
+   * this opens the channel with {@link LinkOption#NOFOLLOW_LINKS} so the
+   * {@code O_NOFOLLOW} flag is enforced atomically by the kernel at
+   * {@code open(2)} — closing the TOCTOU window between an lstat-style
+   * check and a follow-symlink {@code FileInputStream} open. The caller
+   * then deserializes the bytes via {@code ObjectMapper.readValue(byte[],
+   * Class)}.
+   *
+   * <p>Files larger than {@link #MAX_KEYSTORE_SIZE} are skipped to bound
+   * memory cost when scanning a hostile or oversized directory.
    */
-  static boolean isSafeRegularFile(File file, PrintWriter err) {
+  static byte[] readKeystoreFile(File file, PrintWriter err) {
+    Path path = file.toPath();
+    BasicFileAttributes attrs;
     try {
-      BasicFileAttributes attrs = Files.readAttributes(file.toPath(),
-          BasicFileAttributes.class, LinkOption.NOFOLLOW_LINKS);
-      if (attrs.isSymbolicLink()) {
-        err.println("Warning: skipping symbolic link: " + file.getName());
-        return false;
+      attrs = Files.readAttributes(path, BasicFileAttributes.class,
+          LinkOption.NOFOLLOW_LINKS);
+    } catch (IOException e) {
+      err.println("Warning: skipping unreadable file: " + file.getName());
+      return null;
+    }
+    if (attrs.isSymbolicLink()) {
+      err.println("Warning: skipping symbolic link: " + file.getName());
+      return null;
+    }
+    if (!attrs.isRegularFile()) {
+      err.println("Warning: skipping non-regular file: " + file.getName());
+      return null;
+    }
+    if (attrs.size() > MAX_KEYSTORE_SIZE) {
+      err.println("Warning: skipping oversized file (>" + MAX_KEYSTORE_SIZE
+          + " bytes): " + file.getName());
+      return null;
+    }
+
+    int size = (int) attrs.size();
+    java.util.Set<OpenOption> openOptions = new HashSet<>();
+    openOptions.add(StandardOpenOption.READ);
+    openOptions.add(LinkOption.NOFOLLOW_LINKS);
+    try (SeekableByteChannel ch = Files.newByteChannel(path, openOptions)) {
+      ByteBuffer buf = ByteBuffer.allocate(size);
+      while (buf.hasRemaining()) {
+        if (ch.read(buf) < 0) {
+          break;
+        }
       }
-      if (!attrs.isRegularFile()) {
-        err.println("Warning: skipping non-regular file: " + file.getName());
-        return false;
+      if (buf.position() < size) {
+        byte[] actual = new byte[buf.position()];
+        System.arraycopy(buf.array(), 0, actual, 0, buf.position());
+        return actual;
       }
-      return true;
+      return buf.array();
     } catch (IOException e) {
       err.println("Warning: skipping unreadable file: " + file.getName());
-      return false;
+      return null;
     }
   }
 

plugins/src/main/java/common/org/tron/plugins/KeystoreImport.java

@@ -169,11 +169,12 @@ private String findExistingKeystore(File dir, String address, PrintWriter err) {
     com.fasterxml.jackson.databind.ObjectMapper mapper =
         KeystoreCliUtils.mapper();
     for (File file : files) {
-      if (!KeystoreCliUtils.isSafeRegularFile(file, err)) {
+      byte[] bytes = KeystoreCliUtils.readKeystoreFile(file, err);
+      if (bytes == null) {
         continue;
       }
       try {
-        WalletFile wf = mapper.readValue(file, WalletFile.class);
+        WalletFile wf = mapper.readValue(bytes, WalletFile.class);
         if (KeystoreCliUtils.isValidKeystoreFile(wf)
             && address.equals(wf.getAddress())) {
           return file.getName();

plugins/src/main/java/common/org/tron/plugins/KeystoreList.java

@@ -59,11 +59,12 @@ public Integer call() {
 
     List<Map<String, String>> entries = new ArrayList<>();
     for (File file : files) {
-      if (!KeystoreCliUtils.isSafeRegularFile(file, err)) {
+      byte[] bytes = KeystoreCliUtils.readKeystoreFile(file, err);
+      if (bytes == null) {
         continue;
       }
       try {
-        WalletFile walletFile = MAPPER.readValue(file, WalletFile.class);
+        WalletFile walletFile = MAPPER.readValue(bytes, WalletFile.class);
         if (!KeystoreCliUtils.isValidKeystoreFile(walletFile)) {
           continue;
         }

plugins/src/main/java/common/org/tron/plugins/KeystoreUpdate.java

@@ -138,7 +138,15 @@ public Integer call() {
       }
 
       boolean ecKey = !sm2;
-      WalletFile walletFile = MAPPER.readValue(keystoreFile, WalletFile.class);
+      // Re-read via NOFOLLOW byte channel to close the TOCTOU window between
+      // findKeystoreByAddress and this read — an attacker with directory
+      // write access could otherwise swap the file for a symlink in between.
+      byte[] keystoreBytes = KeystoreCliUtils.readKeystoreFile(keystoreFile, err);
+      if (keystoreBytes == null) {
+        // readKeystoreFile already printed the specific reason
+        return 1;
+      }
+      WalletFile walletFile = MAPPER.readValue(keystoreBytes, WalletFile.class);
       SignInterface keyPair = Wallet.decrypt(oldPassword, walletFile, ecKey);
 
       // createStandard already sets the correctly-derived address. Do NOT override
@@ -199,11 +207,12 @@ private File findKeystoreByAddress(String targetAddress, PrintWriter err) {
     }
     java.util.List<File> matches = new java.util.ArrayList<>();
     for (File file : files) {
-      if (!KeystoreCliUtils.isSafeRegularFile(file, err)) {
+      byte[] bytes = KeystoreCliUtils.readKeystoreFile(file, err);
+      if (bytes == null) {
         continue;
       }
       try {
-        WalletFile wf = MAPPER.readValue(file, WalletFile.class);
+        WalletFile wf = MAPPER.readValue(bytes, WalletFile.class);
         if (KeystoreCliUtils.isValidKeystoreFile(wf)
             && targetAddress.equals(wf.getAddress())) {
           matches.add(file);