Merge pull request from GHSA-4j93-fm92-rp4m

julienrbrt · mmsqe · commit 463f184c598e · 2024-02-20T09:04:03.000+08:00
* fix(x/auth/vesting): Add `BlockedAddr` check in `CreatePeriodicVestingAccount`

* updates
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -41,6 +41,7 @@ Ref: https://keepachangelog.com/en/1.0.0/
 
 ### Bug Fixes
 
+* (x/auth/vesting) [GHSA-4j93-fm92-rp4m](#bug-fixes) Add `BlockedAddr` check in `CreatePeriodicVestingAccount`.
 * (baseapp) [#19177](https://github.com/cosmos/cosmos-sdk/pull/19177) Fix baseapp `DefaultProposalHandler` same-sender non-sequential sequence.
 
 ## [v0.47.8](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.47.8) - 2024-01-22
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
@@ -4,9 +4,10 @@
 
 ## 🚀 Highlights
 
-This patch release includes a fix in baseapp in `DefaultProposalHandler` and <>.
+This patch release includes a fix in baseapp in `DefaultProposalHandler` and fixes [GHSA-4j93-fm92-rp4m](https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-4j93-fm92-rp4m).
 
 We recommended to upgrade to this patch release as soon as possible.
+When upgrading from <= v0.47.8, please ensure that 2/3 of the validator power upgrade to v0.47.9.
 
 Curious? Check out the [changelog](https://github.com/cosmos/cosmos-sdk/blob/v0.47.9/CHANGELOG.md) for an exhaustive list of changes or [compare changes](https://github.com/cosmos/cosmos-sdk/compare/v0.47.8...v0.47.9) from last release.
 
diff --git a/x/auth/vesting/msg_server.go b/x/auth/vesting/msg_server.go
@@ -154,6 +154,10 @@ func (s msgServer) CreatePeriodicVestingAccount(goCtx context.Context, msg *type
 		return nil, err
 	}
 
+	if s.BankKeeper.BlockedAddr(to) {
+		return nil, sdkerrors.Wrapf(sdkerrors.ErrUnauthorized, "%s is not allowed to receive funds", msg.ToAddress)
+	}
+
 	if acc := ak.GetAccount(ctx, to); acc != nil {
 		return nil, sdkerrors.Wrapf(sdkerrors.ErrInvalidRequest, "account %s already exists", msg.ToAddress)
 	}
diff --git a/x/auth/vesting/msg_server_test.go b/x/auth/vesting/msg_server_test.go
@@ -85,6 +85,21 @@ func (s *VestingTestSuite) TestCreateVestingAccount() {
 			expErr:    true,
 			expErrMsg: "already exists",
 		},
+		"create for blocked account": {
+			preRun: func() {
+				s.bankKeeper.EXPECT().IsSendEnabledCoins(gomock.Any(), fooCoin).Return(nil)
+				s.bankKeeper.EXPECT().BlockedAddr(to1Addr).Return(true)
+			},
+			input: vestingtypes.NewMsgCreateVestingAccount(
+				fromAddr,
+				to1Addr,
+				sdk.Coins{fooCoin},
+				time.Now().Unix(),
+				true,
+			),
+			expErr:    true,
+			expErrMsg: "not allowed to receive funds",
+		},
 		"create a valid delayed vesting account": {
 			preRun: func() {
 				s.bankKeeper.EXPECT().IsSendEnabledCoins(gomock.Any(), fooCoin).Return(nil)
@@ -155,6 +170,22 @@ func (s *VestingTestSuite) TestCreatePermanentLockedAccount() {
 			expErr:    true,
 			expErrMsg: "already exists",
 		},
+		"create for blocked account": {
+			preRun: func() {
+				toAcc := s.accountKeeper.NewAccountWithAddress(s.ctx, to1Addr)
+				s.bankKeeper.EXPECT().IsSendEnabledCoins(gomock.Any(), fooCoin).Return(nil)
+				s.bankKeeper.EXPECT().BlockedAddr(to1Addr).Return(true)
+				s.accountKeeper.SetAccount(s.ctx, toAcc)
+			},
+			input: vestingtypes.NewMsgCreatePermanentLockedAccount(
+				fromAddr,
+				to1Addr,
+				sdk.Coins{fooCoin},
+			),
+			expErr:    true,
+			expErrMsg: "not allowed to receive funds",
+		},
+
 		"create a valid permanent locked account": {
 			preRun: func() {
 				s.bankKeeper.EXPECT().IsSendEnabledCoins(gomock.Any(), fooCoin).Return(nil)
@@ -196,6 +227,7 @@ func (s *VestingTestSuite) TestCreatePeriodicVestingAccount() {
 		{
 			name: "create for existing account",
 			preRun: func() {
+				s.bankKeeper.EXPECT().BlockedAddr(to1Addr).Return(false)
 				toAcc := s.accountKeeper.NewAccountWithAddress(s.ctx, to1Addr)
 				s.accountKeeper.SetAccount(s.ctx, toAcc)
 			},
@@ -213,10 +245,34 @@ func (s *VestingTestSuite) TestCreatePeriodicVestingAccount() {
 			expErr:    true,
 			expErrMsg: "already exists",
 		},
+		{
+			name: "create for blocked address",
+			preRun: func() {
+				s.bankKeeper.EXPECT().BlockedAddr(to2Addr).Return(true)
+			},
+			input: vestingtypes.NewMsgCreatePeriodicVestingAccount(
+				fromAddr,
+				to2Addr,
+				time.Now().Unix(),
+				[]vestingtypes.Period{
+					{
+						Length: 10,
+						Amount: sdk.NewCoins(periodCoin),
+					},
+					{
+						Length: 20,
+						Amount: sdk.NewCoins(fooCoin),
+					},
+				},
+			),
+			expErr:    true,
+			expErrMsg: "not allowed to receive funds",
+		},
 		{
 			name: "create a valid periodic vesting account",
 			preRun: func() {
 				s.bankKeeper.EXPECT().IsSendEnabledCoins(gomock.Any(), periodCoin.Add(fooCoin)).Return(nil)
+				s.bankKeeper.EXPECT().BlockedAddr(to2Addr).Return(false)
 				s.bankKeeper.EXPECT().SendCoins(gomock.Any(), fromAddr, to2Addr, gomock.Any()).Return(nil)
 			},
 			input: vestingtypes.NewMsgCreatePeriodicVestingAccount(

Original file line number	Diff line number	Diff line change
`@@ -154,6 +154,10 @@ func (s msgServer) CreatePeriodicVestingAccount(goCtx context.Context, msg *type`
`154`	`154`	`return nil, err`
`155`	`155`	`}`
`156`	`156`
	`157`	`+ if s.BankKeeper.BlockedAddr(to) {`
	`158`	`+ return nil, sdkerrors.Wrapf(sdkerrors.ErrUnauthorized, "%s is not allowed to receive funds", msg.ToAddress)`
	`159`	`+ }`
	`160`	`+`
`157`	`161`	`if acc := ak.GetAccount(ctx, to); acc != nil {`
`158`	`162`	`return nil, sdkerrors.Wrapf(sdkerrors.ErrInvalidRequest, "account %s already exists", msg.ToAddress)`
`159`	`163`	`}`