Merge pull request from GHSA-4j93-fm92-rp4m
* fix(x/auth/vesting): Add `BlockedAddr` check in `CreatePeriodicVestingAccount`

* updates
julienrbrt authored and mmsqe committed Feb 20, 2024
1 parent 78c102b commit 463f184
Showing 4 changed files with 63 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -41,6 +41,7 @@ Ref: https://keepachangelog.com/en/1.0.0/

### Bug Fixes

* (x/auth/vesting) [GHSA-4j93-fm92-rp4m](#bug-fixes) Add `BlockedAddr` check in `CreatePeriodicVestingAccount`.
* (baseapp) [#19177](https://github.com/cosmos/cosmos-sdk/pull/19177) Fix baseapp `DefaultProposalHandler` same-sender non-sequential sequence.

## [v0.47.8](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.47.8) - 2024-01-22
3 changes: 2 additions & 1 deletion RELEASE_NOTES.md
Expand Up @@ -4,9 +4,10 @@

## 🚀 Highlights

This patch release includes a fix in baseapp in `DefaultProposalHandler` and <>.
This patch release includes a fix in baseapp in `DefaultProposalHandler` and fixes [GHSA-4j93-fm92-rp4m](https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-4j93-fm92-rp4m).

We recommended to upgrade to this patch release as soon as possible.
When upgrading from <= v0.47.8, please ensure that 2/3 of the validator power upgrade to v0.47.9.

Curious? Check out the [changelog](https://github.com/cosmos/cosmos-sdk/blob/v0.47.9/CHANGELOG.md) for an exhaustive list of changes or [compare changes](https://github.com/cosmos/cosmos-sdk/compare/v0.47.8...v0.47.9) from last release.

4 changes: 4 additions & 0 deletions x/auth/vesting/msg_server.go
Expand Up @@ -154,6 +154,10 @@ func (s msgServer) CreatePeriodicVestingAccount(goCtx context.Context, msg *type
return nil, err
}

if s.BankKeeper.BlockedAddr(to) {
return nil, sdkerrors.Wrapf(sdkerrors.ErrUnauthorized, "%s is not allowed to receive funds", msg.ToAddress)
}

if acc := ak.GetAccount(ctx, to); acc != nil {
return nil, sdkerrors.Wrapf(sdkerrors.ErrInvalidRequest, "account %s already exists", msg.ToAddress)
}
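Review bot: The new guard at the `if s.BankKeeper.BlockedAddr(to)` line carries no comment explaining why it is placed ahead of the `GetAccount` existence check, and that ordering is what keeps a blocked recipient from ever reaching account creation or the coin transfer further down; I would add `// Reject blocked recipients before any account is created or coins are moved (same check as CreateVestingAccount / CreatePermanentLockedAccount).` above it. The accompanying test changes show the other two handlers already perform this check, so the comment also records that the three handlers are meant to agree. The rest of CreatePeriodicVestingAccount, including the parsing of `to` above and the transfer below, is outside the hunk; if the function binds `bk := s.BankKeeper` alongside the `ak` alias used on the next visible line, using that alias here would match the file's style.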
56 changes: 56 additions & 0 deletions x/auth/vesting/msg_server_test.go
Expand Up @@ -85,6 +85,21 @@ func (s *VestingTestSuite) TestCreateVestingAccount() {
expErr: true,
expErrMsg: "already exists",
},
"create for blocked account": {
preRun: func() {
s.bankKeeper.EXPECT().IsSendEnabledCoins(gomock.Any(), fooCoin).Return(nil)
s.bankKeeper.EXPECT().BlockedAddr(to1Addr).Return(true)
},
input: vestingtypes.NewMsgCreateVestingAccount(
fromAddr,
to1Addr,
sdk.Coins{fooCoin},
time.Now().Unix(),
true,
),
expErr: true,
expErrMsg: "not allowed to receive funds",
},
"create a valid delayed vesting account": {
preRun: func() {
s.bankKeeper.EXPECT().IsSendEnabledCoins(gomock.Any(), fooCoin).Return(nil)
Expand Down Expand Up @@ -155,6 +170,22 @@ func (s *VestingTestSuite) TestCreatePermanentLockedAccount() {
expErr: true,
expErrMsg: "already exists",
},
"create for blocked account": {
preRun: func() {
toAcc := s.accountKeeper.NewAccountWithAddress(s.ctx, to1Addr)
s.bankKeeper.EXPECT().IsSendEnabledCoins(gomock.Any(), fooCoin).Return(nil)
s.bankKeeper.EXPECT().BlockedAddr(to1Addr).Return(true)
s.accountKeeper.SetAccount(s.ctx, toAcc)
},
input: vestingtypes.NewMsgCreatePermanentLockedAccount(
fromAddr,
to1Addr,
sdk.Coins{fooCoin},
),
expErr: true,
expErrMsg: "not allowed to receive funds",
},

"create a valid permanent locked account": {
preRun: func() {
s.bankKeeper.EXPECT().IsSendEnabledCoins(gomock.Any(), fooCoin).Return(nil)
Expand Down Expand Up @@ -196,6 +227,7 @@ func (s *VestingTestSuite) TestCreatePeriodicVestingAccount() {
{
name: "create for existing account",
preRun: func() {
s.bankKeeper.EXPECT().BlockedAddr(to1Addr).Return(false)
toAcc := s.accountKeeper.NewAccountWithAddress(s.ctx, to1Addr)
s.accountKeeper.SetAccount(s.ctx, toAcc)
},
Expand All @@ -213,10 +245,34 @@ func (s *VestingTestSuite) TestCreatePeriodicVestingAccount() {
expErr: true,
expErrMsg: "already exists",
},
{
name: "create for blocked address",
preRun: func() {
s.bankKeeper.EXPECT().BlockedAddr(to2Addr).Return(true)
},
input: vestingtypes.NewMsgCreatePeriodicVestingAccount(
fromAddr,
to2Addr,
time.Now().Unix(),
[]vestingtypes.Period{
{
Length: 10,
Amount: sdk.NewCoins(periodCoin),
},
{
Length: 20,
Amount: sdk.NewCoins(fooCoin),
},
},
),
expErr: true,
expErrMsg: "not allowed to receive funds",
},
{
name: "create a valid periodic vesting account",
preRun: func() {
s.bankKeeper.EXPECT().IsSendEnabledCoins(gomock.Any(), periodCoin.Add(fooCoin)).Return(nil)
s.bankKeeper.EXPECT().BlockedAddr(to2Addr).Return(false)
s.bankKeeper.EXPECT().SendCoins(gomock.Any(), fromAddr, to2Addr, gomock.Any()).Return(nil)
},
input: vestingtypes.NewMsgCreatePeriodicVestingAccount(
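Review bot: The `"create for blocked account"` case added to TestCreatePermanentLockedAccount also stores an account at `to1Addr` via `NewAccountWithAddress` and `SetAccount`, so the expected `"not allowed to receive funds"` message holds only because the handler evaluates `BlockedAddr` before its existing-account check; a reordering in the handler would flip this case to `"already exists"` without the test explaining why. The sibling cases in TestCreateVestingAccount and TestCreatePeriodicVestingAccount set up only the `BlockedAddr` expectation, so I would drop the two account-setup lines here for consistency, or keep them with `// account pre-exists on purpose: the blocked-address check must fire first`. The periodic `"create for blocked address"` case sets no `IsSendEnabledCoins` expectation, which under gomock's default strictness pins the blocked check ahead of that call in the handler and deserves the same one-line comment. All four hunks cut into the test functions, whose table setup begins outside the hunk.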
