chore: backport release-v0.44.2 (#10349)

* chore: Cosmos SDK v0.44.1 release notes (#10345)

* v0.44.1 Release Notes

* Merge pull request from GHSA-2p6r-37p9-89p2

* test: adding authz grant tests

* fix TestCLITxGrantAuthorization/Invalid_expiration_time test case

* comment out the test

* reenable test
Robert Zaremba 2021-10-15 20:17:53 +02:00 committed by GitHub
parent 6079fe1888
commit f537f99ecb
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 62 additions and 28 deletions


@ -50,6 +50,10 @@ Ref: https://keepachangelog.com/en/1.0.0/
* (client) [#10226](https://github.com/cosmos/cosmos-sdk/pull/10226) Fix --home flag parsing.
## [v0.44.2](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.44.2) - 2021-10-12
Security Release. No breaking changes related to 0.44.x.
## [v0.44.1](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.44.1) - 2021-09-29
### Improvements


@ -1,21 +1,7 @@
# Cosmos SDK v0.44.1 Release Notes
# Cosmos SDK v0.44.2 Release Notes
This release introduces bug fixes and improvements on the Cosmos SDK v0.44 series.
Recently, the Cosmos-SDK team became aware of a high-severity security vulnerability that impacts Cosmos-SDK v0.43.x and v0.44.x and can result in a consensus halt. User funds are NOT at risk; however, the vulnerability can result in a chain halt. This vulnerability does not impact the current Cosmos Hub, though other Cosmos-SDK based blockchains using v0.43.x or v0.44.x may be affected and are advised to update to v0.44.2 immediately.
The main bug fix concerns all users performing in-place store migrations from v0.42 to v0.44. A source of non-determinism in the upgrade process has been [detected and fixed](https://github.com/cosmos/cosmos-sdk/pull/10189) in this release, causing consensus errors. As such, **v0.44.0 is not safe to use when performing v0.42->v0.44 in-place store upgrades**, please use this release v0.44.1 instead. This does not impact genesis JSON dump upgrades nor fresh chains starting with v0.44.
Nodes can update their software independently of each other (no coordinated chain restart necessary), but should do so as soon as they are able.
Another bug fix concerns calling the ABCI `Query` method using `client.Context`. We modified ABCI queries to use `abci.QueryRequest`'s `Height` field if it is non-zero, otherwise continue using `client.Context`'s height. This is a minor client-breaking change for users of the `client.Context`.
Some CLI fixes are also included, such as:
- using pre-configured data for the CLI `add-genesis-account` command ([\#9969](https://github.com/cosmos/cosmos-sdk/pull/9969)),
- ensuring the `init` command reads the `--home` flag value correctly ([#10104](https://github.com/cosmos/cosmos-sdk/pull/10104)),
- fixing the error message when `period` or `period-limit` flag is not set on a feegrant grant transaction [\#10049](https://github.com/cosmos/cosmos-sdk/issues/10049).
v0.44.1 also includes performance improvements, namely:
- IAVL update to v0.17.1 which includes performance improvements on a batch load [\#10040](https://github.com/cosmos/cosmos-sdk/pull/10040),
- Speedup coins.AmountOf(), by removing many intermittent regex calls [\#10021](https://github.com/cosmos/cosmos-sdk/pull/10021),
- Improve CacheKVStore datastructures / algorithms, to no longer take O(N^2) time when interleaving iterators and insertions [\#10026](https://github.com/cosmos/cosmos-sdk/pull/10026).
See the [Cosmos SDK v0.44.1 milestone](https://github.com/cosmos/cosmos-sdk/milestone/56?closed=1) on our issue tracker for the exhaustive list of all changes.
A full disclosure will be published a week after the release.


@ -10,7 +10,11 @@ import (
)
// NewGrant returns new Grant
func NewGrant(a Authorization, expiration time.Time) (Grant, error) {
func NewGrant( /*blockTime time.Time, */ a Authorization, expiration time.Time) (Grant, error) {
// TODO: add this for 0.45
// if !expiration.After(blockTime) {
// return Grant{}, sdkerrors.ErrInvalidRequest.Wrapf("expiration must be after the current block time (%v), got %v", blockTime.Format(time.RFC3339), expiration.Format(time.RFC3339))
// }
g := Grant{
Expiration: expiration,
}
@ -51,10 +55,6 @@ func (g Grant) GetAuthorization() Authorization {
}
func (g Grant) ValidateBasic() error {
if g.Expiration.Unix() < time.Now().Unix() {
return sdkerrors.Wrap(ErrInvalidExpirationTime, "Time can't be in the past")
}
av := g.Authorization.GetCachedValue()
a, ok := av.(Authorization)
if !ok {
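Review bot: With the `time.Now()` comparison removed from `ValidateBasic` and the block-time check in `NewGrant` left commented out, nothing visible in this file rejects a grant whose expiration is already in the past. Whether an expired grant can be stored or used now depends on code outside these hunks (presumably an expiry comparison against the block time when the grant is executed; worth confirming). Dropping the wall-clock check is the right direction, because `time.Now()` is node-local and stateless validation has to give every node the same answer, but the reason should be recorded where the check used to be, e.g. `// Expiration is deliberately not compared with time.Now(): wall-clock time is node-local and not deterministic; compare with the block time instead.` The signature would also read better as `func NewGrant(a Authorization, expiration time.Time) (Grant, error) {`, with the planned `blockTime` parameter described in the TODO rather than embedded as an inline comment. Both function bodies continue outside the hunks.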


@ -0,0 +1,44 @@
package authz
import (
"testing"
"time"
// banktypes "github.com/cosmos/cosmos-sdk/x/bank/types"
"github.com/stretchr/testify/require"
)
func expecError(r *require.Assertions, expected string, received error) {
if expected == "" {
r.NoError(received)
} else {
r.Error(received)
r.Contains(received.Error(), expected)
}
}
func TestNewGrant(t *testing.T) {
// ba := banktypes.NewSendAuthorization(sdk.NewCoins(sdk.NewInt64Coin("foo", 123)))
a := NewGenericAuthorization("some-type")
var tcs = []struct {
title string
a Authorization
blockTime time.Time
expire time.Time
err string
}{
// {"wrong expire time (1)", a, time.Unix(10, 0), time.Unix(8, 0), "expiration must be after"},
// {"wrong expire time (2)", a, time.Unix(10, 0), time.Unix(10, 0), "expiration must be after"},
{"good expire time (1)", a, time.Unix(10, 0), time.Unix(10, 1), ""},
{"good expire time (2)", a, time.Unix(10, 0), time.Unix(11, 0), ""},
}
for _, tc := range tcs {
t.Run(tc.title, func(t *testing.T) {
// _, err := NewGrant(tc.blockTime, tc.a, tc.expire)
_, err := NewGrant(tc.a, tc.expire)
expecError(require.New(t), tc.err, err)
})
}
}
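Review bot: Both rejection cases in `TestNewGrant` are commented out, so the test only asserts that `NewGrant` accepts an expiration, and the `blockTime` field is filled in for every row but never read. Until the block-time check exists, a short comment above the table such as `// blockTime is unused until NewGrant takes the block time; the rejection rows stay disabled until then.` would keep a reader from assuming the expiry boundary is covered. The helper name `expecError` looks like a typo for `expectError`, and the commented-out `banktypes` import and `ba` line can be dropped.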


@ -127,11 +127,11 @@ func (s *IntegrationTestSuite) TestCLITxGrantAuthorization() {
"send",
fmt.Sprintf("--%s=100steak", cli.FlagSpendLimit),
fmt.Sprintf("--%s=%s", flags.FlagFrom, val.Address.String()),
fmt.Sprintf("--%s=true", flags.FlagGenerateOnly),
fmt.Sprintf("--%s=true", flags.FlagSkipConfirmation),
fmt.Sprintf("--%s=%d", cli.FlagExpiration, pastHour),
},
0,
true,
0xd,
false, // TODO: enable in v0.45
},
{
"fail with error invalid msg-type",
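Review bot: The new expected code `0xd` is a bare number, and the boolean after it (presumably the expect-error flag) is now `false`, so this case appears to pass on whatever produces that code rather than on the past expiration given through `cli.FlagExpiration`. A comment on that line naming the error the code stands for and why it is expected, for example `0xd, // <error name>: tx fails for a reason unrelated to expiration until the block-time check lands`, would make the temporary expectation auditable. The same pattern appears in the "past time" row of `TestMsgGrantAuthorization`, which now expects a past expiration to validate. Both TODOs should point at a tracking issue so the rejection tests are restored together with the block-time check. The test case starts above the hunk.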


@ -10,7 +10,7 @@ import (
var _ authz.MsgServer = Keeper{}
// GrantAuthorization implements the MsgServer.Grant method.
// GrantAuthorization implements the MsgServer.Grant method to create a new grant.
func (k Keeper) Grant(goCtx context.Context, msg *authz.MsgGrant) (*authz.MsgGrantResponse, error) {
ctx := sdk.UnwrapSDKContext(goCtx)
grantee, err := sdk.AccAddressFromBech32(msg.Grantee)
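Review bot: The reworded doc comment still opens with `GrantAuthorization` although the method is named `Grant`; Go doc comments are expected to start with the identifier they document. Suggested: `// Grant implements the MsgServer.Grant method to create a new grant.` The method body continues past the hunk.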


@ -80,7 +80,7 @@ func TestMsgGrantAuthorization(t *testing.T) {
{"nil granter and grantee address", nil, nil, &banktypes.SendAuthorization{SpendLimit: coinsPos}, time.Now(), false, false},
{"nil authorization", granter, grantee, nil, time.Now(), true, false},
{"valid test case", granter, grantee, &banktypes.SendAuthorization{SpendLimit: coinsPos}, time.Now().AddDate(0, 1, 0), false, true},
{"past time", granter, grantee, &banktypes.SendAuthorization{SpendLimit: coinsPos}, time.Now().AddDate(0, 0, -1), false, false},
{"past time", granter, grantee, &banktypes.SendAuthorization{SpendLimit: coinsPos}, time.Now().AddDate(0, 0, -1), false, true}, // TODO need 0.45
}
for i, tc := range tests {
msg, err := authz.NewMsgGrant(