Merge pull request from GHSA-4j93-fm92-rp4m

* fix(x/auth/vesting): Add `BlockedAddr` check in `CreatePeriodicVestingAccount` * updates
2024-02-19 17:56:39 +01:00 · 2024-02-19 17:56:39 +01:00 · 54120626e9
parent f80c985adb
commit 54120626e9
4 changed files with 63 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -41,6 +41,7 @@ Ref: https://keepachangelog.com/en/1.0.0/

 ### Bug Fixes

+* (x/auth/vesting) [GHSA-4j93-fm92-rp4m](#bug-fixes) Add `BlockedAddr` check in `CreatePeriodicVestingAccount`.
 * (baseapp) [#19177](https://github.com/cosmos/cosmos-sdk/pull/19177) Fix baseapp `DefaultProposalHandler` same-sender non-sequential sequence.

 ## [v0.47.8](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.47.8) - 2024-01-22
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@ -4,9 +4,10 @@

 ## 🚀 Highlights

-This patch release includes a fix in baseapp in `DefaultProposalHandler` and <>.
+This patch release includes a fix in baseapp in `DefaultProposalHandler` and fixes [GHSA-4j93-fm92-rp4m](https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-4j93-fm92-rp4m).

 We recommended to upgrade to this patch release as soon as possible.
+When upgrading from <= v0.47.8, please ensure that 2/3 of the validator power upgrade to v0.47.9.

 Curious? Check out the [changelog](https://github.com/cosmos/cosmos-sdk/blob/v0.47.9/CHANGELOG.md) for an exhaustive list of changes or [compare changes](https://github.com/cosmos/cosmos-sdk/compare/v0.47.8...v0.47.9) from last release.

--- a/x/auth/vesting/msg_server.go
+++ b/x/auth/vesting/msg_server.go
@ -154,6 +154,10 @@ func (s msgServer) CreatePeriodicVestingAccount(goCtx context.Context, msg *type
 		return nil, err
 	}

+	if s.BankKeeper.BlockedAddr(to) {
+		return nil, sdkerrors.Wrapf(sdkerrors.ErrUnauthorized, "%s is not allowed to receive funds", msg.ToAddress)
+	}
+
 	if acc := ak.GetAccount(ctx, to); acc != nil {
 		return nil, sdkerrors.Wrapf(sdkerrors.ErrInvalidRequest, "account %s already exists", msg.ToAddress)
 	}
--- a/x/auth/vesting/msg_server_test.go
+++ b/x/auth/vesting/msg_server_test.go
@ -85,6 +85,21 @@ func (s *VestingTestSuite) TestCreateVestingAccount() {
 			expErr:    true,
 			expErrMsg: "already exists",
 		},
+		"create for blocked account": {
+			preRun: func() {
+				s.bankKeeper.EXPECT().IsSendEnabledCoins(gomock.Any(), fooCoin).Return(nil)
+				s.bankKeeper.EXPECT().BlockedAddr(to1Addr).Return(true)
+			},
+			input: vestingtypes.NewMsgCreateVestingAccount(
+				fromAddr,
+				to1Addr,
+				sdk.Coins{fooCoin},
+				time.Now().Unix(),
+				true,
+			),
+			expErr:    true,
+			expErrMsg: "not allowed to receive funds",
+		},
 		"create a valid delayed vesting account": {
 			preRun: func() {
 				s.bankKeeper.EXPECT().IsSendEnabledCoins(gomock.Any(), fooCoin).Return(nil)
@ -155,6 +170,22 @@ func (s *VestingTestSuite) TestCreatePermanentLockedAccount() {
 			expErr:    true,
 			expErrMsg: "already exists",
 		},
+		"create for blocked account": {
+			preRun: func() {
+				toAcc := s.accountKeeper.NewAccountWithAddress(s.ctx, to1Addr)
+				s.bankKeeper.EXPECT().IsSendEnabledCoins(gomock.Any(), fooCoin).Return(nil)
+				s.bankKeeper.EXPECT().BlockedAddr(to1Addr).Return(true)
+				s.accountKeeper.SetAccount(s.ctx, toAcc)
+			},
+			input: vestingtypes.NewMsgCreatePermanentLockedAccount(
+				fromAddr,
+				to1Addr,
+				sdk.Coins{fooCoin},
+			),
+			expErr:    true,
+			expErrMsg: "not allowed to receive funds",
+		},
+
 		"create a valid permanent locked account": {
 			preRun: func() {
 				s.bankKeeper.EXPECT().IsSendEnabledCoins(gomock.Any(), fooCoin).Return(nil)
@ -196,6 +227,7 @@ func (s *VestingTestSuite) TestCreatePeriodicVestingAccount() {
 		{
 			name: "create for existing account",
 			preRun: func() {
+				s.bankKeeper.EXPECT().BlockedAddr(to1Addr).Return(false)
 				toAcc := s.accountKeeper.NewAccountWithAddress(s.ctx, to1Addr)
 				s.accountKeeper.SetAccount(s.ctx, toAcc)
 			},
@ -213,10 +245,34 @@ func (s *VestingTestSuite) TestCreatePeriodicVestingAccount() {
 			expErr:    true,
 			expErrMsg: "already exists",
 		},
+		{
+			name: "create for blocked address",
+			preRun: func() {
+				s.bankKeeper.EXPECT().BlockedAddr(to2Addr).Return(true)
+			},
+			input: vestingtypes.NewMsgCreatePeriodicVestingAccount(
+				fromAddr,
+				to2Addr,
+				time.Now().Unix(),
+				[]vestingtypes.Period{
+					{
+						Length: 10,
+						Amount: sdk.NewCoins(periodCoin),
+					},
+					{
+						Length: 20,
+						Amount: sdk.NewCoins(fooCoin),
+					},
+				},
+			),
+			expErr:    true,
+			expErrMsg: "not allowed to receive funds",
+		},
 		{
 			name: "create a valid periodic vesting account",
 			preRun: func() {
 				s.bankKeeper.EXPECT().IsSendEnabledCoins(gomock.Any(), periodCoin.Add(fooCoin)).Return(nil)
+				s.bankKeeper.EXPECT().BlockedAddr(to2Addr).Return(false)
 				s.bankKeeper.EXPECT().SendCoins(gomock.Any(), fromAddr, to2Addr, gomock.Any()).Return(nil)
 			},
 			input: vestingtypes.NewMsgCreatePeriodicVestingAccount(