From 9c962530c7db21791a42e4525eff501240831a48 Mon Sep 17 00:00:00 2001
From: Facundo Medica <14063057+facundomedica@users.noreply.github.com>
Date: Thu, 16 Feb 2023 12:13:23 -0300
Subject: [PATCH 1/4] fix: avoid broadcasting tx through query (#15044)
(cherry picked from commit c884e276f2c41477011dd160e23ff448d8c5db29)
# Conflicts:
# baseapp/abci.go
---
 baseapp/abci.go | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/baseapp/abci.go b/baseapp/abci.go
index 985e4ae3b385..f5053829aa9b 100644
--- a/baseapp/abci.go
+++ b/baseapp/abci.go
@@ -435,6 +435,17 @@ func (app *BaseApp) Query(req abci.RequestQuery) (res abci.ResponseQuery) {
 req.Height = app.LastBlockHeight()
 }
 
+<<<<<<< HEAD
+=======
+ telemetry.IncrCounter(1, "query", "count")
+ telemetry.IncrCounter(1, "query", req.Path)
+ defer telemetry.MeasureSince(time.Now(), req.Path)
+
+ if req.Path == "/cosmos.tx.v1beta1.Service/BroadcastTx" {
+ return sdkerrors.QueryResult(sdkerrors.Wrap(sdkerrors.ErrInvalidRequest, "can't route a broadcast tx message"), app.trace)
+ }
+
+>>>>>>> c884e276f (fix: avoid broadcasting tx through query (#15044))
 // handle gRPC routes first rather than calling splitPath because '/' characters
 // are used as part of gRPC paths
 if grpcHandler := app.grpcQueryRouter.Route(req.Path); grpcHandler != nil {
From 60943ac6444ac1af97486c37ea3542fe3469d74d Mon Sep 17 00:00:00 2001
From: Julien Robert
Date: Thu, 16 Feb 2023 16:52:09 +0100
Subject: [PATCH 2/4] update changelog + release notes
---
 CHANGELOG.md | 16 +++++++++-------
 RELEASE_NOTES.md | 15 +++------------
 baseapp/abci.go | 7 -------
 3 files changed, 12 insertions(+), 26 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3028545b4eee..9681d234a31a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -37,11 +37,13 @@ Ref: https://keepachangelog.com/en/1.0.0/
 
 ## [Unreleased]
 
+## [v0.45.14](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.45.14) - 2023-02-16
+
 ### Features
 
 * [#14583](https://github.com/cosmos/cosmos-sdk/pull/14583) Add support for Core API.
 
-## v0.45.13 - 2023-02-09
+## [v0.45.13](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.45.13) - 2023-02-09
 
 ### Improvements
 
@@ -51,7 +53,7 @@ Ref: https://keepachangelog.com/en/1.0.0/
 
 * (store) [#14798](https://github.com/cosmos/cosmos-sdk/pull/14798) Copy btree to avoid the problem of modify while iteration.
 
-## v0.45.12 - 2023-01-23
+## [v0.45.12](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.45.12) - 2023-01-23
 
 ### Improvements
 
@@ -74,7 +76,7 @@ Ref: https://keepachangelog.com/en/1.0.0/
 * (store) [#13516](https://github.com/cosmos/cosmos-sdk/pull/13516) Fix state listener that was observing writes at wrong time.
 * (store) [#12945](https://github.com/cosmos/cosmos-sdk/pull/12945) Fix nil end semantics in store/cachekv/iterator when iterating a dirty cache.
 
-## v0.45.11 - 2022-11-09
+## [v0.45.11](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.45.11) - 2022-11-09
 
 ### Improvements
 
@@ -94,7 +96,7 @@ Ref: https://keepachangelog.com/en/1.0.0/
 
 * [#13673](https://github.com/cosmos/cosmos-sdk/pull/13673) The `GetFromFields` function now takes `Context` as an argument and removes `genOnly`.
 
-## v0.45.10 - 2022-10-24
+## [v0.45.10](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.45.10) - 2022-10-24
 
 ### Features
 
@@ -112,7 +114,7 @@ Ref: https://keepachangelog.com/en/1.0.0/
 * [#13564](https://github.com/cosmos/cosmos-sdk/pull/13564) - Fix `make proto-gen`.
 * (server) [#13610](https://github.com/cosmos/cosmos-sdk/pull/13610) Read the pruning-keep-every field again.
 
-## v0.45.9 - 2022-10-14
+## [v0.45.9](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.45.9) - 2022-10-14
 
 ATTENTION:
 
@@ -152,7 +154,7 @@ replace github.com/confio/ics23/go => github.com/cosmos/cosmos-sdk/ics23/go v0.8
 
 Reverted #12437 due to API breaking changes.
 
-## v0.45.8 - 2022-08-25
+## [v0.45.8](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.45.8) - 2022-08-25
 
 ### Improvements
 
@@ -167,7 +169,7 @@ Reverted #12437 due to API breaking changes.
 
 * [#13046](https://github.com/cosmos/cosmos-sdk/pull/13046) Fix missing return statement in BaseApp.Query.
 
-## v0.45.7 - 2022-08-04
+## [v0.45.7](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.45.7) - 2022-08-04
 
 ### Features
 
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index 3b367ba1e5d8..cca2a17b0975 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -1,6 +1,6 @@
-# Cosmos SDK v0.45.13 Release Notes
+# Cosmos SDK v0.45.14 Release Notes
 
-This release introduces one bug fix, namely [#14798](https://github.com/cosmos/cosmos-sdk/pull/14798) and a bump to Tendermint v0.34.26, as per its [security advisory](https://github.com/informalsystems/tendermint/security/advisories/GHSA-cpqw-5g6w-h8rr).
+This release fixes possible way to DoS a node.
 
 **NOTE**: Add or update the following replace in the `go.mod` of your application:
 
@@ -11,13 +11,4 @@ replace github.com/tendermint/tendermint => github.com/informalsystems/tendermin
 
 Please see the [CHANGELOG](https://github.com/cosmos/cosmos-sdk/blob/release/v0.45.x/CHANGELOG.md) for an exhaustive list of changes.
 
-**Full Commit History**: https://github.com/cosmos/cosmos-sdk/compare/v0.45.12...v0.45.13
-
-**NOTE:** The changes mentioned in `v0.45.9` are **no longer required**. The following replace directive can be removed from the chains.
-
-```go
-# Can be deleted from go.mod
-replace github.com/confio/ics23/go => github.com/cosmos/cosmos-sdk/ics23/go v0.8.0
-```
-
-Instead, `github.com/confio/ics23/go` must be **bumped to `v0.9.0`**.
+**Full Commit History**: https://github.com/cosmos/cosmos-sdk/compare/v0.45.13...v0.45.14
diff --git a/baseapp/abci.go b/baseapp/abci.go
index f5053829aa9b..059de7f2d095 100644
--- a/baseapp/abci.go
+++ b/baseapp/abci.go
@@ -435,17 +435,10 @@ func (app *BaseApp) Query(req abci.RequestQuery) (res abci.ResponseQuery) {
 req.Height = app.LastBlockHeight()
 }
 
-<<<<<<< HEAD
-=======
- telemetry.IncrCounter(1, "query", "count")
- telemetry.IncrCounter(1, "query", req.Path)
- defer telemetry.MeasureSince(time.Now(), req.Path)
-
 if req.Path == "/cosmos.tx.v1beta1.Service/BroadcastTx" {
 return sdkerrors.QueryResult(sdkerrors.Wrap(sdkerrors.ErrInvalidRequest, "can't route a broadcast tx message"), app.trace)
 }
 
->>>>>>> c884e276f (fix: avoid broadcasting tx through query (#15044))
 // handle gRPC routes first rather than calling splitPath because '/' characters
 // are used as part of gRPC paths
 if grpcHandler := app.grpcQueryRouter.Route(req.Path); grpcHandler != nil {
From 768056aecc606e4d31e2bcacd1af88c31aef77a8 Mon Sep 17 00:00:00 2001
From: Julien Robert
Date: Thu, 16 Feb 2023 16:54:12 +0100
Subject: [PATCH 3/4] word
---
 RELEASE_NOTES.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index cca2a17b0975..d0e943bff686 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -1,6 +1,6 @@
 # Cosmos SDK v0.45.14 Release Notes
 
-This release fixes possible way to DoS a node.
+This release fixes a possible way to DoS a node.
 
 **NOTE**: Add or update the following replace in the `go.mod` of your application:
 
From f27c311489369807b8a66357aea4131726880f31 Mon Sep 17 00:00:00 2001
From: Julien Robert
Date: Thu, 16 Feb 2023 17:00:45 +0100
Subject: [PATCH 4/4] update API
---
 baseapp/abci.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/baseapp/abci.go b/baseapp/abci.go
index 059de7f2d095..3b866e4f01e3 100644
--- a/baseapp/abci.go
+++ b/baseapp/abci.go
@@ -436,7 +436,7 @@ func (app *BaseApp) Query(req abci.RequestQuery) (res abci.ResponseQuery) {
 }
 
 if req.Path == "/cosmos.tx.v1beta1.Service/BroadcastTx" {
- return sdkerrors.QueryResult(sdkerrors.Wrap(sdkerrors.ErrInvalidRequest, "can't route a broadcast tx message"), app.trace)
+ return sdkerrors.QueryResultWithDebug(sdkerrors.Wrapf(sdkerrors.ErrInvalidRequest, "can't route a broadcast tx message"), app.trace)
 }
 
 // handle gRPC routes first rather than calling splitPath because '/' characters
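Review bot: The guard `if req.Path == "/cosmos.tx.v1beta1.Service/BroadcastTx"` carries no comment and, going by the diffstats of all four patches, no regression test, so a later refactor of Query could drop or reorder it without anything failing, even though the release notes describe it as a DoS fix. I would add `// Reject BroadcastTx here: Query must never broadcast a transaction (see #15044).` above the check, plus a test asserting that Query on this path returns ErrInvalidRequest before `grpcQueryRouter.Route` is consulted. The check is an exact string match, and whether a differently spelled path could still resolve to the same handler depends on how `Route` matches, which is not visible in this hunk and is worth confirming. Separately, `sdkerrors.Wrapf` is called with a constant message and no format arguments; `sdkerrors.Wrap(sdkerrors.ErrInvalidRequest, "can't route a broadcast tx message")`, as patch 1/4 had it, is the better call. The body of Query starts and ends outside the hunk.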