From 51fd9819daa9c52c172bfee13a33ed478817388c Mon Sep 17 00:00:00 2001
From: Facundo Medica <14063057+facundomedica@users.noreply.github.com>
Date: Thu, 16 Feb 2023 12:13:23 -0300
Subject: [PATCH 1/3] fix: avoid broadcasting tx through query (#15044)

(cherry picked from commit c884e276f2c41477011dd160e23ff448d8c5db29)
---
 baseapp/abci.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/baseapp/abci.go b/baseapp/abci.go
index d93779d02943..7147d6d88593 100644
--- a/baseapp/abci.go
+++ b/baseapp/abci.go
@@ -400,6 +400,10 @@ func (app *BaseApp) Query(req abci.RequestQuery) (res abci.ResponseQuery) {
 	telemetry.IncrCounter(1, "query", req.Path)
 	defer telemetry.MeasureSince(time.Now(), req.Path)
 
+	if req.Path == "/cosmos.tx.v1beta1.Service/BroadcastTx" {
+		return sdkerrors.QueryResult(sdkerrors.Wrap(sdkerrors.ErrInvalidRequest, "can't route a broadcast tx message"), app.trace)
+	}
+
 	// handle gRPC routes first rather than calling splitPath because '/' characters
 	// are used as part of gRPC paths
 	if grpcHandler := app.grpcQueryRouter.Route(req.Path); grpcHandler != nil {

From 09472c0177ee0bbbf2d7c3a74dc8287ff2c28830 Mon Sep 17 00:00:00 2001
From: Julien Robert
Date: Thu, 16 Feb 2023 16:24:49 +0100
Subject: [PATCH 2/3] update changelog + release notes

---
 CHANGELOG.md     | 2 ++
 RELEASE_NOTES.md | 7 +++----
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 04568b2d3e62..30bf59c12d83 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -37,6 +37,8 @@ Ref: https://keepachangelog.com/en/1.0.0/
 
 ## [Unreleased]
 
+## [v0.46.10](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.46.10) - 2022-02-16
+
 ### Improvements
 
 * (cli) [#14953](https://github.com/cosmos/cosmos-sdk/pull/14953) Enable profiling block replay during abci handshake with `--cpu-profile`.
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index 60f9309f9214..750a6d788437 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
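Review bot: The new guard in Query rejects only the exact literal `/cosmos.tx.v1beta1.Service/BroadcastTx`, so the protection holds only as long as that string matches the method name the gRPC query router actually serves; a renamed method, or any other state-changing service method that ends up registered on the query router, would still be reachable through ABCI Query. Since the hunk shows the router lookup `app.grpcQueryRouter.Route(req.Path)` immediately after, the more durable fix is to keep write methods out of that router at registration time (or compare against a named constant shared with the registration) rather than a one-entry denylist here. The literal also deserves a why-comment so the next reader does not treat it as dead code: `// BroadcastTx is a write path; it must never be served through ABCI Query (see #15044).` A unit test that sends a RequestQuery with this path and asserts the response carries ErrInvalidRequest would pin the behaviour. Query's body continues past the end of the hunk.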
@@ -1,8 +1,7 @@
-# Cosmos SDK v0.46.9 Release Notes
+# Cosmos SDK v0.46.10 Release Notes
 
-This release introduces bug fixes and improvements. Notably an extra config in the `app.toml`, `iavl-lazy-loading`, to enable lazy loading of IAVL store.
-Changes to be made in the `app.toml` can be found in the [CHANGELOG](https://github.com/cosmos/cosmos-sdk/blob/release/v0.46.x/CHANGELOG.md).
+This release improves CPU profiling when using the `--cpu-profile` flag, and fixes a bug when making queries.
 
 Please see the [CHANGELOG](https://github.com/cosmos/cosmos-sdk/blob/release/v0.46.x/CHANGELOG.md) for an exhaustive list of changes.
 
-Full Commit History: https://github.com/cosmos/cosmos-sdk/compare/v0.46.8...v0.46.9
+Full Commit History: https://github.com/cosmos/cosmos-sdk/compare/v0.46.9...v0.46.10

From 744c57793f79a32c6dca59c133f7efa6b5a19ab5 Mon Sep 17 00:00:00 2001
From: Julien Robert
Date: Thu, 16 Feb 2023 16:53:52 +0100
Subject: [PATCH 3/3] updates

---
 RELEASE_NOTES.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index 750a6d788437..c5f8b0140af2 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -1,6 +1,6 @@
 # Cosmos SDK v0.46.10 Release Notes
 
-This release improves CPU profiling when using the `--cpu-profile` flag, and fixes a bug when making queries.
+This release improves CPU profiling when using the `--cpu-profile` flag, and fixes a possible way to DoS a node.
 
 Please see the [CHANGELOG](https://github.com/cosmos/cosmos-sdk/blob/release/v0.46.x/CHANGELOG.md) for an exhaustive list of changes.