diff --git a/CHANGELOG.md b/CHANGELOG.md
index 30e4ca043649..4421a301f105 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -50,6 +50,10 @@ Ref: https://keepachangelog.com/en/1.0.0/
 * (client) [#10226](https://github.com/cosmos/cosmos-sdk/pull/10226) Fix --home flag parsing.
+## [v0.44.2](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.44.2) - 2021-10-12
+
+Security Release. No breaking changes related to 0.44.x.
+
 ## [v0.44.1](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.44.1) - 2021-09-29
 ### Improvements
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index 0795e40c5be5..0ef92ff1d4d7 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -1,21 +1,7 @@
-# Cosmos SDK v0.44.1 Release Notes
+# Cosmos SDK v0.44.2 Release Notes
-This release introduces bug fixes and improvements on the Cosmos SDK v0.44 series.
+Recently, the Cosmos-SDK team became aware of a high-severity security vulnerability that impacts Cosmos-SDK v0.43.x and v0.44.x and can result in a consensus halt. User funds are NOT at risk; however, the vulnerability can result in a chain halt. This vulnerability does not impact the current Cosmos Hub, though other Cosmos-SDK based blockchains using v0.43.x or v0.44.x may be affected and are advised to update to v0.44.2 immediately.
-The main bug fix concerns all users performing in-place store migrations from v0.42 to v0.44. A source of non-determinism in the upgrade process has been [detected and fixed](https://github.com/cosmos/cosmos-sdk/pull/10189) in this release, causing consensus errors. As such, **v0.44.0 is not safe to use when performing v0.42->v0.44 in-place store upgrades**, please use this release v0.44.1 instead. This does not impact genesis JSON dump upgrades nor fresh chains starting with v0.44.
+Nodes can update their software independently of each other (no coordinated chain restart necessary), but should do so as soon as they are able.
-Another bug fix concerns calling the ABCI `Query` method using `client.Context`. We modified ABCI queries to use `abci.QueryRequest`'s `Height` field if it is non-zero, otherwise continue using `client.Context`'s height. This is a minor client-breaking change for users of the `client.Context`.
-
-Some CLI fixes are also included, such as:
-
-- using pre-configured data for the CLI `add-genesis-account` command ([\#9969](https://github.com/cosmos/cosmos-sdk/pull/9969)),
-- ensuring the `init` command reads the `--home` flag value correctly ([#10104](https://github.com/cosmos/cosmos-sdk/pull/10104)),
-- fixing the error message when `period` or `period-limit` flag is not set on a feegrant grant transaction [\#10049](https://github.com/cosmos/cosmos-sdk/issues/10049).
-
-v0.44.1 also includes performance improvements, namely:
-
-- IAVL update to v0.17.1 which includes performance improvements on a batch load [\#10040](https://github.com/cosmos/cosmos-sdk/pull/10040),
-- Speedup coins.AmountOf(), by removing many intermittent regex calls [\#10021](https://github.com/cosmos/cosmos-sdk/pull/10021),
-- Improve CacheKVStore datastructures / algorithms, to no longer take O(N^2) time when interleaving iterators and insertions [\#10026](https://github.com/cosmos/cosmos-sdk/pull/10026).
-
-See the [Cosmos SDK v0.44.1 milestone](https://github.com/cosmos/cosmos-sdk/milestone/56?closed=1) on our issue tracker for the exhaustive list of all changes.
+A full disclosure will be published a week after the release.
diff --git a/x/authz/authorization_grant.go b/x/authz/authorization_grant.go
index f5ebf8797be0..a873499b621b 100644
--- a/x/authz/authorization_grant.go
+++ b/x/authz/authorization_grant.go
@@ -10,7 +10,11 @@ import (
 )
 // NewGrant returns new Grant
-func NewGrant(a Authorization, expiration time.Time) (Grant, error) {
+func NewGrant( /*blockTime time.Time, */ a Authorization, expiration time.Time) (Grant, error) {
+ // TODO: add this for 0.45
+ // if !expiration.After(blockTime) {
+ // return Grant{}, sdkerrors.ErrInvalidRequest.Wrapf("expiration must be after the current block time (%v), got %v", blockTime.Format(time.RFC3339), expiration.Format(time.RFC3339))
+ // }
 g := Grant{
 Expiration: expiration,
 }
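Review bot: NewGrant now performs no expiration check at all, and the only guidance left is a commented-out parameter in the signature and a commented-out body. Together with the `time.Now()` comparison removed from `ValidateBasic` in the next hunk of this file, nothing visible in this diff rejects a grant whose expiration is already in the past; the `Grant` handler in x/authz/keeper/msg_server.go changes only its comment. Dropping the wall-clock read from stateless validation is presumably the fix for the consensus halt described in the release notes, since validators can disagree on `time.Now()`, but the replacement check against block time is deferred to 0.45. Until then, replace the `/*blockTime time.Time, */` fragment with a doc comment such as `// NewGrant returns a new Grant. It does not validate expiration; callers must compare it with the block time.` and confirm that the code path that uses a grant (outside this diff) still rejects expired ones. The function body continues past the end of the hunk.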
@@ -51,10 +55,6 @@ func (g Grant) GetAuthorization() Authorization {
 }
 func (g Grant) ValidateBasic() error {
- if g.Expiration.Unix() < time.Now().Unix() {
- return sdkerrors.Wrap(ErrInvalidExpirationTime, "Time can't be in the past")
- }
-
-
 av := g.Authorization.GetCachedValue()
 a, ok := av.(Authorization)
 if !ok {
diff --git a/x/authz/authorization_grant_test.go b/x/authz/authorization_grant_test.go
new file mode 100644
index 000000000000..9f9f00108c73
--- /dev/null
+++ b/x/authz/authorization_grant_test.go
@@ -0,0 +1,44 @@
+package authz
+
+import (
+ "testing"
+ "time"
+
+ // banktypes "github.com/cosmos/cosmos-sdk/x/bank/types"
+ "github.com/stretchr/testify/require"
+)
+
+func expecError(r *require.Assertions, expected string, received error) {
+ if expected == "" {
+ r.NoError(received)
+ } else {
+ r.Error(received)
+ r.Contains(received.Error(), expected)
+ }
+}
+
+func TestNewGrant(t *testing.T) {
+ // ba := banktypes.NewSendAuthorization(sdk.NewCoins(sdk.NewInt64Coin("foo", 123)))
+ a := NewGenericAuthorization("some-type")
+ var tcs = []struct {
+ title string
+ a Authorization
+ blockTime time.Time
+ expire time.Time
+ err string
+ }{
+ // {"wrong expire time (1)", a, time.Unix(10, 0), time.Unix(8, 0), "expiration must be after"},
+ // {"wrong expire time (2)", a, time.Unix(10, 0), time.Unix(10, 0), "expiration must be after"},
+ {"good expire time (1)", a, time.Unix(10, 0), time.Unix(10, 1), ""},
+ {"good expire time (2)", a, time.Unix(10, 0), time.Unix(11, 0), ""},
+ }
+
+ for _, tc := range tcs {
+ t.Run(tc.title, func(t *testing.T) {
+ // _, err := NewGrant(tc.blockTime, tc.a, tc.expire)
+ _, err := NewGrant(tc.a, tc.expire)
+ expecError(require.New(t), tc.err, err)
+ })
+ }
+
+}
diff --git a/x/authz/client/testutil/tx.go b/x/authz/client/testutil/tx.go
index 10932d9bda23..ac003ef13b91 100644
--- a/x/authz/client/testutil/tx.go
+++ b/x/authz/client/testutil/tx.go
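Review bot: TestNewGrant in x/authz/authorization_grant_test.go only exercises the two accepting cases, so it would still pass if NewGrant stored any expiration whatsoever; the rejecting rows and the `blockTime` argument are commented out, which leaves the `blockTime` field of the table unused. Keeping the disabled cases visible in test output, for example a subtest that calls `t.Skip("expiration check against block time lands in v0.45")`, is easier to track than commented-out rows. The helper name `expecError` looks like a typo for `expectError`, and the commented-out `banktypes` import and `ba :=` line can be dropped.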
@@ -127,11 +127,11 @@ func (s *IntegrationTestSuite) TestCLITxGrantAuthorization() {
 "send",
 fmt.Sprintf("--%s=100steak", cli.FlagSpendLimit),
 fmt.Sprintf("--%s=%s", flags.FlagFrom, val.Address.String()),
- fmt.Sprintf("--%s=true", flags.FlagGenerateOnly),
+ fmt.Sprintf("--%s=true", flags.FlagSkipConfirmation),
 fmt.Sprintf("--%s=%d", cli.FlagExpiration, pastHour),
 },
- 0,
- true,
+ 0xd,
+ false, // TODO: enable in v0.45
 },
 {
 "fail with error invalid msg-type",
diff --git a/x/authz/keeper/msg_server.go b/x/authz/keeper/msg_server.go
index e13b29fbd4de..2e5183865a2a 100644
--- a/x/authz/keeper/msg_server.go
+++ b/x/authz/keeper/msg_server.go
@@ -10,7 +10,7 @@ import (
 )
 var _ authz.MsgServer = Keeper{}
-// GrantAuthorization implements the MsgServer.Grant method.
+// GrantAuthorization implements the MsgServer.Grant method to create a new grant.
 func (k Keeper) Grant(goCtx context.Context, msg *authz.MsgGrant) (*authz.MsgGrantResponse, error) {
 ctx := sdk.UnwrapSDKContext(goCtx)
 grantee, err := sdk.AccAddressFromBech32(msg.Grantee)
diff --git a/x/authz/msgs_test.go b/x/authz/msgs_test.go
index 7a41c1befb5d..c7b4192d3783 100644
--- a/x/authz/msgs_test.go
+++ b/x/authz/msgs_test.go
@@ -80,7 +80,7 @@ func TestMsgGrantAuthorization(t *testing.T) {
 {"nil granter and grantee address", nil, nil, &banktypes.SendAuthorization{SpendLimit: coinsPos}, time.Now(), false, false},
 {"nil authorization", granter, grantee, nil, time.Now(), true, false},
 {"valid test case", granter, grantee, &banktypes.SendAuthorization{SpendLimit: coinsPos}, time.Now().AddDate(0, 1, 0), false, true},
- {"past time", granter, grantee, &banktypes.SendAuthorization{SpendLimit: coinsPos}, time.Now().AddDate(0, 0, -1), false, false},
+ {"past time", granter, grantee, &banktypes.SendAuthorization{SpendLimit: coinsPos}, time.Now().AddDate(0, 0, -1), false, true}, // TODO need 0.45
 }
 for i, tc := range tests {
 msg, err := authz.NewMsgGrant(
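Review bot: The new expected value `0xd` in x/authz/client/testutil/tx.go is an unexplained hex literal where the previous entry was decimal `0`; if this column is the expected response code (the table's struct definition is outside the hunk), a reader cannot tell which error a past `--expiration` is now meant to produce. Because the case also switches from `FlagGenerateOnly` to `FlagSkipConfirmation`, it now appears to broadcast the transaction, so the code may come from an unrelated check rather than from expiration handling; that is worth confirming. Suggest writing it as `13, // response code expected until the block-time expiration check lands in v0.45` and naming the error in the comment. The test function starts and ends outside the hunk.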
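Review bot: The doc comment in x/authz/keeper/msg_server.go still opens with `GrantAuthorization` although the method is named `Grant`; Go doc convention is to start with the identifier, e.g. `// Grant implements the MsgServer.Grant method to create a new grant.` This handler obtains the block context through `sdk.UnwrapSDKContext(goCtx)`, so the comment is also the natural place to state whether expiration is validated here now that stateless validation no longer does it. The method body continues outside the hunk, so a check further down cannot be ruled out from what is shown.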
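Review bot: The `past time` row in x/authz/msgs_test.go now expects validation to succeed, which pins acceptance of an already-expired grant as the intended result, and the trailing `// TODO need 0.45` does not say why. A clearer comment would be `// ValidateBasic must not read the wall clock; past expirations are rejected against block time from v0.45`. The table and the loop both extend beyond the hunk.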