From c960e7e50828c9df6a2e6d5452616c9c809b364e Mon Sep 17 00:00:00 2001
From: Michael FIG <mfig@agoric.com>
Date: Wed, 8 Sep 2021 13:55:02 -0600
Subject: [PATCH] fix(baseapp): prevent queries for future (or in-progress)
 blocks

---
 baseapp/abci.go      | 25 ++++++++++++++++++++++---
 baseapp/abci_test.go | 20 ++++++++++++++++++++
 2 files changed, 42 insertions(+), 3 deletions(-)

diff --git a/baseapp/abci.go b/baseapp/abci.go
index f233865aab82..4ead31f22624 100644
--- a/baseapp/abci.go
+++ b/baseapp/abci.go
@@ -416,8 +416,18 @@ func (app *BaseApp) Query(req abci.RequestQuery) (res abci.ResponseQuery) {
 	}()
 
 	// when a client did not provide a query height, manually inject the latest
+	lastHeight := app.LastBlockHeight()
 	if req.Height == 0 {
-		req.Height = app.LastBlockHeight()
+		req.Height = lastHeight
+	}
+	if req.Height > lastHeight {
+		return sdkerrors.QueryResult(
+			sdkerrors.Wrapf(
+				sdkerrors.ErrInvalidHeight,
+				"given height %d is greater than latest height %d",
+				req.Height, lastHeight,
+			),
+		)
 	}
 
 	// handle gRPC routes first rather than calling splitPath because '/' characters
@@ -428,7 +438,7 @@ func (app *BaseApp) Query(req abci.RequestQuery) (res abci.ResponseQuery) {
 
 	path := splitPath(req.Path)
 	if len(path) == 0 {
-		sdkerrors.QueryResult(sdkerrors.Wrap(sdkerrors.ErrUnknownRequest, "no query path provided"))
+		return sdkerrors.QueryResult(sdkerrors.Wrap(sdkerrors.ErrUnknownRequest, "no query path provided"))
 	}
 
 	switch path[0] {
@@ -628,8 +638,17 @@ func (app *BaseApp) createQueryContext(height int64, prove bool) (sdk.Context, e
 	}
 
 	// when a client did not provide a query height, manually inject the latest
+	lastHeight := app.LastBlockHeight()
 	if height == 0 {
-		height = app.LastBlockHeight()
+		height = lastHeight
+	}
+	if height > lastHeight {
+		return sdk.Context{}, sdkerrors.Wrapf(
+			sdkerrors.ErrInvalidRequest,
+			"cannot query with height %d; last height is %d",
+			height,
+			lastHeight,
+		)
 	}
 
 	if height <= 1 && prove {
diff --git a/baseapp/abci_test.go b/baseapp/abci_test.go
index 8a61a0aebfc2..130cd0fb0a52 100644
--- a/baseapp/abci_test.go
+++ b/baseapp/abci_test.go
@@ -139,3 +139,23 @@ func TestBaseAppCreateQueryContextRejectsNegativeHeights(t *testing.T) {
 		})
 	}
 }
+
+func TestBaseAppCreateQueryContextRejectsFutureHeights(t *testing.T) {
+	t.Parallel()
+
+	logger := defaultLogger()
+	db := dbm.NewMemDB()
+	name := t.Name()
+	app := NewBaseApp(name, logger, db, nil)
+
+	proves := []bool{
+		false, true,
+	}
+	for _, prove := range proves {
+		t.Run(fmt.Sprintf("prove=%t", prove), func(t *testing.T) {
+			sctx, err := app.createQueryContext(30, true)
+			require.Error(t, err)
+			require.Equal(t, sctx, sdk.Context{})
+		})
+	}
+}