backpoort GHSA-mvm6-gfm2-89xj (cosmos#8872)

Co-authored-by: Jonathan Gimeno <[email protected]>

CHANGELOG.md

@@ -43,6 +43,8 @@ Ref: https://keepachangelog.com/en/1.0.0/
 
 ## [v0.39.3]
 
+This release fixes security vulnerability identified in the simapp.
+
 ### Improvements
 
 * (deps) Bump IAVL to v0.14.3.

simapp/app.go

@@ -72,11 +72,6 @@ var (
 		staking.NotBondedPoolName: {supply.Burner, supply.Staking},
 		gov.ModuleName:            {supply.Burner},
 	}
-
-	// module accounts that are allowed to receive tokens
-	allowedReceivingModAcc = map[string]bool{
-		distr.ModuleName: true,
-	}
 )
 
 // MakeCodec - custom tx codec
@@ -174,7 +169,7 @@ func NewSimApp(
 		app.cdc, keys[auth.StoreKey], app.subspaces[auth.ModuleName], auth.ProtoBaseAccount,
 	)
 	app.BankKeeper = bank.NewBaseKeeper(
-		app.AccountKeeper, app.subspaces[bank.ModuleName], app.BlacklistedAccAddrs(),
+		app.AccountKeeper, app.subspaces[bank.ModuleName], app.ModuleAccountAddrs(),
 	)
 	app.SupplyKeeper = supply.NewKeeper(
 		app.cdc, keys[supply.StoreKey], app.AccountKeeper, app.BankKeeper, maccPerms,
@@ -331,16 +326,6 @@ func (app *SimApp) ModuleAccountAddrs() map[string]bool {
 	return modAccAddrs
 }
 
-// BlacklistedAccAddrs returns all the app's module account addresses black listed for receiving tokens.
-func (app *SimApp) BlacklistedAccAddrs() map[string]bool {
-	blacklistedAddrs := make(map[string]bool)
-	for acc := range maccPerms {
-		blacklistedAddrs[supply.NewModuleAddress(acc).String()] = !allowedReceivingModAcc[acc]
-	}
-
-	return blacklistedAddrs
-}
-
 // Codec returns SimApp's codec.
 //
 // NOTE: This is solely to be used for testing purposes as it may be desirable

simapp/app_test.go

@@ -42,7 +42,11 @@ func TestBlackListedAddrs(t *testing.T) {
 	app := NewSimApp(log.NewTMLogger(log.NewSyncWriter(os.Stdout)), db, nil, true, map[int64]bool{}, 0)
 
 	for acc := range maccPerms {
-		require.Equal(t, !allowedReceivingModAcc[acc], app.BankKeeper.BlacklistedAddr(app.SupplyKeeper.GetModuleAddress(acc)))
+		require.True(
+			t,
+			app.BankKeeper.BlacklistedAddr(app.SupplyKeeper.GetModuleAddress(acc)),
+			"ensure that blocked addresses are properly set in bank keeper",
+		)
 	}
 }
 

x/bank/app_test.go

@@ -5,9 +5,6 @@ import (
 
 	"github.com/stretchr/testify/require"
 
-	"github.com/cosmos/cosmos-sdk/x/distribution"
-	"github.com/cosmos/cosmos-sdk/x/supply"
-
 	abci "github.com/tendermint/tendermint/abci/types"
 	"github.com/tendermint/tendermint/crypto"
 	"github.com/tendermint/tendermint/crypto/secp256k1"
@@ -140,15 +137,6 @@ func TestSendToModuleAcc(t *testing.T) {
 			expFromBalance: coins,
 			expToBalance:   sdk.NewCoins(),
 		},
-		{
-			name:           "Allowed module account can be the recipient of bank sends",
-			fromBalance:    coins,
-			msg:            types.NewMsgSend(addr1, supply.NewModuleAddress(distribution.ModuleName), coins),
-			expPass:        true,
-			expSimPass:     true,
-			expFromBalance: sdk.NewCoins(),
-			expToBalance:   coins,
-		},
 	}
 
 	for _, test := range tests {

x/bank/internal/keeper/keeper_test.go

@@ -96,7 +96,7 @@ func TestKeeper(t *testing.T) {
 	// Test retrieving black listed accounts
 	for acc := range simapp.GetMaccPerms() {
 		addr := supply.NewModuleAddress(acc)
-		require.Equal(t, app.BlacklistedAccAddrs()[addr.String()], app.BankKeeper.BlacklistedAddr(addr))
+		require.Equal(t, app.ModuleAccountAddrs()[addr.String()], app.BankKeeper.BlacklistedAddr(addr))
 	}
 }