From 463f184c598eeda30c9fc20baf7a3b4cffe27a27 Mon Sep 17 00:00:00 2001
From: Julien Robert <julien@rbrt.fr>
Date: Mon, 19 Feb 2024 17:56:39 +0100
Subject: [PATCH] Merge pull request from GHSA-4j93-fm92-rp4m

* fix(x/auth/vesting): Add `BlockedAddr` check in `CreatePeriodicVestingAccount`

* updates
---
 CHANGELOG.md                      |  1 +
 RELEASE_NOTES.md                  |  3 +-
 x/auth/vesting/msg_server.go      |  4 +++
 x/auth/vesting/msg_server_test.go | 56 +++++++++++++++++++++++++++++++
 4 files changed, 63 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 09cc45ca019e..166f12ae0498 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -41,6 +41,7 @@ Ref: https://keepachangelog.com/en/1.0.0/
 
 ### Bug Fixes
 
+* (x/auth/vesting) [GHSA-4j93-fm92-rp4m](#bug-fixes) Add `BlockedAddr` check in `CreatePeriodicVestingAccount`.
 * (baseapp) [#19177](https://github.com/cosmos/cosmos-sdk/pull/19177) Fix baseapp `DefaultProposalHandler` same-sender non-sequential sequence.
 
 ## [v0.47.8](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.47.8) - 2024-01-22
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index a58b5b941767..22136c6608bf 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -4,9 +4,10 @@
 
 ## 🚀 Highlights
 
-This patch release includes a fix in baseapp in `DefaultProposalHandler` and <>.
+This patch release includes a fix in baseapp in `DefaultProposalHandler` and fixes [GHSA-4j93-fm92-rp4m](https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-4j93-fm92-rp4m).
 
 We recommended to upgrade to this patch release as soon as possible.
+When upgrading from <= v0.47.8, please ensure that 2/3 of the validator power upgrade to v0.47.9.
 
 Curious? Check out the [changelog](https://github.com/cosmos/cosmos-sdk/blob/v0.47.9/CHANGELOG.md) for an exhaustive list of changes or [compare changes](https://github.com/cosmos/cosmos-sdk/compare/v0.47.8...v0.47.9) from last release.
 
diff --git a/x/auth/vesting/msg_server.go b/x/auth/vesting/msg_server.go
index 33dd56861cb1..1c94f780b06e 100644
--- a/x/auth/vesting/msg_server.go
+++ b/x/auth/vesting/msg_server.go
@@ -154,6 +154,10 @@ func (s msgServer) CreatePeriodicVestingAccount(goCtx context.Context, msg *type
 		return nil, err
 	}
 
+	if s.BankKeeper.BlockedAddr(to) {
+		return nil, sdkerrors.Wrapf(sdkerrors.ErrUnauthorized, "%s is not allowed to receive funds", msg.ToAddress)
+	}
+
 	if acc := ak.GetAccount(ctx, to); acc != nil {
 		return nil, sdkerrors.Wrapf(sdkerrors.ErrInvalidRequest, "account %s already exists", msg.ToAddress)
 	}
diff --git a/x/auth/vesting/msg_server_test.go b/x/auth/vesting/msg_server_test.go
index 18205f705b2a..baa092d30d33 100644
--- a/x/auth/vesting/msg_server_test.go
+++ b/x/auth/vesting/msg_server_test.go
@@ -85,6 +85,21 @@ func (s *VestingTestSuite) TestCreateVestingAccount() {
 			expErr:    true,
 			expErrMsg: "already exists",
 		},
+		"create for blocked account": {
+			preRun: func() {
+				s.bankKeeper.EXPECT().IsSendEnabledCoins(gomock.Any(), fooCoin).Return(nil)
+				s.bankKeeper.EXPECT().BlockedAddr(to1Addr).Return(true)
+			},
+			input: vestingtypes.NewMsgCreateVestingAccount(
+				fromAddr,
+				to1Addr,
+				sdk.Coins{fooCoin},
+				time.Now().Unix(),
+				true,
+			),
+			expErr:    true,
+			expErrMsg: "not allowed to receive funds",
+		},
 		"create a valid delayed vesting account": {
 			preRun: func() {
 				s.bankKeeper.EXPECT().IsSendEnabledCoins(gomock.Any(), fooCoin).Return(nil)
@@ -155,6 +170,22 @@ func (s *VestingTestSuite) TestCreatePermanentLockedAccount() {
 			expErr:    true,
 			expErrMsg: "already exists",
 		},
+		"create for blocked account": {
+			preRun: func() {
+				toAcc := s.accountKeeper.NewAccountWithAddress(s.ctx, to1Addr)
+				s.bankKeeper.EXPECT().IsSendEnabledCoins(gomock.Any(), fooCoin).Return(nil)
+				s.bankKeeper.EXPECT().BlockedAddr(to1Addr).Return(true)
+				s.accountKeeper.SetAccount(s.ctx, toAcc)
+			},
+			input: vestingtypes.NewMsgCreatePermanentLockedAccount(
+				fromAddr,
+				to1Addr,
+				sdk.Coins{fooCoin},
+			),
+			expErr:    true,
+			expErrMsg: "not allowed to receive funds",
+		},
+
 		"create a valid permanent locked account": {
 			preRun: func() {
 				s.bankKeeper.EXPECT().IsSendEnabledCoins(gomock.Any(), fooCoin).Return(nil)
@@ -196,6 +227,7 @@ func (s *VestingTestSuite) TestCreatePeriodicVestingAccount() {
 		{
 			name: "create for existing account",
 			preRun: func() {
+				s.bankKeeper.EXPECT().BlockedAddr(to1Addr).Return(false)
 				toAcc := s.accountKeeper.NewAccountWithAddress(s.ctx, to1Addr)
 				s.accountKeeper.SetAccount(s.ctx, toAcc)
 			},
@@ -213,10 +245,34 @@ func (s *VestingTestSuite) TestCreatePeriodicVestingAccount() {
 			expErr:    true,
 			expErrMsg: "already exists",
 		},
+		{
+			name: "create for blocked address",
+			preRun: func() {
+				s.bankKeeper.EXPECT().BlockedAddr(to2Addr).Return(true)
+			},
+			input: vestingtypes.NewMsgCreatePeriodicVestingAccount(
+				fromAddr,
+				to2Addr,
+				time.Now().Unix(),
+				[]vestingtypes.Period{
+					{
+						Length: 10,
+						Amount: sdk.NewCoins(periodCoin),
+					},
+					{
+						Length: 20,
+						Amount: sdk.NewCoins(fooCoin),
+					},
+				},
+			),
+			expErr:    true,
+			expErrMsg: "not allowed to receive funds",
+		},
 		{
 			name: "create a valid periodic vesting account",
 			preRun: func() {
 				s.bankKeeper.EXPECT().IsSendEnabledCoins(gomock.Any(), periodCoin.Add(fooCoin)).Return(nil)
+				s.bankKeeper.EXPECT().BlockedAddr(to2Addr).Return(false)
 				s.bankKeeper.EXPECT().SendCoins(gomock.Any(), fromAddr, to2Addr, gomock.Any()).Return(nil)
 			},
 			input: vestingtypes.NewMsgCreatePeriodicVestingAccount(