diff --git a/x/auth/tx/decoder.go b/x/auth/tx/decoder.go
index 74b20621690b..05821f29bf23 100644
--- a/x/auth/tx/decoder.go
+++ b/x/auth/tx/decoder.go
@@ -1,12 +1,9 @@
 package tx
 
 import (
- gogoproto "github.com/cosmos/gogoproto/proto"
+ "fmt"
 
- txv1beta1 "cosmossdk.io/api/cosmos/tx/v1beta1"
- "cosmossdk.io/core/address"
- errorsmod "cosmossdk.io/errors"
- "cosmossdk.io/x/tx/decode"
+ "google.golang.org/protobuf/encoding/protowire"
 
 "github.com/cosmos/cosmos-sdk/codec"
 sdk "github.com/cosmos/cosmos-sdk/types"
@@ -17,8 +14,16 @@ import (
 // DefaultJSONTxDecoder returns a default protobuf JSON TxDecoder using the provided Marshaler.
 func DefaultJSONTxDecoder(addrCodec address.Codec, cdc codec.Codec, decoder *decode.Decoder) sdk.TxDecoder {
 return func(txBytes []byte) (sdk.Tx, error) {
- var jsonTx tx.Tx
- err := cdc.UnmarshalJSON(txBytes, &jsonTx)
+ // Make sure txBytes follow ADR-027.
+ err := rejectNonADR027(txBytes)
+ if err != nil {
+ return nil, sdkerrors.Wrap(sdkerrors.ErrTxDecode, err.Error())
+ }
+
+ var raw tx.TxRaw
+
+ // reject all unknown proto fields in the root TxRaw
+ err = unknownproto.RejectUnknownFieldsStrict(txBytes, &raw, cdc.InterfaceRegistry())
 if err != nil {
 return nil, errorsmod.Wrap(sdkerrors.ErrTxDecode, err.Error())
 }
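Review bot: The import block drops `"cosmossdk.io/core/address"`, `errorsmod "cosmossdk.io/errors"` and `"cosmossdk.io/x/tx/decode"`, yet the unchanged lines of the next hunk still use `address.Codec`, `*decode.Decoder` and `errorsmod.Wrap`. As shown, the file should fail to compile unless those names come into scope in import lines 10–13, which this commit leaves untouched and which are not visible here. The added code also calls `unknownproto.RejectUnknownFieldsStrict` and `sdkerrors.Wrap` without this hunk adding an import for either package. Either keep the three removed imports, or change the signature and the remaining `errorsmod.Wrap` call in the same commit.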
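Review bot: `DefaultJSONTxDecoder` no longer calls `cdc.UnmarshalJSON`; it now runs `rejectNonADR027(txBytes)` and `unknownproto.RejectUnknownFieldsStrict(txBytes, &raw, ...)`, both of which check protobuf wire bytes, on input its doc comment still describes as protobuf JSON. A JSON document is not a wire-format `TxRaw`, so these checks would presumably fail for every JSON-encoded transaction. Canonical-encoding and unknown-field rejection belong on the binary decode path, where they keep the signed bytes unambiguous. If the JSON path is meant to stay, keep `var jsonTx tx.Tx` and `err := cdc.UnmarshalJSON(txBytes, &jsonTx)` here; if the function is becoming a binary decoder, rename it and update the comment. The two error returns also mix `sdkerrors.Wrap` and `errorsmod.Wrap`, and the closure body continues past the end of this hunk.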
@@ -50,3 +55,77 @@ func DefaultJSONTxDecoder(addrCodec address.Codec, cdc codec.Codec, decoder *dec
 return newWrapperFromDecodedTx(addrCodec, cdc, decodedTx)
 }
 }
+
+// rejectNonADR027 rejects txBytes that do not follow ADR-027. This function
+// only checks that:
+// - field numbers are in ascending order (1, 2, and potentially multiple 3s),
+// - and varints as as short as possible.
+// All other ADR-027 edge cases (e.g. TxRaw fields having default values) will
+// not happen with TxRaw.
+func rejectNonADR027(txBytes []byte) error {
+ // Make sure all fields are ordered in ascending order with this variable.
+ prevTagNum := protowire.Number(0)
+
+ for len(txBytes) > 0 {
+ tagNum, wireType, m := protowire.ConsumeTag(txBytes)
+ if m < 0 {
+ return fmt.Errorf("invalid length; %w", protowire.ParseError(m))
+ }
+ if wireType != protowire.BytesType {
+ return fmt.Errorf("expected %d wire type, got %d", protowire.VarintType, wireType)
+ }
+ if tagNum < prevTagNum {
+ return fmt.Errorf("txRaw must follow ADR-027, got tagNum %d after tagNum %d", tagNum, prevTagNum)
+ }
+ prevTagNum = tagNum
+
+ // All 3 fields of TxRaw have wireType == 2, so their next component
+ // is a varint.
+ // We make sure that the varint is as short as possible.
+ lengthPrefix, m := protowire.ConsumeVarint(txBytes[m:])
+ if m < 0 {
+ return fmt.Errorf("invalid length; %w", protowire.ParseError(m))
+ }
+ n := varintMinLength(lengthPrefix)
+ if n != m {
+ return fmt.Errorf("length prefix varint for tagNum %d is not as short as possible, read %d, only need %d", tagNum, m, n)
+ }
+
+ // Skip over the bytes that store fieldNumber and wireType bytes.
+ _, _, m = protowire.ConsumeField(txBytes)
+ if m < 0 {
+ return fmt.Errorf("invalid length; %w", protowire.ParseError(m))
+ }
+ txBytes = txBytes[m:]
+ }
+
+ return nil
+}
+
+// varintMinLength returns the minimum number of bytes necessary to encode an
+// uint using varint encoding.
+func varintMinLength(n uint64) int {
+ switch {
+ // Note: 1<