From ba69bd4992b3631a26b2278c7ce92e437fd64c0e Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Tue, 20 Feb 2024 15:32:05 +0100 Subject: [PATCH] imp: deny selected client types from VerifyMembership rpc (#5871) (#5877) * chore: add client status check to verify membership rpc * imp: deny selected client types from VerifyMembership rpc (cherry picked from commit 4f14cfd8ea11763793d5ab4dc36c030b507726b2) Co-authored-by: Damian Nolan --- modules/core/02-client/keeper/grpc_query.go | 11 +++++++++++ .../core/02-client/keeper/grpc_query_test.go | 18 ++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/modules/core/02-client/keeper/grpc_query.go b/modules/core/02-client/keeper/grpc_query.go index 01cbaacdc2f..9ba5241fe57 100644 --- a/modules/core/02-client/keeper/grpc_query.go +++ b/modules/core/02-client/keeper/grpc_query.go @@ -4,6 +4,7 @@ import ( "bytes" "context" "fmt" + "slices" "sort" "strings" @@ -341,6 +342,16 @@ func (k Keeper) VerifyMembership(c context.Context, req *types.QueryVerifyMember return nil, status.Error(codes.InvalidArgument, err.Error()) } + clientType, _, err := types.ParseClientIdentifier(req.ClientId) + if err != nil { + return nil, status.Error(codes.InvalidArgument, err.Error()) + } + + denyClients := []string{exported.Localhost, exported.Solomachine} + if slices.Contains(denyClients, clientType) { + return nil, status.Error(codes.InvalidArgument, errorsmod.Wrapf(types.ErrInvalidClientType, "verify membership is disabled for client types %s", denyClients).Error()) + } + if len(req.Proof) == 0 { return nil, status.Error(codes.InvalidArgument, "empty proof") } diff --git a/modules/core/02-client/keeper/grpc_query_test.go b/modules/core/02-client/keeper/grpc_query_test.go index 75520f1935c..379e9ea2670 100644 --- a/modules/core/02-client/keeper/grpc_query_test.go +++ b/modules/core/02-client/keeper/grpc_query_test.go @@ -713,6 +713,24 @@ func (suite *KeeperTestSuite) TestQueryVerifyMembershipProof() { }, host.ErrInvalidID, }, + { + "localhost client ID is denied", + func() { + req = &types.QueryVerifyMembershipRequest{ + ClientId: exported.LocalhostClientID, + } + }, + types.ErrInvalidClientType, + }, + { + "solomachine client ID is denied", + func() { + req = &types.QueryVerifyMembershipRequest{ + ClientId: types.FormatClientIdentifier(exported.Solomachine, 1), + } + }, + types.ErrInvalidClientType, + }, { "empty proof", func() {