validate sign tx request's body

Closes: #3176
cosmos · Dec 20, 2018 · 266a9dd · 266a9dd
1 parent 5a13e75
commit 266a9dd
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 26 deletions.
diff --git a/PENDING.md b/PENDING.md
@@ -41,6 +41,7 @@ FEATURES
 IMPROVEMENTS
 
 * Gaia REST API (`gaiacli advanced rest-server`)
+  * [\#3176](https://github.com/cosmos/cosmos-sdk/issues/3176) Validate tx/sign endpoint POST body.
 
 * Gaia CLI  (`gaiacli`)
 

diff --git a/client/lcd/lcd_test.go b/client/lcd/lcd_test.go
@@ -17,6 +17,7 @@ import (
 
 	client "github.com/cosmos/cosmos-sdk/client"
 	"github.com/cosmos/cosmos-sdk/client/tx"
+	"github.com/cosmos/cosmos-sdk/client/utils"
 	"github.com/cosmos/cosmos-sdk/cmd/gaia/app"
 
 	"github.com/cosmos/cosmos-sdk/crypto/keys/mintkey"
@@ -246,12 +247,14 @@ func TestCoinSendGenerateSignAndBroadcast(t *testing.T) {
 	var signedMsg auth.StdTx
 
 	payload := authrest.SignBody{
-		Tx:               msg,
-		LocalAccountName: name1,
-		Password:         pw,
-		ChainID:          viper.GetString(client.FlagChainID),
-		AccountNumber:    accnum,
-		Sequence:         sequence,
+		Tx: msg,
+		BaseReq: utils.BaseReq{
+			Name:          name1,
+			Password:      pw,
+			ChainID:       viper.GetString(client.FlagChainID),
+			AccountNumber: accnum,
+			Sequence:      sequence,
+		},
 	}
 	json, err := cdc.MarshalJSON(payload)
 	require.Nil(t, err)

diff --git a/client/lcd/test_helpers.go b/client/lcd/test_helpers.go
@@ -643,12 +643,14 @@ func getAccount(t *testing.T, port string, addr sdk.AccAddress) auth.Account {
 func doSign(t *testing.T, port, name, password, chainID string, accnum, sequence uint64, msg auth.StdTx) auth.StdTx {
 	var signedMsg auth.StdTx
 	payload := authrest.SignBody{
-		Tx:               msg,
-		LocalAccountName: name,
-		Password:         password,
-		ChainID:          chainID,
-		AccountNumber:    accnum,
-		Sequence:         sequence,
+		Tx: msg,
+		BaseReq: utils.BaseReq{
+			Name:          name,
+			Password:      password,
+			ChainID:       chainID,
+			AccountNumber: accnum,
+			Sequence:      sequence,
+		},
 	}
 	json, err := cdc.MarshalJSON(payload)
 	require.Nil(t, err)

diff --git a/client/utils/rest.go b/client/utils/rest.go
@@ -189,7 +189,7 @@ func ReadRESTReq(w http.ResponseWriter, r *http.Request, cdc *codec.Codec, req i
 
 	err = cdc.UnmarshalJSON(body, req)
 	if err != nil {
-		WriteErrorResponse(w, http.StatusBadRequest, err.Error())
+		WriteErrorResponse(w, http.StatusBadRequest, "failed to decode JSON payload: "+err.Error())
 		return err
 	}
 

diff --git a/x/auth/client/rest/sign.go b/x/auth/client/rest/sign.go
@@ -1,26 +1,22 @@
 package rest
 
 import (
-	"io/ioutil"
 	"net/http"
 
 	"github.com/cosmos/cosmos-sdk/client/context"
 	"github.com/cosmos/cosmos-sdk/client/utils"
 	"github.com/cosmos/cosmos-sdk/codec"
 	"github.com/cosmos/cosmos-sdk/crypto/keys/keyerror"
+	sdk "github.com/cosmos/cosmos-sdk/types"
 	"github.com/cosmos/cosmos-sdk/x/auth"
 	authtxb "github.com/cosmos/cosmos-sdk/x/auth/client/txbuilder"
 )
 
 // SignBody defines the properties of a sign request's body.
 type SignBody struct {
-	Tx               auth.StdTx `json:"tx"`
-	LocalAccountName string     `json:"name"`
-	Password         string     `json:"password"`
-	ChainID          string     `json:"chain_id"`
-	AccountNumber    uint64     `json:"account_number"`
-	Sequence         uint64     `json:"sequence"`
-	AppendSig        bool       `json:"append_sig"`
+	Tx        auth.StdTx `json:"tx"`
+	AppendSig bool       `json:"append_sig"`
+	utils.BaseReq
 }
 
 // nolint: unparam
@@ -30,21 +26,27 @@ func SignTxRequestHandlerFn(cdc *codec.Codec, cliCtx context.CLIContext) http.Ha
 	return func(w http.ResponseWriter, r *http.Request) {
 		var m SignBody
 
-		body, err := ioutil.ReadAll(r.Body)
-		if err != nil {
+		if err := utils.ReadRESTReq(w, r, cdc, &m); err != nil {
 			utils.WriteErrorResponse(w, http.StatusBadRequest, err.Error())
 			return
 		}
-		err = cdc.UnmarshalJSON(body, &m)
-		if err != nil {
+
+		// validate request
+		if !m.ValidateBasic(w) {
+			return
+		}
+
+		// validate tx
+		// discard error if it's CodeUnauthorized as the tx comes with no signatures
+		if err := m.Tx.ValidateBasic(); err != nil && err.Code() != sdk.CodeUnauthorized {
 			utils.WriteErrorResponse(w, http.StatusBadRequest, err.Error())
 			return
 		}
 
 		txBldr := authtxb.NewTxBuilder(utils.GetTxEncoder(cdc), m.AccountNumber,
 			m.Sequence, m.Tx.Fee.Gas, 1.0, false, m.ChainID, m.Tx.GetMemo(), m.Tx.Fee.Amount)
 
-		signedTx, err := txBldr.SignStdTx(m.LocalAccountName, m.Password, m.Tx, m.AppendSig)
+		signedTx, err := txBldr.SignStdTx(m.Name, m.Password, m.Tx, m.AppendSig)
 		if keyerror.IsErrKeyNotFound(err) {
 			utils.WriteErrorResponse(w, http.StatusBadRequest, err.Error())
 			return