fix: avoid broadcasting tx through query (backport cosmos#15044) (cosmos#15047)

Co-authored-by: Facundo Medica <[email protected]>
Co-authored-by: Julien Robert <[email protected]>

Author: 3 people

CHANGELOG.md

@@ -38,6 +38,8 @@ Ref: https://keepachangelog.com/en/1.0.0/
 
 ## [Unreleased]
 
+## [v0.46.10](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.46.10) - 2022-02-16
+
 ### Improvements
 
 * (cli) [#14953](https://github.com/cosmos/cosmos-sdk/pull/14953) Enable profiling block replay during abci handshake with `--cpu-profile`.

RELEASE_NOTES.md

@@ -1,8 +1,7 @@
-# Cosmos SDK v0.46.9 Release Notes
+# Cosmos SDK v0.46.10 Release Notes
 
-This release introduces bug fixes and improvements. Notably an extra config in the `app.toml`, `iavl-lazy-loading`, to enable lazy loading of IAVL store.
-Changes to be made in the `app.toml` can be found in the [CHANGELOG](https://github.com/cosmos/cosmos-sdk/blob/release/v0.46.x/CHANGELOG.md).
+This release improves CPU profiling when using the `--cpu-profile` flag, and fixes a possible way to DoS a node.
 
 Please see the [CHANGELOG](https://github.com/cosmos/cosmos-sdk/blob/release/v0.46.x/CHANGELOG.md) for an exhaustive list of changes.
 
-Full Commit History: https://github.com/cosmos/cosmos-sdk/compare/v0.46.8...v0.46.9
+Full Commit History: https://github.com/cosmos/cosmos-sdk/compare/v0.46.9...v0.46.10

baseapp/abci.go

@@ -503,6 +503,10 @@ func (app *BaseApp) Query(_ context.Context, req *abci.QueryRequest) (resp *abci
 	telemetry.IncrCounter(1, "query", req.Path)
 	defer telemetry.MeasureSince(time.Now(), req.Path)
 
+	if req.Path == "/cosmos.tx.v1beta1.Service/BroadcastTx" {
+		return sdkerrors.QueryResult(sdkerrors.Wrap(sdkerrors.ErrInvalidRequest, "can't route a broadcast tx message"), app.trace)
+	}
+
 	// handle gRPC routes first rather than calling splitPath because '/' characters
 	// are used as part of gRPC paths
 	if grpcHandler := app.grpcQueryRouter.Route(req.Path); grpcHandler != nil {