fix: avoid broadcasting tx through query (backport #15044) (#15048)

Co-authored-by: Facundo Medica <14063057+facundomedica@users.noreply.github.com>
Co-authored-by: Julien Robert <julien@rbrt.fr>

CHANGELOG.md

@@ -37,11 +37,13 @@ Ref: https://keepachangelog.com/en/1.0.0/
 
 ## [Unreleased]
 
+## [v0.45.14](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.45.14) - 2023-02-16
+
 ### Features
 
 * [#14583](https://github.com/cosmos/cosmos-sdk/pull/14583) Add support for Core API.
 
-## v0.45.13 - 2023-02-09
+## [v0.45.13](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.45.13) - 2023-02-09
 
 ### Improvements
 
@@ -51,7 +53,7 @@ Ref: https://keepachangelog.com/en/1.0.0/
 
 * (store) [#14798](https://github.com/cosmos/cosmos-sdk/pull/14798) Copy btree to avoid the problem of modify while iteration.
 
-## v0.45.12 - 2023-01-23
+## [v0.45.12](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.45.12) - 2023-01-23
 
 ### Improvements
 
@@ -74,7 +76,7 @@ Ref: https://keepachangelog.com/en/1.0.0/
 * (store) [#13516](https://github.com/cosmos/cosmos-sdk/pull/13516) Fix state listener that was observing writes at wrong time.
 * (store) [#12945](https://github.com/cosmos/cosmos-sdk/pull/12945) Fix nil end semantics in store/cachekv/iterator when iterating a dirty cache.
 
-## v0.45.11 - 2022-11-09
+## [v0.45.11](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.45.11) - 2022-11-09
 
 ### Improvements
 
@@ -94,7 +96,7 @@ Ref: https://keepachangelog.com/en/1.0.0/
 
 * [#13673](https://github.com/cosmos/cosmos-sdk/pull/13673) The `GetFromFields` function now takes `Context` as an argument and removes `genOnly`.
 
-## v0.45.10 - 2022-10-24
+## [v0.45.10](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.45.10) - 2022-10-24
 
 ### Features
 
@@ -112,7 +114,7 @@ Ref: https://keepachangelog.com/en/1.0.0/
 * [#13564](https://github.com/cosmos/cosmos-sdk/pull/13564) - Fix `make proto-gen`.
 * (server) [#13610](https://github.com/cosmos/cosmos-sdk/pull/13610) Read the pruning-keep-every field again.
 
-## v0.45.9 - 2022-10-14
+## [v0.45.9](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.45.9) - 2022-10-14
 
 ATTENTION:
 
@@ -152,7 +154,7 @@ replace github.com/confio/ics23/go => github.com/cosmos/cosmos-sdk/ics23/go v0.8
 
 Reverted #12437 due to API breaking changes.
 
-## v0.45.8 - 2022-08-25
+## [v0.45.8](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.45.8) - 2022-08-25
 
 ### Improvements
 
@@ -167,7 +169,7 @@ Reverted #12437 due to API breaking changes.
 
 * [#13046](https://github.com/cosmos/cosmos-sdk/pull/13046) Fix missing return statement in BaseApp.Query.
 
-## v0.45.7 - 2022-08-04
+## [v0.45.7](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.45.7) - 2022-08-04
 
 ### Features
 

RELEASE_NOTES.md

@@ -1,6 +1,6 @@
-# Cosmos SDK v0.45.13 Release Notes
+# Cosmos SDK v0.45.14 Release Notes
 
-This release introduces one bug fix, namely [#14798](https://github.com/cosmos/cosmos-sdk/pull/14798) and a bump to Tendermint v0.34.26, as per its [security advisory](https://github.com/informalsystems/tendermint/security/advisories/GHSA-cpqw-5g6w-h8rr).
+This release fixes a possible way to DoS a node.
 
 **NOTE**: Add or update the following replace in the `go.mod` of your application:
 
@@ -11,13 +11,4 @@ replace github.com/tendermint/tendermint => github.com/informalsystems/tendermin
 
 Please see the [CHANGELOG](https://github.com/cosmos/cosmos-sdk/blob/release/v0.45.x/CHANGELOG.md) for an exhaustive list of changes.
 
-**Full Commit History**: https://github.com/cosmos/cosmos-sdk/compare/v0.45.12...v0.45.13
-
-**NOTE:** The changes mentioned in `v0.45.9` are **no longer required**. The following replace directive can be removed from the chains.
-
-```go
-# Can be deleted from go.mod
-replace github.com/confio/ics23/go => github.com/cosmos/cosmos-sdk/ics23/go v0.8.0
-```
-
-Instead, `github.com/confio/ics23/go` must be **bumped to `v0.9.0`**.
+**Full Commit History**: https://github.com/cosmos/cosmos-sdk/compare/v0.45.13...v0.45.14

baseapp/abci.go

@@ -435,6 +435,10 @@ func (app *BaseApp) Query(req abci.RequestQuery) (res abci.ResponseQuery) {
 		req.Height = app.LastBlockHeight()
 	}
 
+	if req.Path == "/cosmos.tx.v1beta1.Service/BroadcastTx" {
+		return sdkerrors.QueryResultWithDebug(sdkerrors.Wrapf(sdkerrors.ErrInvalidRequest, "can't route a broadcast tx message"), app.trace)
+	}
+
 	// handle gRPC routes first rather than calling splitPath because '/' characters
 	// are used as part of gRPC paths
 	if grpcHandler := app.grpcQueryRouter.Route(req.Path); grpcHandler != nil {