From 64409bf990a93979d8a9fee5de3f5ef7c83474f7 Mon Sep 17 00:00:00 2001
From: bruce-wayne2 <97930236+bruce-wayne2@users.noreply.github.com>
Date: Wed, 8 Jun 2022 23:32:03 +0800
Subject: [PATCH] fix: Fix MsgExec not verifying the validity of nested messages (#12184)
---
 CHANGELOG.md | 1 +
 x/authz/client/cli/tx.go | 4 ++--
 x/authz/msgs.go | 10 ++++++++++
 x/authz/msgs_test.go | 7 +++++++
 4 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 67e790c454..85311b9bb3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -61,6 +61,7 @@ Ref: https://keepachangelog.com/en/1.0.0/
 * (x/auth) [#12108](https://github.com/cosmos/cosmos-sdk/pull/12108) Fix GetBlockWithTxs error when querying block with 0 tx
 * (genutil) [#12140](https://github.com/cosmos/cosmos-sdk/pull/12140) Fix staking's genesis JSON migrate in the `simd migrate v0.46` CLI command.
 * (types) [#12154](https://github.com/cosmos/cosmos-sdk/pull/12154) Add `baseAccountGetter` to avoid invalid account error when create vesting account.
+* (x/authz) [#12184](https://github.com/cosmos/cosmos-sdk/pull/12184) Fix MsgExec not verifying the validity of nested messages.
 ## [v0.46.0-rc1](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.46.0-rc1) - 2022-05-23
diff --git a/x/authz/client/cli/tx.go b/x/authz/client/cli/tx.go
index d03e3d228b..8ebf8550d7 100644
--- a/x/authz/client/cli/tx.go
+++ b/x/authz/client/cli/tx.go
@@ -60,9 +60,9 @@ func NewCmdGrantAuthorization() *cobra.Command {
 fmt.Sprintf(`create a new grant authorization to an address to execute a transaction on your behalf:
 Examples:
- $ %s tx %s grant cosmos1skjw.. send %s --spend-limit=1000stake --from=cosmos1skl..
+ $ %s tx %s grant cosmos1skjw.. send --spend-limit=1000stake --from=cosmos1skl..
 $ %s tx %s grant cosmos1skjw.. generic --msg-type=/cosmos.gov.v1.MsgVote --from=cosmos1sk..
- `, version.AppName, authz.ModuleName, bank.SendAuthorization{}.MsgTypeURL(), version.AppName, authz.ModuleName),
+ `, version.AppName, authz.ModuleName, version.AppName, authz.ModuleName),
 ),
 Args: cobra.ExactArgs(2),
 RunE: func(cmd *cobra.Command, args []string) error {
diff --git a/x/authz/msgs.go b/x/authz/msgs.go
index 8fbe17623f..dd8257e167 100644
--- a/x/authz/msgs.go
+++ b/x/authz/msgs.go
@@ -219,6 +219,16 @@ func (msg MsgExec) ValidateBasic() error {
 return sdkerrors.ErrInvalidRequest.Wrapf("messages cannot be empty")
 }
+ msgs, err := msg.GetMessages()
+ if err != nil {
+ return err
+ }
+ for _, msg := range msgs {
+ if err = msg.ValidateBasic(); err != nil {
+ return err
+ }
+ }
+
 return nil
 }
diff --git a/x/authz/msgs_test.go b/x/authz/msgs_test.go
index 0318225df2..f1b357a2b9 100644
--- a/x/authz/msgs_test.go
+++ b/x/authz/msgs_test.go
@@ -30,6 +30,13 @@ func TestMsgExecAuthorized(t *testing.T) {
 }{
 {"nil grantee address", nil, []sdk.Msg{}, false},
 {"zero-messages test: should fail", grantee, []sdk.Msg{}, false},
+ {"invalid nested msg", grantee, []sdk.Msg{
+ &banktypes.MsgSend{
+ Amount: sdk.NewCoins(sdk.NewInt64Coin("steak", 2)),
+ FromAddress: "invalid_from_address",
+ ToAddress: grantee.String(),
+ },
+ }, false},
 {"valid test: msg type", grantee, []sdk.Msg{
 &banktypes.MsgSend{
 Amount: sdk.NewCoins(sdk.NewInt64Coin("steak", 2)),
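Review bot: In the loop added to MsgExec.ValidateBasic, `for _, msg := range msgs` shadows the method receiver `msg`, and the nested message's error is returned bare, so a rejected transaction does not say which nested message failed. Renaming the loop variable and wrapping the error fixes both while keeping the underlying error for callers: `for i, m := range msgs {` with `return sdkerrors.Wrapf(err, "nested message %d", i)`. Because a nested message can itself be a MsgExec, this check recurses as deep as the transaction nests. Whether a nesting limit is enforced elsewhere is not visible in this hunk and is worth confirming. The function body starts above the hunk, so only the added lines are reviewed here.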
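Review bot: The added `invalid nested msg` case appears to record only that validation fails (the trailing `false`), so it would still pass if the message were rejected for some unrelated reason. The assertion code is outside this hunk, but if the table can carry an expected error, comparing against the nested MsgSend's address error would pin the behaviour this commit introduces. A further case that places an invalid message inside a nested MsgExec would exercise the recursive path opened by the new validation loop.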