ibc-apps
fix(ibc-hooks): safely construct JSON message using Go struct and json.Marshal
This pull request addresses a potential security and reliability issue (issue #277) related to manual JSON string construction with interpolated, user-controlled values. Previously, the OnAcknowledgementPacketOverride method built the sudoMsg JSON payload using fmt.Sprintf, directly interpolating the ackAsJson value into a JSON string. This approach risks incorrect JSON formatting and potential injection vulnerabilities.
Changes
- Replaced manual JSON string construction with a structured approach.
- Introduced a Go struct representing the message payload.
- Used `json.Marshal` to safely encode the struct into JSON, ensuring proper escaping and quoting of all fields.
This change improves code safety, maintainability, and ensures compliance with Go’s best practices for JSON handling.
Affected Area
- https://github.com/cosmos/ibc-apps/blob/5596e0a0358565b87fa6399125bbfc8dbdf97553/modules/ibc-hooks/wasm_hook.go#L307-L309, specifically the `OnAcknowledgementPacketOverride` method.
/cc @gjermundgaraba. I kindly request that you urgently consider merging this pull request at your earliest convenience.
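The two constructions side by side, as an added example that is not code from this PR or from the ibc-hooks module: the payload shape, field names and function names are assumptions modelled on the pattern the description gives. It shows why the template cannot notice a stray quote or a truncated acknowledgement, while `json.Marshal` escapes the string and rejects the malformed `json.RawMessage`.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// The field names and payload shape below are assumptions for this example; they are
// not copied from the ibc-hooks module, only modelled on the pattern the PR describes.

// buildSudoMsgSprintf reproduces the pattern the PR replaces: the channel id and the
// already-encoded acknowledgement are interpolated into a JSON template. Nothing
// checks that the result is a single well-formed document.
func buildSudoMsgSprintf(channel string, sequence uint64, ackAsJSON []byte) []byte {
	return []byte(fmt.Sprintf(
		`{"ibc_lifecycle_complete":{"ibc_ack":{"channel":"%s","sequence":%d,"ack":%s}}}`,
		channel, sequence, ackAsJSON))
}

// Typed payload: encoding/json quotes and escapes each string field, and a
// json.RawMessage field is validated (and compacted) before it is embedded.
type ibcAck struct {
	Channel  string          `json:"channel"`
	Sequence uint64          `json:"sequence"`
	Ack      json.RawMessage `json:"ack"`
}

type sudoMsg struct {
	IBCLifecycleComplete struct {
		IBCAck ibcAck `json:"ibc_ack"`
	} `json:"ibc_lifecycle_complete"`
}

// buildSudoMsgMarshal is the structured construction the PR introduces.
func buildSudoMsgMarshal(channel string, sequence uint64, ackAsJSON []byte) ([]byte, error) {
	var msg sudoMsg
	msg.IBCLifecycleComplete.IBCAck = ibcAck{Channel: channel, Sequence: sequence, Ack: ackAsJSON}
	return json.Marshal(msg)
}

func main() {
	// Constructed inputs: a channel id carrying a stray quote, and an acknowledgement
	// whose encoded bytes are truncated. The template detects neither.
	channel := `channel-0"`
	truncatedAck := []byte(`{"error":"timeout`)
	fromSprintf := buildSudoMsgSprintf(channel, 7, truncatedAck)
	fmt.Printf("sprintf: valid=%v %s\n", json.Valid(fromSprintf), fromSprintf)
	if _, err := buildSudoMsgMarshal(channel, 7, truncatedAck); err != nil {
		fmt.Println("marshal: rejected malformed ack:", err)
	}
	fromMarshal, _ := buildSudoMsgMarshal(channel, 7, []byte(`{"result":"AQ=="}`))
	fmt.Printf("marshal: valid=%v %s\n", json.Valid(fromMarshal), fromMarshal)
}
```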