cosmos · crodriguezvega · Dec 14, 2023 · Nov 30, 2023 · Nov 30, 2023 · Nov 30, 2023
@@ -22,13 +22,16 @@ It takes:
 
 - an `AllowList` list that specifies the list of addresses that are allowed to receive funds. If this list is empty, then all addresses are allowed to receive funds from the `TransferAuthorization`.
 
+- an `AllowPacketData` list that specifies the list of memo packet data keys that are allowed to send the packet. If this list is empty, then only an empty memo is allowed (a `memo` field with non-empty content will be denied). If this list includes a single element equal to `"*"`, then any content in `memo` field will be allowed.
+
 Setting a `TransferAuthorization` is expected to fail if:
 
 - the spend limit is nil
 - the denomination of the spend limit is an invalid coin type
 - the source port ID is invalid
 - the source channel ID is invalid
 - there are duplicate entries in the `AllowList`
+- the `memo` field is not allowed by `AllowPacketData`
 
 Below is the `TransferAuthorization` message:
 
@@ -48,6 +51,9 @@ type Allocation struct {
   SpendLimit sdk.Coins  
   // allow list of receivers, an empty allow list permits any receiver address
   AllowList []string 
+  // allow list of packet data keys, an empty list.
+  // an empty list prohibits all packet data keys; a list only with "*" permits any packet data key
+  AllowPacketData []string 
 }
 
 ```
@@ -30,6 +30,9 @@ const (
 	// DenomPrefix is the prefix used for internal SDK coin representation.
 	DenomPrefix = "ibc"
 
+	// AllowAllPacketDataKeys holds the string key that allows all packet data keys in authz transfer messages
+	AllowAllPacketDataKeys = "*"
+
 	KeyTotalEscrowPrefix = "totalEscrowForDenom"
 
 	ParamsKey = "params"

@@ -2,9 +2,13 @@ package types
 
 import (
 	"context"
+	"encoding/json"
+	fmt "fmt"
 	"math/big"
+	"strings"
 
 	"github.com/cosmos/gogoproto/proto"
+	"golang.org/x/exp/maps"
 
 	errorsmod "cosmossdk.io/errors"
 	sdkmath "cosmossdk.io/math"
@@ -50,6 +54,15 @@ func (a TransferAuthorization) Accept(ctx context.Context, msg proto.Message) (a
 			return authz.AcceptResponse{}, errorsmod.Wrap(ibcerrors.ErrInvalidAddress, "not allowed receiver address for transfer")
 		}
 
+		isAllowedPacket, err := isAllowedPacketDataKeys(sdk.UnwrapSDKContext(ctx), msgTransfer.Memo, allocation.AllowPacketData)
+		if err != nil {
+			return authz.AcceptResponse{}, errorsmod.Wrapf(ErrInvalidMemo, "error: %v", err)
+		}
+
+		if !isAllowedPacket {
+			return authz.AcceptResponse{}, ErrInvalidMemo
+		}
+
 		// If the spend limit is set to the MaxUint256 sentinel value, do not subtract the amount from the spend limit.
 		if allocation.SpendLimit.AmountOf(msgTransfer.Token.Denom).Equal(UnboundedSpendLimit()) {
 			return authz.AcceptResponse{Accept: true, Delete: false, Updated: nil}, nil
@@ -145,6 +158,48 @@ func isAllowedAddress(ctx sdk.Context, receiver string, allowedAddrs []string) b
 	return false
 }
 
+// isAllowedPacketDataKeys returns a boolean indicating if the memo is valid for transfer. If it is not valid and non-nil error is also returned.
+func isAllowedPacketDataKeys(ctx sdk.Context, memo string, allowedPacketDataList []string) (bool, error) {
+	// if the allow list is empty, then the memo must be an empty string
+	if len(allowedPacketDataList) == 0 {
+		return len(strings.TrimSpace(memo)) == 0, nil
+	}
+
+	// if allowedPacketDataList has only 1 element and it equals AllowAllPacketDataKeys
+	// then accept all the packet data keys
+	if len(allowedPacketDataList) == 1 && allowedPacketDataList[0] == AllowAllPacketDataKeys {
+		return true, nil
+	}
+
+	// unmarshal memo
+	jsonObject := make(map[string]interface{})
+	err := json.Unmarshal([]byte(memo), &jsonObject)
+	if err != nil {
+		return false, err
+	}
+
+	if len(jsonObject) > len(allowedPacketDataList) {
+		return false, fmt.Errorf("packet type greater than packet allow list")
+	}
+
+	gasCostPerIteration := ctx.KVGasConfig().IterNextCostFlat
+
+	for _, key := range allowedPacketDataList {
+		ctx.GasMeter().ConsumeGas(gasCostPerIteration, "transfer authorization")
+
+		_, ok := jsonObject[key]
+		if ok {
+			delete(jsonObject, key)
+		}
+	}
+
+	if len(jsonObject) != 0 {
+		return false, fmt.Errorf("not allowed packet data keys: %v", maps.Keys(jsonObject))
+	}
+
+	return true, nil
+}
+
 // UnboundedSpendLimit returns the sentinel value that can be used
 // as the amount for a denomination's spend limit for which spend limit updating
 // should be disabled. Please note that using this sentinel value means that a grantee

@@ -11,6 +11,8 @@ import (
 	"github.com/cosmos/ibc-go/v8/testing/mock"
 )
 
+const testMemo = `{"wasm":{"contract":"osmo1c3ljch9dfw5kf52nfwpxd2zmj2ese7agnx0p9tenkrryasrle5sqf3ftpg","msg":{"osmosis_swap":{"output_denom":"uosmo","slippage":{"twap":{"slippage_percentage":"20","window_seconds":10}},"receiver":"feeabs/feeabs1efd63aw40lxf3n4mhf7dzhjkr453axurwrhrrw","on_failed_delivery":"do_nothing"}}}}`
+
 func (suite *TypesTestSuite) TestTransferAuthorizationAccept() {
 	var (
 		msgTransfer   types.MsgTransfer
@@ -101,6 +103,72 @@ func (suite *TypesTestSuite) TestTransferAuthorizationAccept() {
 				suite.Require().Nil(res.Updated)
 			},
 		},
+		{
+			"success: empty allowPacketData and empty memo",
+			func() {
+				allowedList := []string{}
+				transferAuthz.Allocations[0].AllowPacketData = allowedList
+			},
+			func(res authz.AcceptResponse, err error) {
+				suite.Require().NoError(err)
+
+				suite.Require().True(res.Accept)
+				suite.Require().True(res.Delete)
+				suite.Require().Nil(res.Updated)
+			},
+		},
+		{
+			"success: allowPacketData allows any packet",
+			func() {
+				allowedList := []string{"*"}
+				transferAuthz.Allocations[0].AllowPacketData = allowedList
+				msgTransfer.Memo = testMemo
+			},
+			func(res authz.AcceptResponse, err error) {
+				suite.Require().NoError(err)
+
+				suite.Require().True(res.Accept)
+				suite.Require().True(res.Delete)
+				suite.Require().Nil(res.Updated)
+			},
+		},
+		{
+			"success: transfer memo allowed",
+			func() {
+				allowedList := []string{"wasm", "forward"}
+				transferAuthz.Allocations[0].AllowPacketData = allowedList
+				msgTransfer.Memo = testMemo
+			},
+			func(res authz.AcceptResponse, err error) {
+				suite.Require().NoError(err)
+
+				suite.Require().True(res.Accept)
+				suite.Require().True(res.Delete)
+				suite.Require().Nil(res.Updated)
+			},
+		},
+		{
+			"empty allowPacketData but not empty memo",
+			func() {
+				allowedList := []string{}
+				transferAuthz.Allocations[0].AllowPacketData = allowedList
+				msgTransfer.Memo = testMemo
+			},
+			func(res authz.AcceptResponse, err error) {
+				suite.Require().Error(err)
+			},
+		},
+		{
+			"memo not allowed",
+			func() {
+				allowedList := []string{"forward"}
+				transferAuthz.Allocations[0].AllowPacketData = allowedList
+				msgTransfer.Memo = testMemo
+			},
+			func(res authz.AcceptResponse, err error) {
+				suite.Require().Error(err)
+			},
+		},
 		{
 			"test multiple coins does not overspend",
 			func() {

@@ -19,6 +19,9 @@ message Allocation {
       [(gogoproto.nullable) = false, (gogoproto.castrepeated) = "github.com/cosmos/cosmos-sdk/types.Coins"];
   // allow list of receivers, an empty allow list permits any receiver address
   repeated string allow_list = 4;
+  // allow list of packet data keys, an empty list.
+  // an empty list prohibits all packet data keys; a list only with "*" permits any packet data key
+  repeated string allow_packet_data = 5;
 }
 
 // TransferAuthorization allows the grantee to spend up to spend_limit coins from