From aa62d18d88cf276f2b4c47101e5fe12cb6e5ef47 Mon Sep 17 00:00:00 2001
From: Sean
Date: Mon, 25 Jul 2022 20:57:38 +0200
Subject: [PATCH] fix(attach_ix): OS-SQD-SUG-01 - verify internal attached ix has proper program_id
---
 programs/squads-mpl/src/lib.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/programs/squads-mpl/src/lib.rs b/programs/squads-mpl/src/lib.rs
index 357520b..ecea3bc 100644
--- a/programs/squads-mpl/src/lib.rs
+++ b/programs/squads-mpl/src/lib.rs
@@ -171,7 +171,6 @@ pub mod squads_mpl {
 
 // create a transaction, and delegate an authority to sign for it later
 pub fn create_transaction(ctx: Context, authority_index: u32) -> Result<()> {
- msg!("TX PDA: {:?}", ctx.accounts.transaction.key());
 let ms = &mut ctx.accounts.multisig;
 let authority_bump = match authority_index {
 1.. => {
@@ -209,6 +208,10 @@ pub mod squads_mpl {
 // attach an instruction to the transaction
 pub fn add_instruction(ctx: Context, incoming_instruction: IncomingInstruction) -> Result<()> {
 let tx = &mut ctx.accounts.transaction;
+ // make sure internal transactions have a matching program id for attached instructions
+ if tx.authority_index == 0 && &incoming_instruction.program_id != ctx.program_id {
+ return err!(MsError::InvalidAuthorityIndex);
+ }
 tx.instruction_index = tx.instruction_index.checked_add(1).unwrap();
 ctx.accounts.instruction.init(
 tx.instruction_index,
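Review bot: The new guard in `add_instruction` returns `MsError::InvalidAuthorityIndex` for what is actually a program-id mismatch, so in client errors and logs a rejected attach looks the same as a bad authority index. A dedicated error variant for this case would make the rejection auditable; the `MsError` enum is outside the hunk, so the variant would have to be added there. The guard also runs only when the instruction is attached. The execution path is not visible here, so it is worth confirming that it repeats the `authority_index == 0` / `program_id` comparison instead of trusting the stored instruction. The comment could also state the invariant, e.g. `// authority_index 0 marks an internal transaction; its instructions may only target this program (ctx.program_id)`. The body of `add_instruction` continues past the end of the hunk.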