Panic when token is null for /v1/auth/token/lookup, /v1/auth/token/renew, /v1/auth/token/revoke, /v1/auth/token/revoke-orphan #13225

@ludovicianul

Description

Describe the bug
Making a POST at any of the 4 URLs with token = null results in no HTTP response and the following stacktrace:

 invalid syntax"
2021-11-19T14:25:57.498+0200 [INFO]  http: panic serving 127.0.0.1:52114: interface conversion: interface {} is nil, not string
goroutine 227193 [running]:
net/http.(*conn).serve.func1()
        /Users/runner/hostedtoolcache/go/1.17.2/x64/src/net/http/server.go:1801 +0xb9
panic({0x50a5d80, 0xc002395590})
        /Users/runner/hostedtoolcache/go/1.17.2/x64/src/runtime/panic.go:1047 +0x266
github.com/hashicorp/vault/vault.(*Core).handleCancelableRequest(0xc00084cc00, {0x6a43270, 0xc002395110}, 0xc0006ae180)
        /Users/runner/work/vault/vault/vault/request_handling.go:546 +0x1d94
github.com/hashicorp/vault/vault.(*Core).switchedLockHandleRequest(0xc00084cc00, {0x6a43270, 0xc002394e70}, 0xc0006ae180, 0x0)
        /Users/runner/work/vault/vault/vault/request_handling.go:442 +0x4a5
github.com/hashicorp/vault/vault.(*Core).HandleRequest(...)
        /Users/runner/work/vault/vault/vault/request_handling.go:408
github.com/hashicorp/vault/http.request(0x54f6a00, {0x69f4e70, 0xc0014a4b80}, 0xc00134a500, 0xc0006ae180)
        /Users/runner/work/vault/vault/http/handler.go:953 +0x86
github.com/hashicorp/vault/http.handleLogicalInternal.func1({0x69f4e70, 0xc0014a4b80}, 0xc00134a500)
        /Users/runner/work/vault/vault/http/logical.go:341 +0xb6
net/http.HandlerFunc.ServeHTTP(0xc001a5bd15, {0x69f4e70, 0xc0014a4b80}, 0xc001172000)
        /Users/runner/hostedtoolcache/go/1.17.2/x64/src/net/http/server.go:2046 +0x2f
github.com/hashicorp/vault/http.handleRequestForwarding.func1({0x69f4e70, 0xc0014a4b80}, 0xc00134a500)
        /Users/runner/work/vault/vault/http/handler.go:878 +0x39d

To Reproduce
Steps to reproduce the behavior:

  1. Run curl -X POST -H 'Content-Type: application/json' -H "X-Vault-Token: $token" -d '{"token": null}' http://localhost:8200/v1/auth/token/lookup

Same steps to reproduce for all paths.

This was discovered while running a fuzzing tool I wrote for OpenAPI specs: https://github.com/Endava/cats. You can replay all the tests using:
./cats.jar replay --testCases="Test386.json,Test1618.json,Test3540.json,Test4288.json"

TestCases.zip

Expected behavior
A proper HTTP response: 400 with some error details.

Environment:

  • Vault Server Version (retrieve with vault status): 1.9.0
  • Vault CLI Version (retrieve with vault version): Vault v1.9.0
  • Server Operating System/Architecture: macOS Monterey 12.0.1
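The panic text in the report ("interface conversion: interface {} is nil, not string") is the signature of a bare Go type assertion on a request field that arrived as JSON `null`. The following is an added example, not Vault's own code: it decodes the same `{"token": null}` body the reporter sent, shows that an unchecked assertion panics, and shows the comma-ok form that turns a null or non-string `token` into an error a handler can map to HTTP 400. The `logicalRequest` type, `parseBody`, `safeTokenFromRequest`, `statusFor` and the two error values are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// logicalRequest is a hypothetical stand-in for a parsed request body: a map
// whose values are interface{}, as encoding/json produces for untyped JSON.
type logicalRequest struct {
	Data map[string]interface{}
}

// parseBody decodes a JSON object body. A JSON null value decodes to a nil
// interface{} with the key still present in the map.
func parseBody(body string) (*logicalRequest, error) {
	var data map[string]interface{}
	if err := json.Unmarshal([]byte(body), &data); err != nil {
		return nil, err
	}
	return &logicalRequest{Data: data}, nil
}

// unsafeTokenFromRequest reproduces the failure mode from the report: a bare
// type assertion on a nil interface value panics with
// "interface conversion: interface {} is nil, not string".
func unsafeTokenFromRequest(req *logicalRequest) string {
	return req.Data["token"].(string)
}

// Hypothetical validation errors; a handler maps them to a 400 response.
var (
	errMissingToken = errors.New("missing token")
	errWrongType    = errors.New("token must be a string")
)

// safeTokenFromRequest uses the comma-ok assertion so that a missing, null,
// empty or non-string "token" yields an error instead of a panic.
func safeTokenFromRequest(req *logicalRequest) (string, error) {
	raw, present := req.Data["token"]
	if !present || raw == nil {
		return "", errMissingToken
	}
	token, ok := raw.(string)
	if !ok {
		return "", errWrongType
	}
	if token == "" {
		return "", errMissingToken
	}
	return token, nil
}

// statusFor maps a validation result to the HTTP status the handler returns:
// 200 when the token was usable, 400 for any client-side input problem.
func statusFor(err error) int {
	if err == nil {
		return 200
	}
	return 400
}

// panics reports whether f panics, so the unsafe path can be demonstrated
// without crashing the process (net/http does the same recover per request).
func panics(f func()) (didPanic bool) {
	defer func() {
		if r := recover(); r != nil {
			didPanic = true
		}
	}()
	f()
	return false
}

func main() {
	// Constructed body equivalent to the curl in the report: {"token": null}.
	req, err := parseBody(`{"token": null}`)
	if err != nil {
		panic(err)
	}
	fmt.Println("unsafe assertion panics:", panics(func() { unsafeTokenFromRequest(req) }))
	_, err = safeTokenFromRequest(req)
	fmt.Println("checked assertion -> status", statusFor(err), "error:", err)
}
```

The defensive point is that every field read out of a `map[string]interface{}` is attacker-controlled in both value and type; the comma-ok form (or a typed struct with validation) is what keeps a malformed body from turning into a recovered panic and an empty response.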

Metadata

Labels: bug (used to indicate a potential bug), core/token

Development: No branches or pull requests