POST on /sys/leases/lookup endpoint with specific payload causes internal server error
#11314
Assignees
Comments
sgmiller
added
auth/approle
bug
|
Closing as report was likely specific to the RC version when this was reported. Retesting in 1.10.5 all looks fine - eg: curl -v -X POST -d '{"lease_id":"昦𢮕.뵸訁𱃸ᇪ𲅶ꟾ🄖曱醙𡒴𗅊Ṯ𬥌匳𧎏𭌡㳪𱀖𩲝𱲑𤧒㓼𡦙硢𱓕𢑀찓⫣𑦠𱊂ࣼ𘁍𨃸ᮞ𧫒𥎫𰙖𰫛ቄ𨳡𡑜𨕉𪍃𰵅𗎡췿𪋬៶𤤎欴厓𨿬详𠖜𨇑攍𮍁𤖫⑰톉𖼮𗭄䵍𢉉﨣睜ཽ𠴿𬮨𬢊𤻗巳𤀙𬰛𫵌𗢌"}' -H 'X-Vault-Token: ${VAULT_TOKEN}' ${VAULT_ADDR}/v1/sys/leases/lookup
# < HTTP/2 403
# # // ...
# {"errors":["permission denied"]}Thanks @matusf |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Making a POST request on
/sys/leases/lookupwith specific payload causes internal server errorTo Reproduce
Hi, I was fuzzing vault and found this bug. To reproduce it, just run
vault server -devand make a request. The request is described in enclosed zip (single JSON file inside). The JSON has also thecurlformated of the request, however, the request contains some wild unicode characters that your terminal may not like (at least mine does not 😄). Therefore is better to use theresenderutility that I made (along with the fuzzer). You may find it in my repo (github.com/matusf/openapi-fuzzer), with all installation instructions. Basically just runopenapi-fuzzer-resender file.jsonto make the request.sys-leases-lookup.zip
In the request is vault token supplied in the headers, however, it's not needed to reproduce this crash.
See error from request:
{"errors":["no namespace"]}In logs:
This issue might be related to #11306, #11308 and #11313 as there is the same response & log message.
Expected behavior
Response with non 500 status code.
Environment:
vault status):vault version):Vault v1.7.0-rc1 (9af08a1c5f0f855984a1fa56d236675d167f578e)The text was updated successfully, but these errors were encountered: