Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix kv builder out of bounds panic on single backslash #35

Merged
merged 1 commit into from Mar 16, 2022
Merged

fix kv builder out of bounds panic on single backslash #35

merged 1 commit into from Mar 16, 2022

Conversation

ccapurso
Copy link
Contributor

The KV Builder panics when attempting to process a single backslash. The KV Builder add method currently assumes that the provided string has at least two characters when attempting to check for an escaped @ (i.e. \@). The proposed fix is to guard with a length check.

In additional to the added unit test, this change was functionally tested with the Vault kv secret engine CLI.

Before change:

❯ vault kv put secret/foo 'bar=\'
panic: runtime error: index out of range [1] with length 1

goroutine 1 [running]:
github.com/hashicorp/go-secure-stdlib/kv-builder.(*Builder).add(0xc0008cb440, {0x7ffeefbff898, 0x11880ee8})
        /Users/ccapurso/go/pkg/mod/github.com/hashicorp/go-secure-stdlib/kv-builder@v0.1.1/builder.go:94 +0x832
github.com/hashicorp/go-secure-stdlib/kv-builder.(*Builder).Add(0x7ffeefbff88d, {0xc0001a6040, 0x1, 0x484dde5})
        /Users/ccapurso/go/pkg/mod/github.com/hashicorp/go-secure-stdlib/kv-builder@v0.1.1/builder.go:32 +0x89
github.com/hashicorp/vault/command.parseArgsData({0x6449e40, 0xc000194000}, {0xc0001a6040, 0x1, 0x1})
        /Users/ccapurso/git/vault/command/base_helpers.go:134 +0xaa
github.com/hashicorp/vault/command.(*KVPutCommand).Run(0xc0008cab20, {0xc0001a6030, 0x2, 0x2})
        /Users/ccapurso/git/vault/command/kv_put.go:120 +0x171
github.com/mitchellh/cli.(*CLI).Run(0xc000145cc0)
        /Users/ccapurso/go/pkg/mod/github.com/mitchellh/cli@v1.1.2/cli.go:262 +0x5f8
github.com/hashicorp/vault/command.RunCustom({0xc0001a6010, 0x4, 0x4}, 0xc0000001a0)
        /Users/ccapurso/git/vault/command/main.go:180 +0x9f7
github.com/hashicorp/vault/command.Run(...)
        /Users/ccapurso/git/vault/command/main.go:88
main.main()
        /Users/ccapurso/git/vault/main.go:10 +0x52

After change:

❯ vault kv put secret/foo 'bar=\'
= Secret Path =
secret/data/foo

======= Metadata =======
Key                Value
---                -----
created_time       2022-03-15T14:38:07.024316Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

❯ vault kv get secret/foo
= Secret Path =
secret/data/foo

======= Metadata =======
Key                Value
---                -----
created_time       2022-03-15T14:38:07.024316Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

=== Data ===
Key    Value
---    -----
bar    \

@briankassouf briankassouf merged commit 895daab into main Mar 16, 2022
@briankassouf briankassouf deleted the fix-kv-builder-out-of-bounds branch March 16, 2022 03:30
@ccapurso ccapurso mentioned this pull request Mar 16, 2022
Merged
This was referenced Mar 28, 2022
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@briankassouf briankassouf briankassouf approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@ccapurso @briankassouf