Vault-4010 Unauthenticated panic when processing "help" requests (#14704

) * fix help panic * add changelog entry
hashicorp · Mar 24, 2022 · 82b94bc · 82b94bc
1 parent 1685ae2
commit 82b94bc
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 1 deletion.
diff --git a/changelog/14704.txt b/changelog/14704.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: Fix panic for help request URL paths without /v1/ prefix   
+```
diff --git a/http/help.go b/http/help.go
@@ -1,7 +1,9 @@
 package http
 
 import (
+	"errors"
 	"net/http"
+	"strings"
 
 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/sdk/logical"
@@ -31,6 +33,10 @@ func handleHelp(core *vault.Core, w http.ResponseWriter, r *http.Request) {
 		respondError(w, http.StatusBadRequest, nil)
 		return
 	}
+	if !strings.HasPrefix(r.URL.Path, "/v1/") {
+		respondError(w, http.StatusNotFound, errors.New("Missing /v1/ prefix in path. Use vault path-help command to retrieve API help for paths"))
+		return
+	}
 	path := ns.TrimmedPath(r.URL.Path[len("/v1/"):])
 
 	req := &logical.Request{

diff --git a/http/help_test.go b/http/help_test.go
@@ -13,7 +13,11 @@ func TestHelp(t *testing.T) {
 	defer ln.Close()
 	TestServerAuth(t, addr, token)
 
-	resp := testHttpGet(t, "", addr+"/v1/sys/mounts?help=1")
+	// request without /v1/ prefix
+	resp := testHttpGet(t, token, addr+"/?help=1")
+	testResponseStatus(t, resp, 404)
+
+	resp = testHttpGet(t, "", addr+"/v1/sys/mounts?help=1")
 	if resp.StatusCode != http.StatusForbidden {
 		t.Fatal("expected permission denied with no token")
 	}