From a2f79c3753412de87cd9f0603c747c6c4552cfb1 Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Thu, 24 Mar 2022 19:44:47 -0400
Subject: [PATCH] Backport of Vault-4010 Unauthenticated panic when processing "help" requests into release/1.10.x (#14711)

* backport of commit ee6a5a4d665c9c8bb0de11e4163c04c1ed286ec4

* backport of commit 64b308c6e5f01737941b996d261d203dc9326a2c

Co-authored-by: akshya96
Co-authored-by: akshya96 <87045294+akshya96@users.noreply.github.com>
---
 changelog/14704.txt | 3 +++
 http/help.go | 6 ++++++
 http/help_test.go | 6 +++++-
 3 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 changelog/14704.txt

diff --git a/changelog/14704.txt b/changelog/14704.txt
new file mode 100644
index 0000000000000..e5663e1c9d8d6
--- /dev/null
+++ b/changelog/14704.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: Fix panic for help request URL paths without /v1/ prefix
+```
\ No newline at end of file
diff --git a/http/help.go b/http/help.go
index 45099bd7b67f5..7ec6fb6131aae 100644
--- a/http/help.go
+++ b/http/help.go
@@ -1,7 +1,9 @@
 package http
 
 import (
+	"errors"
 	"net/http"
+	"strings"
 
 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/sdk/logical"
@@ -31,6 +33,10 @@ func handleHelp(core *vault.Core, w http.ResponseWriter, r *http.Request) {
 		respondError(w, http.StatusBadRequest, nil)
 		return
 	}
+	if !strings.HasPrefix(r.URL.Path, "/v1/") {
+		respondError(w, http.StatusNotFound, errors.New("Missing /v1/ prefix in path. Use vault path-help command to retrieve API help for paths"))
+		return
+	}
 	path := ns.TrimmedPath(r.URL.Path[len("/v1/"):])
 
 	req := &logical.Request{
diff --git a/http/help_test.go b/http/help_test.go
index c3abfc86fa134..ec9a67dd1c58c 100644
--- a/http/help_test.go
+++ b/http/help_test.go
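Review bot: The new guard on the `if !strings.HasPrefix(r.URL.Path, "/v1/") {` line is what keeps the `r.URL.Path[len("/v1/"):]` slice on the following context line from indexing past the end of a short path, but nothing in the code records that dependency, so a later refactor that moves or drops the check would quietly reintroduce the panic. A one-line comment above the check, `// Guard the slice below: a path shorter than "/v1/" would panic with an out-of-range index.`, ties it to the line it protects. The error string also departs from Go's lowercase, no-trailing-punctuation convention; since it is returned verbatim to clients that may be deliberate, but it could read `missing /v1/ prefix in path; use vault path-help to retrieve API help`. handleHelp begins above this hunk, so how this check orders against the earlier ones is not fully visible here.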
@@ -13,7 +13,11 @@ func TestHelp(t *testing.T) {
 	defer ln.Close()
 	TestServerAuth(t, addr, token)
 
-	resp := testHttpGet(t, "", addr+"/v1/sys/mounts?help=1")
+	// request without /v1/ prefix
+	resp := testHttpGet(t, token, addr+"/?help=1")
+	testResponseStatus(t, resp, 404)
+
+	resp = testHttpGet(t, "", addr+"/v1/sys/mounts?help=1")
 	if resp.StatusCode != http.StatusForbidden {
 		t.Fatal("expected permission denied with no token")
 	}
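Review bot: The new no-prefix request on the `resp := testHttpGet(t, token, addr+"/?help=1")` line carries a valid token, so the test never exercises the unauthenticated case the commit title describes as the actual defect. A second request with an empty token, `resp = testHttpGet(t, "", addr+"/?help=1")` followed by `testResponseStatus(t, resp, 404)`, would pin that path as well. The literal `404` on the next line also reads inconsistently with the `http.StatusForbidden` comparison a few lines below; `http.StatusNotFound` is available since the file already uses net/http. TestHelp begins above this hunk.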