POST on `/auth/token/lookup` with specific payload causes internal server error

[matusf]

Describe the bug Making a POST request on /auth/token/lookup with specific payload causes internal server error

To Reproduce Hi, I was fuzzing vault and found this bug. To reproduce it, just run vault server -dev and make a request. The request is described in enclosed zip (single JSON file inside). The JSON has also the curl formated of the request, however, the request contains some wild unicode characters that your terminal may not like (at least mine does not :smile:). Therefore is better to use the resender utility that I made (along with the fuzzer). You may find it in my repo (github.com/matusf/openapi-fuzzer), with all installation instructions. Basically just run openapi-fuzzer-resender file.json to make the request.

auth-token-lookup.zip

See error from request: "{\"errors\":[\"no namespace\"]}\n" In logs:

[WARN]  core: error looking up namespace from the token's namespace ID: error="no namespace"

Expected behavior Response with non 500 status code.

Environment:

• Vault Server Version (retrieve with vault status):

  {
  "cluster_id": "ff96e72d-8a50-1574-3044-567db781e3c3",
  "cluster_name": "vault-cluster-f4d3b0c5",
  "initialized": true,
  "migration": false,
  "n": 1,
  "nonce": "",
  "progress": 0,
  "recovery_seal": false,
  "sealed": false,
  "storage_type": "inmem",
  "t": 1,
  "type": "shamir",
  "version": "1.7.0-rc1"
  }

• Vault CLI Version (retrieve with vault version): Vault v1.7.0-rc1 (9af08a1c5f0f855984a1fa56d236675d167f578e)
• Server Operating System/Architecture: Ubuntu 18.04/x86_64

[aphorise]

Closing as issue was likely in RC version when issue was reported. Retested in 1.10.5 without any issues:

curl -v -X POST -d '{"token":"𰏲򛳏򞰑𫘛򱹯ᒢ􎚋.󥆆򫾠򊄌🻮"}' ${VAULT_ADDR}/v1/auth/token/lookup
  # < HTTP/2 403
  # # // ...
  # {"errors":["permission denied"]}

Thank you @matusf