Closed matusf closed 2 years ago
Here is a minimal example:

```shell
curl -X POST -H 'Content-Type: application/json' -H "X-Vault-Token: $token" -d '{"accessor": "x", "increment": -1}' http://localhost:8200/v1/auth/token/renew-accessor
```
Thanks for the minimal versions on this and the other two, we'll look into this.
Thanks, I'll try to add a minimal example to all the issues I created when I have some spare time :slightly_smiling_face:
Closing as the issue has since been resolved from the RC version when this was reported. Tested using 1.10.5:

```shell
curl -v -X POST -H 'Content-Type: application/json' -H "X-Vault-Token: $VAULT_TOKEN" -d '{"accessor": "x", "increment": -1}' ${VAULT_ADDR}/v1/auth/token/renew-accessor
# < HTTP/2 400
# ...
# {"errors":["Field validation failed: error converting input -1 for field \"increment\": cannot provide negative value '-1'"]}
```
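The fixed behaviour shown above (a 400 with a structured `errors` array instead of a 500) is a plain input-validation pattern. The following is an added example, not Vault's own code: a small Go handler that validates the `increment` field of a renew-accessor style request before doing anything with it. The field names `accessor` and `increment` come from the request body in this thread; the accepted shapes for `increment` (a JSON number of seconds, a numeric string, or a Go duration string), the handler layout, and the `increment_seconds` response field are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"time"
)

// renewAccessorRequest mirrors the two fields used in the report. The JSON
// field names follow the thread; the Go type itself is an assumption.
type renewAccessorRequest struct {
	Accessor  string          `json:"accessor"`
	Increment json.RawMessage `json:"increment"`
}

// parseIncrement converts the raw JSON value into a duration. It accepts a
// number of seconds, a numeric string, or a duration string such as "1h"
// (assumed formats), and rejects negatives explicitly so they become a
// client error rather than surfacing as a panic deeper in the handler.
func parseIncrement(raw json.RawMessage) (time.Duration, error) {
	if len(raw) == 0 || string(raw) == "null" {
		return 0, nil // field omitted: no increment requested
	}
	var secs float64
	if err := json.Unmarshal(raw, &secs); err == nil {
		if secs < 0 {
			return 0, fmt.Errorf("cannot provide negative value '%s'", strings.TrimSpace(string(raw)))
		}
		return time.Duration(secs * float64(time.Second)), nil
	}
	var s string
	if err := json.Unmarshal(raw, &s); err != nil {
		return 0, fmt.Errorf("increment must be a number or a duration string")
	}
	if n, err := strconv.ParseInt(s, 10, 64); err == nil {
		if n < 0 {
			return 0, fmt.Errorf("cannot provide negative value '%d'", n)
		}
		return time.Duration(n) * time.Second, nil
	}
	d, err := time.ParseDuration(s)
	if err != nil {
		return 0, fmt.Errorf("invalid duration %q", s)
	}
	if d < 0 {
		return 0, fmt.Errorf("cannot provide negative value '%s'", s)
	}
	return d, nil
}

// writeErrors emits the {"errors":[...]} shape seen in the 1.10.5 output.
func writeErrors(w http.ResponseWriter, status int, msgs ...string) {
	w.WriteHeader(status)
	json.NewEncoder(w).Encode(map[string][]string{"errors": msgs})
}

// renewAccessorHandler validates the body and answers 400 on bad input.
// The renewal itself is out of scope; the handler only echoes what passed.
func renewAccessorHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	var req renewAccessorRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		writeErrors(w, http.StatusBadRequest, "failed to parse JSON input: "+err.Error())
		return
	}
	if req.Accessor == "" {
		writeErrors(w, http.StatusBadRequest, "missing accessor")
		return
	}
	inc, err := parseIncrement(req.Increment)
	if err != nil {
		writeErrors(w, http.StatusBadRequest, fmt.Sprintf(
			"Field validation failed: error converting input %s for field \"increment\": %v",
			strings.TrimSpace(string(req.Increment)), err))
		return
	}
	json.NewEncoder(w).Encode(map[string]interface{}{
		"accessor":          req.Accessor,
		"increment_seconds": int64(inc / time.Second),
	})
}

// send posts a constructed JSON body to the handler in-process and returns
// the status code and response body, so no server has to be running.
func send(body string) (int, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/v1/auth/token/renew-accessor", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	renewAccessorHandler(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	// Constructed sample bodies: the payload from the report plus variants.
	for _, body := range []string{
		`{"accessor": "x", "increment": -1}`,
		`{"accessor": "x", "increment": "-1h"}`,
		`{"accessor": "x", "increment": "1h"}`,
		`{"accessor": "x", "increment": 3600}`,
	} {
		code, resp := send(body)
		fmt.Printf("%-40s -> %d %s\n", body, code, resp)
	}
}
```

The point of `parseIncrement` returning an error rather than a clamped value is that the caller can map it to a 400 with a message that names the offending field and input, which is what the fixed 1.10.5 response does; silently clamping would hide the fuzzer-found input instead of rejecting it.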
Hey @matusf many thanks for reporting this when you did.
**Describe the bug**
Making a POST request on `/auth/token/renew/accessor` with a specific payload causes an internal server error.

**To Reproduce**
Hi, I was fuzzing vault and found this bug. To reproduce it, just run `vault server -dev` and make a request. The request is described in the enclosed zip (single JSON file inside). The JSON also has the `curl` format of the request; however, the request contains some wild unicode characters that your terminal may not like (at least mine does not :smile:). Therefore it is better to use the `resender` utility that I made (along with the fuzzer). You may find it in my repo (github.com/matusf/openapi-fuzzer), with all installation instructions. This time I fuzzed vault with a supplied `X-Vault-Token` header, so to reproduce the crash you will need to add the root token to `openapi-fuzzer-resender` as well. There is a flag for that. Run it as follows:

auth-token-renew-accessor.zip

See error from request:

In logs: nothing

**Expected behavior**
Response with a non-500 status code.

**Environment**:
* `vault status`:
* `vault version`: Vault v1.7.0-rc1 (9af08a1c5f0f855984a1fa56d236675d167f578e)