hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

POST on `/auth/token/renew/accessor` endpoint with negative increment in payload causes internal server error #11310

Closed matusf closed 2 years ago

matusf commented 3 years ago

Describe the bug
Making a POST request on /auth/token/renew/accessor with a specific payload causes an internal server error.

To Reproduce
Hi, I was fuzzing vault and found this bug. To reproduce it, just run vault server -dev and make a request. The request is described in the enclosed zip (a single JSON file inside). The JSON also has the curl-formatted version of the request; however, the request contains some wild unicode characters that your terminal may not like (at least mine does not :smile:). Therefore it is better to use the resender utility that I made (along with the fuzzer). You may find it in my repo (github.com/matusf/openapi-fuzzer), with all installation instructions.

This time I fuzzed vault with a supplied X-Vault-Token header, so to reproduce the crash you will need to add the root token to openapi-fuzzer-resender as well. There is a flag for that. Run it as follows:

openapi-fuzzer-resender file.json -H "X-Vault-Token: $VAULT_TOKEN"

auth-token-renew-accessor.zip

See error from request:

{"errors":["1 error occurred:   * error converting input -9185201444257494796 for field \"increment\": cannot provide negative value \'-535849150\'"]}

In logs: nothing

Expected behavior
Response with a non-500 status code.

Environment:

matusf commented 3 years ago

Here is a minimal example:

curl -X POST -H 'Content-Type: application/json' -H "X-Vault-Token: $token" -d '{"accessor": "x", "increment": -1}' http://localhost:8200/v1/auth/token/renew-accessor

sgmiller commented 3 years ago

Thanks for the minimal versions on this and the other two, we'll look into this.

matusf commented 3 years ago

Thanks, I'll try to add a minimal example to all the issues I created when I have some spare time :slightly_smiling_face:

aphorise commented 2 years ago

Closing as the issue has since been resolved from the RC version in use when this was reported. Tested using 1.10.5:

curl -v -X POST -H 'Content-Type: application/json' -H "X-Vault-Token: $VAULT_TOKEN" -d '{"accessor": "x", "increment": -1}' ${VAULT_ADDR}/v1/auth/token/renew-accessor
  # < HTTP/2 400
  # # // ...
  # {"errors":["Field validation failed: error converting input -1 for field \"increment\": cannot provide negative value '-1'"]}

Hey @matusf many thanks for reporting this when you did.
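As an added illustration of the status-code mapping the 1.10.5 output above shows (this is example code, not Vault's own handler): validation failures on client-supplied fields such as `increment` are answered with 400, and 500 stays reserved for faults the client did not cause. It assumes a simplified request shape that takes `increment` as integer seconds only, and uses `json.Number` so an out-of-range value errors out rather than wrapping.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"time"
)

// renewAccessorRequest carries the two fields from the issue's minimal curl;
// json.Number keeps the raw digits so out-of-range values error out instead of wrapping.
type renewAccessorRequest struct {
	Accessor  string      `json:"accessor"`
	Increment json.Number `json:"increment"`
}

// validateRenewAccessor decodes the body and returns the HTTP status the server
// should answer with, the error text (empty on success) and the parsed increment.
// Anything the client controls maps to 400; 500 stays reserved for server faults.
func validateRenewAccessor(body []byte) (status int, errMsg string, increment time.Duration) {
	var req renewAccessorRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return http.StatusBadRequest, "failed to parse JSON input: " + err.Error(), 0
	}
	if req.Increment == "" {
		return http.StatusOK, "", 0 // increment omitted: renew with the default TTL
	}
	secs, err := req.Increment.Int64()
	if err != nil { // non-integer, or outside the int64 range
		return http.StatusBadRequest, fmt.Sprintf("Field validation failed: error converting input %s for field \"increment\": %v", req.Increment, err), 0
	}
	if secs < 0 {
		return http.StatusBadRequest, fmt.Sprintf("Field validation failed: error converting input %s for field \"increment\": cannot provide negative value '%d'", req.Increment, secs), 0
	}
	return http.StatusOK, "", time.Duration(secs) * time.Second
}

func main() {
	// Constructed payloads: the issue's reproducer, an out-of-int64-range value, a valid request.
	for _, p := range []string{
		`{"accessor": "x", "increment": -1}`,
		`{"accessor": "x", "increment": -99999999999999999999}`,
		`{"accessor": "x", "increment": 3600}`,
	} {
		st, msg, inc := validateRenewAccessor([]byte(p))
		fmt.Printf("%s -> %d %q %v\n", p, st, msg, inc)
	}
}
```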