hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

POST on `/auth/token/renew/self` endpoint with negative increment in payload causes internal server error #11311

Closed matusf closed 2 years ago

matusf commented 3 years ago

Describe the bug
Making a POST request on /auth/token/renew/self with a specific payload causes an internal server error.

To Reproduce
Hi, I was fuzzing vault and found this bug. To reproduce it, just run `vault server -dev` and make a request. The request is described in the enclosed zip (a single JSON file inside). The JSON also contains the curl-formatted version of the request; however, the request contains some wild unicode characters that your terminal may not like (at least mine does not :smile:). Therefore it is better to use the resender utility that I made (along with the fuzzer). You may find it in my repo (github.com/matusf/openapi-fuzzer), with all installation instructions.

This time I fuzzed vault with the X-Vault-Token header supplied, so to reproduce the crash you will need to add the root token to openapi-fuzzer-resender as well. There is a flag for that. Run it as follows:

openapi-fuzzer-resender file.json -H "X-Vault-Token: $VAULT_TOKEN"

auth-token-renew-self.zip

This crash seems to be similar to https://github.com/hashicorp/vault/issues/11310. They both seem to crash because of the increment field value.

See error from request:

{"errors":["1 error occurred:   * error converting input -8177261539048048142 for field \"increment\": cannot provide negative value \'-5181739610\'"]}

In logs: nothing

Expected behavior
Response with a non-500 status code.

Environment:

matusf commented 3 years ago

Here is a minimal example:

curl -X POST  -H 'Content-Type: application/json' -H "X-Vault-Token: $token" -d '{"increment": -1, "token": "x"}' http://localhost:8200/v1/auth/token/renew-self

aphorise commented 2 years ago

Closing as the issue has been resolved since it was reported at the time of the referenced RC version. Retested in 1.10.5 without any issues:

curl -v -X POST -H 'Content-Type: application/json' -H "X-Vault-Token: $VAULT_TOKEN" -d '{"increment": -1, "token": "x"}' ${VAULT_ADDR}/v1/auth/token/renew-self
  # < HTTP/2 400
  # # // ...
  # {"errors":["Field validation failed: error converting input -1 for field \"increment\": cannot provide negative value '-1'"]}

Great work @matusf ⭐
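As an added illustration (not Vault's own code), the status-code split that the 1.10.5 retest above shows: a hypothetical Go handler for the renew-self payload that reports a negative or unparseable `increment` as a 400 field-validation error rather than letting it surface as a 500. The type and function names are assumptions; the only page-derived detail is the error wording.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strconv"
	"time"
)

// Illustrative request type, not Vault's. Increment stays raw because
// Vault accepts either seconds (an integer) or a duration string ("1h").
type renewSelfRequest struct {
	Increment json.RawMessage `json:"increment"`
	Token     string          `json:"token"`
}

// parseIncrement converts the raw increment to a duration. Every bad input,
// a negative value included, comes back as a validation message (client error).
func parseIncrement(raw json.RawMessage) (time.Duration, string) {
	if len(raw) == 0 {
		return 0, "" // field absent: no increment requested
	}
	prefix := fmt.Sprintf("error converting input %s for field \"increment\": ", raw)
	var d time.Duration
	if secs, err := strconv.ParseInt(string(raw), 10, 64); err == nil {
		d = time.Duration(secs) * time.Second
	} else if s := ""; json.Unmarshal(raw, &s) != nil {
		return 0, prefix + "not a number or duration string"
	} else if d, err = time.ParseDuration(s); err != nil {
		return 0, prefix + err.Error()
	}
	if d < 0 {
		return 0, prefix + fmt.Sprintf("cannot provide negative value '%s'", raw)
	}
	return d, ""
}

// HandleRenewSelf maps the outcome to a status: bad JSON or a failed field check is 400, never 500.
func HandleRenewSelf(body []byte) (int, string) {
	var req renewSelfRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return http.StatusBadRequest, "Field validation failed: " + err.Error()
	}
	inc, problem := parseIncrement(req.Increment)
	if problem != "" {
		return http.StatusBadRequest, "Field validation failed: " + problem
	}
	return http.StatusOK, fmt.Sprintf("token renewed, increment %s", inc)
}
```

Feeding it the issue's payload `{"increment": -1, "token": "x"}` yields 400 with the same message text the retest printed.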