aphorise
commented
2 years ago Closing as retesting in 1.10.5 shows the expected response and no issues with 500 responses. Issue may have been specific to the RC version when this issue was raised.
curl -v -X POST -d '{"increment":-5424973945252039949,"lease_id":"𰻈ꕞ𦶹ㅹ𘯢𣁜𘀱㐏ꏬ𠯬𱪁𰩎𣷛Ќ𓐔𨕃𩄧𦻖𢿟ᄃ𮆆𫶗𥍳𗟰ᱩ𮳊𰇎㌃₠𫂮咷ﳢ𱤄󠄣𗦁辟僤𐠑𩉡𑈀𪶓🨰𩇤囡𨱳🭲䡺𒓨봍𡲡铈𩠀黮𩧞.","url_lease_id":"𐜄襑𬸴淘특甐󠄋油擷𭐶🖈𞺑긋뼜ⱼ𥺭⎃ﬡ熨愉𱦎돡먏𣭢ꏬ牜𬔜𢵺殸𪰰🪫⩦𘋋𣊧𢂭𭋇𱩢휟𝞊⚯𘬕᭾🝖𩂲뛴𪡉ञ୦責ʭ𫈺𩞛𩋂🠇𠤅𡽢𮖽𗗎⡢臱棤𪳟痓𬷰ڻ㙤"}' -H 'X-Vault-Token: ${VAULT_TOKEN}' ${VAULT_ADDR}/v1/sys/leases/renew
# < HTTP/2 403
# # // ...
# {"errors":["permission denied"]}Thank you once more @matusf.
Describe the bug Making a POST request on
/sys/leases/renewwith specific payload causes internal server errorTo Reproduce Hi, I was fuzzing vault and found this bug. To reproduce it, just run
vault server -devand make a request. The request is described in enclosed zip (single JSON file inside). The JSON has also thecurlformated of the request, however, the request contains some wild unicode characters that your terminal may not like (at least mine does not :smile:). Therefore is better to use theresenderutility that I made (along with the fuzzer). You may find it in my repo (github.com/matusf/openapi-fuzzer), with all installation instructions. Basically just runopenapi-fuzzer-resender file.jsonto make the request.sys-leases-renew.zip In the request is vault token supplied in the headers, however, it's not needed to reproduce this crash.
See error from request:
{"errors":["no namespace"]}In logs:This issue might be related to #11306, #11308, #11313 and #11314 as there is the same response & log message.
Expected behavior Response with non 500 status code.
Environment:
vault status):vault version):Vault v1.7.0-rc1 (9af08a1c5f0f855984a1fa56d236675d167f578e)