UI interprets URL-encoded secrets when accessing it

Open NoaFayn opened this issue 11 months ago • 2 comments

Describe the bug: When using the UI to navigate in the KV secrets, if a "directory" was URL-encoded with slashes, it will be interpreted as a path.

To Reproduce: Steps to reproduce the behavior:

  1. Create a secret in the KV engine (e.g.: secrets/test1%2ftest2/test3)
  2. Navigate using the UI to secrets
  3. Now, when clicking on the test1%2ftest2 "directory" (which is correctly displayed in the UI), the UI interprets the %2f as a slash, and tries to display secrets in secrets/test1/test2/, which doesn't exist.

Expected behavior: It is expected that when clicking on the "directory" test1%2ftest2, the UI correctly handles the %2f as part of the name, and doesn't interpret it as a slash.

Environment:

  • Vault Server Version (retrieve with vault status): 1.15.6
  • Vault CLI Version (retrieve with vault version): N/A
  • Server Operating System/Architecture: Docker on Debian 11

Additional context: Note that accessing a secret (instead of a "directory") containing %2f works as expected.

NoaFayn avatar Mar 13 '24 13:03 NoaFayn
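The behaviour reported above, reduced to a small added example (not Vault's UI code and not from the issue author): it shows how decoding a URL path before splitting it turns the single segment test1%2ftest2 into two segments, and how encoding each segment when building the link lets the name round-trip. All function names are hypothetical, and the segments are the constructed ones from the reproduction steps.

```javascript
// Constructed from the report: mount "secrets", one folder literally named "test1%2ftest2".
const STORED_SEGMENTS = ['secrets', 'test1%2ftest2'];

// Hypothetical link builder that drops raw names into the URL unchanged.
function buildLinkNaive(segments) {
  return '/' + segments.join('/') + '/';
}

// Hypothetical link builder that percent-encodes each segment ("%" becomes "%25").
function buildLinkEncoded(segments) {
  return '/' + segments.map(encodeURIComponent).join('/') + '/';
}

// Hypothetical resolver with the reported symptom: decode the whole path, then split.
function resolveDecodeThenSplit(urlPath) {
  return decodeURIComponent(urlPath).split('/').filter(Boolean);
}

// Resolver that splits on the literal "/" first, then decodes each segment once.
function resolveSplitThenDecode(urlPath) {
  return urlPath.split('/').filter(Boolean).map(decodeURIComponent);
}

// True when the path the UI would list is exactly the path that was stored.
function roundTrips(build, resolve, segments) {
  const resolved = resolve(build(segments));
  return resolved.length === segments.length &&
    resolved.every((name, i) => name === segments[i]);
}

// The four combinations for the folder from the report.
function report() {
  return {
    naiveThenDecodeSplit: resolveDecodeThenSplit(buildLinkNaive(STORED_SEGMENTS)),
    naiveThenSplitDecode: resolveSplitThenDecode(buildLinkNaive(STORED_SEGMENTS)),
    encodedLink: buildLinkEncoded(STORED_SEGMENTS),
    encodedThenSplitDecode: resolveSplitThenDecode(buildLinkEncoded(STORED_SEGMENTS)),
  };
}

console.log(report());
```

Splitting before decoding is not enough when the link itself carries the raw name: the segment count is right but the name becomes test1/test2, so the link builder and the resolver have to agree on one encode and one decode.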

@NoaFayn thank you for the issue. I'm trying to figure out the best way to approach a fix, and it might be helpful to understand what your workflow is for creating a directory with a URL encoded slash.

  1. Do you create this directory in the CLI and then move to the UI?
  2. Is the directory path automatically generated for you?
  3. Are you manually writing out the encoded slash in the UI when creating a secret path?

If number 3 is your workflow, can you help me understand why you'd want a directory name with an encoded slash?

Monkeychip avatar May 13 '24 19:05 Monkeychip

Hi @Monkeychip, your first guess is the correct one for my workflow. It's actually through the API that I'm creating the directory (but it shouldn't matter), and then I'm accessing it with the UI. We have a script creating secrets automatically (and each directory represents a "product" ID which happens to contain a "/" in it) and we use the UI to access them. However, I just want to point out that it doesn't matter how the directory name is created (UI or API), the problem is when the path is accessed. (I've actually tried to create the directory from the UI and it results in the same behaviour.)

NoaFayn avatar May 14 '24 09:05 NoaFayn

Hi, I'm just curious if this was resolved. We are experiencing this issue in 1.17.1 currently (after upgrading from 1.14.x)

This one might be a similar issue, but it seems like it was fixed https://github.com/hashicorp/vault/issues/23940#issuecomment-1807954457?

Or not? Referring to this comment? https://github.com/hashicorp/vault/issues/23940#issuecomment-1821451727

99 avatar Sep 13 '24 00:09 99