auth/aws: guard against malformed assumed role ARNs (#6917)

* auth/aws: guard against malformed assumed role ARNs * revert helper func changes
2019-06-18 15:51:40 -07:00 · 2019-06-18 15:51:40 -07:00 · 76cc52f48c
parent 3c9c47f97d
commit 76cc52f48c
2 changed files with 8 additions and 0 deletions
--- a/builtin/credential/aws/path_login.go
+++ b/builtin/credential/aws/path_login.go
@ -1404,6 +1404,10 @@ func parseIamArn(iamArn string) (*iamEntity, error) {
 	// now, entity.FriendlyName should either be <UserName> or <RoleName>
 	switch entity.Type {
 	case "assumed-role":
+		// Check for three parts for assumed role ARNs
+		if len(parts) < 3 {
+			return nil, fmt.Errorf("unrecognized arn: %q contains fewer than 3 slash-separated parts", fullParts[5])
+		}
 		// Assumed roles don't have paths and have a slightly different format
 		// parts[2] is <RoleSessionName>
 		entity.Path = ""
--- a/builtin/credential/aws/path_login_test.go
+++ b/builtin/credential/aws/path_login_test.go
@ -114,6 +114,10 @@ func TestBackend_pathLogin_parseIamArn(t *testing.T) {
 	if err == nil {
 		t.Error("expected error from empty principal type and no principal name (arn:aws:iam::1234556789012:/)")
 	}
+	_, err = parseIamArn("arn:aws:sts::1234556789012:assumed-role/role")
+	if err == nil {
+		t.Error("expected error from malformed assumed role ARN")
+	}
 }

 func TestBackend_validateVaultHeaderValue(t *testing.T) {