From 826e87884e44e0550076c16937ae08f491e4077e Mon Sep 17 00:00:00 2001
From: Steven Clark
Date: Thu, 1 Dec 2022 10:10:12 -0500
Subject: [PATCH] Address a nil panic when writing an empty POST request to the ocsp handler (#18184)
* Address a nil panic when writing an empty POST request to the ocsp handler
- Seems when no JSON body is sent with a POST request Vault will not populate the HTTPRequest member variable which caused the nil panic
- vault write -force pki/ocsp
- Add a check for it and the Body member variable to be nil before use.
* Add cl
---
builtin/logical/pki/ocsp.go | 8 ++++++++
changelog/18184.txt | 3 +++
2 files changed, 11 insertions(+)
create mode 100644 changelog/18184.txt
diff --git a/builtin/logical/pki/ocsp.go b/builtin/logical/pki/ocsp.go
index 9ca159c9a..b01f60a38 100644
--- a/builtin/logical/pki/ocsp.go
+++ b/builtin/logical/pki/ocsp.go
@@ -218,7 +218,15 @@ func fetchDerEncodedRequest(request *logical.Request, data *framework.FieldData)
 return base64.StdEncoding.DecodeString(base64Req)
 case logical.UpdateOperation:
 // POST bodies should contain the binary form of the DER request.
+ // NOTE: Writing an empty update request to Vault causes a nil request.HTTPRequest, and that object
+ // says that it is possible for its Body element to be nil as well, so check both just in case.
+ if request.HTTPRequest == nil {
+ return nil, errors.New("no data in request")
+ }
 rawBody := request.HTTPRequest.Body
+ if rawBody == nil {
+ return nil, errors.New("no data in request body")
+ }
 defer rawBody.Close()
 requestBytes, err := io.ReadAll(io.LimitReader(rawBody, maximumRequestSize))
diff --git a/changelog/18184.txt b/changelog/18184.txt
new file mode 100644
index 000000000..153131abe
--- /dev/null
+++ b/changelog/18184.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/pki: Address nil panic when an empty POST request is sent to the OCSP handler
+```
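Review bot: No regression test accompanies the two nil guards added to the `logical.UpdateOperation` branch of `fetchDerEncodedRequest`: the diffstat lists only `builtin/logical/pki/ocsp.go` and the changelog entry, so the panic reproduced by `vault write -force pki/ocsp` can come back unnoticed. A test should call the update path with `request.HTTPRequest == nil` and with a non-nil request whose `Body` is nil, and assert that an error is returned and nothing panics. A body that is present but zero-length passes both guards and reaches `io.ReadAll`; what happens to the empty result is decided in the part of the function outside this hunk, so it deserves a third case. Since a crash in a request handler is an availability issue for the responder, this is worth pinning in CI rather than relying on the comment.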