From be2f69bc4a0d89925f285b62f6406f377785416c Mon Sep 17 00:00:00 2001
From: mgritter
Date: Fri, 26 Apr 2019 15:57:00 -0700
Subject: [PATCH] Check nil parameter value when processing an ACL.
---
 vault/acl.go | 9 ++++++++-
 vault/acl_test.go | 3 +++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/vault/acl.go b/vault/acl.go
index 4105b3583..1313fa33b 100644
--- a/vault/acl.go
+++ b/vault/acl.go
@@ -709,7 +709,14 @@ func valueInParameterList(v interface{}, list []interface{}) bool {
 func valueInSlice(v interface{}, list []interface{}) bool {
 for _, el := range list {
- if reflect.TypeOf(el).String() == "string" && reflect.TypeOf(v).String() == "string" {
+ if el == nil || v == nil {
+ // It doesn't seem possible to set up a nil entry in the list, but it is possible
+ // to pass in a null entry in the API request being checked. Just in case,
+ // nil will match nil.
+ if el == v {
+ return true
+ }
+ } else if reflect.TypeOf(el).String() == "string" && reflect.TypeOf(v).String() == "string" {
 item := el.(string)
 val := v.(string)
diff --git a/vault/acl_test.go b/vault/acl_test.go
index 5a2de1b7f..a8cb634dd 100644
--- a/vault/acl_test.go
+++ b/vault/acl_test.go
@@ -549,6 +549,8 @@ func testACLValuePermissions(t *testing.T, ns *namespace.Namespace) {
 {"foo/bar", []string{"deny"}, []interface{}{"bad glob"}, false},
 {"foo/bar", []string{"deny"}, []interface{}{"good"}, true},
 {"foo/bar", []string{"allow"}, []interface{}{"good"}, true},
+ {"foo/bar", []string{"deny"}, []interface{}{nil}, true},
+ {"foo/bar", []string{"allow"}, []interface{}{nil}, true},
 {"foo/baz", []string{"aLLow"}, []interface{}{"good"}, true},
 {"foo/baz", []string{"deny"}, []interface{}{"bad"}, false},
 {"foo/baz", []string{"deny"}, []interface{}{"good"}, false},
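Review bot: In vault/acl.go, the `else if` arm of valueInSlice still detects strings with `reflect.TypeOf(el).String() == "string"`, and that call is only safe because the new nil guard sits in front of it; `reflect.TypeOf` returns nil for a nil interface, so a later reordering of the chain would bring the panic back on a request that carries a JSON null. Comma-ok assertions are nil-safe on their own and avoid reflection: `item, elIsStr := el.(string)`, `val, vIsStr := v.(string)`, then `if elIsStr && vIsStr {`. The guard's comment would also be clearer if it stated the resulting policy semantics, e.g. `// A nil list entry matches only a nil request value; nil never matches a non-nil value.` The function continues past the end of the hunk, so how the remaining comparison treats nil is not visible here.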
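Review bot: The added table rows in vault/acl_test.go (here and in the hunk at -557) only put `nil` in the request values, so the `el == nil` side of the new guard in valueInSlice, a nil entry in the policy's own list, is never executed by these tests. A small direct test of the helper would pin both directions, for example `valueInSlice(nil, []interface{}{nil})` expecting true, and `valueInSlice("good", []interface{}{nil})` and `valueInSlice(nil, []interface{}{"good"})` expecting false. The policies these rows run against are defined outside the hunk, so which list each row reaches is inferred from the parameter names.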
@@ -557,6 +559,7 @@ func testACLValuePermissions(t *testing.T, ns *namespace.Namespace) {
 {"foo/baz", []string{"deNy", "allow"}, []interface{}{"bad", "good"}, false},
 {"foo/baz", []string{"aLLow"}, []interface{}{"bad"}, false},
 {"foo/baz", []string{"Neither"}, []interface{}{"bad"}, false},
+ {"foo/baz", []string{"allow"}, []interface{}{nil}, false},
 {"fizz/buzz", []string{"allow_multi"}, []interface{}{"good"}, true},
 {"fizz/buzz", []string{"allow_multi"}, []interface{}{"good1"}, true},
 {"fizz/buzz", []string{"allow_multi"}, []interface{}{"good2"}, true},