vault: Sanity check keys in the barrier view
This commit is contained in:
Armon Dadgar
parent
a6bc60c7d6
commit
d817e31d67
|
|
@ -28,13 +28,27 @@ func NewBarrierView(barrier SecurityBarrier, prefix string) *BarrierView {
|
|||
}
|
||||
}
|
||||
|
||||
// sanityCheck is used to perform a sanity check on a key
|
||||
func (v *BarrierView) sanityCheck(key string) error {
|
||||
if strings.Contains(key, "..") {
|
||||
return fmt.Errorf("key cannot be relative path")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// logical.Storage impl.
|
||||
func (v *BarrierView) List(prefix string) ([]string, error) {
|
||||
if err := v.sanityCheck(prefix); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return v.barrier.List(v.expandKey(prefix))
|
||||
}
|
||||
|
||||
// logical.Storage impl.
|
||||
func (v *BarrierView) Get(key string) (*logical.StorageEntry, error) {
|
||||
if err := v.sanityCheck(key); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
entry, err := v.barrier.Get(v.expandKey(key))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
|
@ -54,6 +68,9 @@ func (v *BarrierView) Get(key string) (*logical.StorageEntry, error) {
|
|||
|
||||
// logical.Storage impl.
|
||||
func (v *BarrierView) Put(entry *logical.StorageEntry) error {
|
||||
if err := v.sanityCheck(entry.Key); err != nil {
|
||||
return err
|
||||
}
|
||||
nested := &Entry{
|
||||
Key: v.expandKey(entry.Key),
|
||||
Value: entry.Value,
|
||||
|
|
@ -63,6 +80,9 @@ func (v *BarrierView) Put(entry *logical.StorageEntry) error {
|
|||
|
||||
// logical.Storage impl.
|
||||
func (v *BarrierView) Delete(key string) error {
|
||||
if err := v.sanityCheck(key); err != nil {
|
||||
return err
|
||||
}
|
||||
return v.barrier.Delete(v.expandKey(key))
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -18,6 +18,35 @@ func TestBarrierView_spec(t *testing.T) {
|
|||
logical.TestStorage(t, view)
|
||||
}
|
||||
|
||||
func TestBarrierView_BadKeysKeys(t *testing.T) {
|
||||
_, barrier, _ := mockBarrier(t)
|
||||
view := NewBarrierView(barrier, "foo/")
|
||||
|
||||
_, err := view.List("../")
|
||||
if err == nil {
|
||||
t.Fatalf("expected error")
|
||||
}
|
||||
|
||||
_, err = view.Get("../")
|
||||
if err == nil {
|
||||
t.Fatalf("expected error")
|
||||
}
|
||||
|
||||
err = view.Delete("../foo")
|
||||
if err == nil {
|
||||
t.Fatalf("expected error")
|
||||
}
|
||||
|
||||
le := &logical.StorageEntry{
|
||||
Key: "../foo",
|
||||
Value: []byte("test"),
|
||||
}
|
||||
err = view.Put(le)
|
||||
if err == nil {
|
||||
t.Fatalf("expected error")
|
||||
}
|
||||
}
|
||||
|
||||
func TestBarrierView(t *testing.T) {
|
||||
_, barrier, _ := mockBarrier(t)
|
||||
view := NewBarrierView(barrier, "foo/")
|
||||
|
|
|
|||
Loading…
Reference in New Issue