Vault-4010 Unauthenticated panic when processing "help" requests (#14704)

* fix help panic * add changelog entry
2022-03-24 12:19:14 -07:00 · 2022-03-24 12:19:14 -07:00 · e59aee02bd
parent c4236d55ba
commit e59aee02bd
3 changed files with 14 additions and 1 deletions
--- a/changelog/14704.txt
+++ b/changelog/14704.txt
@ -0,0 +1,3 @@
+```release-note:bug
+core: Fix panic for help request URL paths without /v1/ prefix   
+```
--- a/http/help.go
+++ b/http/help.go
@ -1,7 +1,9 @@
 package http

 import (
+	"errors"
 	"net/http"
+	"strings"

 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/sdk/logical"
@ -31,6 +33,10 @@ func handleHelp(core *vault.Core, w http.ResponseWriter, r *http.Request) {
 		respondError(w, http.StatusBadRequest, nil)
 		return
 	}
+	if !strings.HasPrefix(r.URL.Path, "/v1/") {
+		respondError(w, http.StatusNotFound, errors.New("Missing /v1/ prefix in path. Use vault path-help command to retrieve API help for paths"))
+		return
+	}
 	path := ns.TrimmedPath(r.URL.Path[len("/v1/"):])

 	req := &logical.Request{
--- a/http/help_test.go
+++ b/http/help_test.go
@ -13,7 +13,11 @@ func TestHelp(t *testing.T) {
 	defer ln.Close()
 	TestServerAuth(t, addr, token)

-	resp := testHttpGet(t, "", addr+"/v1/sys/mounts?help=1")
+	// request without /v1/ prefix
+	resp := testHttpGet(t, token, addr+"/?help=1")
+	testResponseStatus(t, resp, 404)
+
+	resp = testHttpGet(t, "", addr+"/v1/sys/mounts?help=1")
 	if resp.StatusCode != http.StatusForbidden {
 		t.Fatal("expected permission denied with no token")
 	}