When restoring a key in transit engine, path is not correctly validated #7663

byo · 2019-10-15T16:30:45Z

Steps to reproduce the behavior:

vault write /transit/keys/test-key type=rsa-2048 exportable=true allow_plaintext_backup=true
vault read --field=backup /transit/backup/test-key | vault write /transit/restore/sub/path/test-key2 backup=-
A key with incorrect path has been created, sub is listed as a sub-path in /transit/keys/ but one can not list that sub-path nor do any operation related to the key

Expected behavior
When doing restore, vault should fail if the name of the key is incorrect.

Environment:

Vault Server Version (retrieve with vault status): 1.2.3
Vault CLI Version (retrieve with vault version): v1.2.2
Server Operating System/Architecture: Debian/amd64

Transit ACLs used:

path "transit/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

The text was updated successfully, but these errors were encountered:

catsby · 2019-12-10T22:05:23Z

I've opened #7998 to address this, hopefully it gets approved and merged 😄

* Add test to verify #7663 * Validate name in transit key restore to not be a path

catsby · 2019-12-11T15:34:08Z

#7998 was merged, thanks again for reporting this!

* Add test to verify #7663 * Validate name in transit key restore to not be a path

* Output human duration in TTL warnings (#7901) * Add enable_hostname_label option to telementry stanza (#7902) * store secret key and value as an object to fix copy/show secret bug (#7926) * Add accept header check for prometheus mime type (#7958) * Add accept header check for prometheus mime type * Fix small header filter bug. Add test * Fix S3 configurable path handling (#7966) Also remove some incorrect skipping of the S3 test. Fixes #7362 * Ui/fix demoting status menu (#7997) * fix bug where users couldn't click on update primary * don't show status menu items when cluster isSecondary since those links don't work * show the mode of replication in the status menu * do not show server header in status menu when the contents are empty * show Disaster Recovery instead of 'DR' * do not show http metrics in status menu unless user is authenticated * fix typo so icons in status menu show * Transit: error when restoring to a name that looks like a path (#7998) * Add test to verify #7663 * Validate name in transit key restore to not be a path * overwrite bulma bug that crashes safari (#8023)

michelvocks added bug Used to indicate a potential bug secret/transit labels Nov 5, 2019

catsby added the version/1.2.x label Nov 18, 2019

catsby added a commit that referenced this issue Dec 10, 2019

Add test to verify #7663

cc01758

catsby mentioned this issue Dec 10, 2019

Transit: error when restoring to a name that looks like a path #7998

Merged

catsby closed this as completed in #7998 Dec 11, 2019

catsby added a commit that referenced this issue Dec 11, 2019

Transit: error when restoring to a name that looks like a path (#7998)

3f62e7f

* Add test to verify #7663 * Validate name in transit key restore to not be a path

briankassouf pushed a commit that referenced this issue Dec 18, 2019

Transit: error when restoring to a name that looks like a path (#7998)

e6ca938

* Add test to verify #7663 * Validate name in transit key restore to not be a path

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

When restoring a key in transit engine, path is not correctly validated #7663

When restoring a key in transit engine, path is not correctly validated #7663

byo commented Oct 15, 2019

catsby commented Dec 10, 2019

catsby commented Dec 11, 2019

When restoring a key in transit engine, path is not correctly validated #7663

When restoring a key in transit engine, path is not correctly validated #7663

Comments

byo commented Oct 15, 2019

catsby commented Dec 10, 2019

catsby commented Dec 11, 2019