safe doesn't canonicalize paths #106

thomasmitchell · 2017-09-21T15:38:28Z

Maybe it should. My personal issue is /secret/... has vault try to redirect to secret/... but safe can't handle that.

The text was updated successfully, but these errors were encountered:

jhunt · 2017-09-22T17:00:46Z

Specifically, this is happening when a POST is issued to a non-canonical URL, as in

safe x509 issue /secret/x --name foo

jhunt · 2017-09-22T17:27:10Z

Here is what is ultimately going on:

Vault is canonicalizing paths (at least to the generic backend) when you retrieve them, but not when you store them. Consider:

jhunt ~ →  safe write secret/x foo=quux
foo: quux
jhunt ~ →  safe read secret/x
--- # secret/x
foo: quux

jhunt ~ →  safe write secret///x foo=boz
foo: boz
jhunt ~ →  safe read secret///x
--- # secret///x
foo: quux

There is literally no way we will ever get back the foo=boz value we wrote in the second call to safe write; it's lost to the ages.

To fix this, safe will have to canonicalize all paths it sees by:

Stripping off leading and trailing forward slashes
Replacing contiguous runs of 2 or more forward slashes with a single forward slash

jhunt self-assigned this Sep 22, 2017

Qarik-Group deleted a comment from thomasmitchell Sep 22, 2017

jhunt changed the title ~~safe doesn't follow redirects~~ safe doesn't canonicalize paths Sep 22, 2017

jhunt closed this as completed in bc7a07c Sep 22, 2017

jhunt mentioned this issue Sep 27, 2017

creating a vault target with a trailing slash causes inconsistent behavior #109

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

safe doesn't canonicalize paths #106

safe doesn't canonicalize paths #106

thomasmitchell commented Sep 21, 2017

jhunt commented Sep 22, 2017

jhunt commented Sep 22, 2017

safe doesn't canonicalize paths #106

safe doesn't canonicalize paths #106

Comments

thomasmitchell commented Sep 21, 2017

jhunt commented Sep 22, 2017

jhunt commented Sep 22, 2017