Invalid flags during plugin registration are silently ignored #29539

Open
thevilledev opened this issue Feb 10, 2025 · 0 comments · May be fixed by #28692
Labels
bug Used to indicate a potential bug core/plugin ecosystem/plugin


Describe the bug
When registering a plugin using vault plugin register, if the plugin doesn't check the error return from flags.Parse(), invalid flags are silently ignored and the registration succeeds. This could lead to confusion as users might think their configuration flags are being applied when they're actually being ignored.

This bug can be found in various built-in Vault plugins, such as:

  • credential/approle
  • logical/aws
  • logical/pki

However, it is mostly a code quality issue as the plugins are not dynamically loaded. But the approach has propagated beyond this repository as it's part of the Vault plugin documentation as well. For third-party plugins, this missing error check might be more than a code quality issue, though.

I've had a proposal to fix this for a while in #28692. This PR has links to related & affected plugins with the same issue.

To Reproduce

  1. Create a simple plugin that doesn't check the error from flags.Parse():

         func main() {
             apiClientMeta := &api.PluginAPIClientMeta{}
             flags := apiClientMeta.FlagSet()
             flags.Parse(os.Args[1:]) // Error not checked
             // ... rest of plugin code ...
         }

  2. Register the plugin with an invalid flag:

         vault plugin register -sha256=$SHA256 -command=vault-plugin-auth-dummy -args="-invalid-flag=test" auth dummy

  3. The registration succeeds despite the invalid flag

Expected behavior

The plugin registration should fail when invalid flags are provided, as these flags might be intended for configuration but are being silently ignored. If the return value is checked, Vault prints this upon plugin register:

Unrecognized remote plugin message: Error parsing flags: flag provided but not defined: -invalid-flag

Actual behavior

The plugin registration succeeds, silently ignoring the invalid flags.

Environment:

  • Vault Server Version (retrieve with vault status): v1.19.0-beta1 (built latest from main)
  • Vault CLI Version (retrieve with vault version): v1.19.0-beta1 (built latest from main)
  • Server Operating System/Architecture: arm64
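
An added example, not part of the original report or of Vault's code: it contrasts the unchecked `Parse` call from the reproduction with a checked one, and shows that parsing stops at the first unknown flag, so valid flags after it are dropped as well. A standard-library `flag.FlagSet` in `ContinueOnError` mode stands in for the set returned by `apiClientMeta.FlagSet()` (an assumption); the `-example-setting` flag and the function names are hypothetical.

```go
package main

import (
	"flag"
	"fmt"
	"io"
)

// newPluginFlagSet is a hypothetical stand-in for the plugin's flag set:
// ContinueOnError mode (assumed) with one constructed flag, -example-setting.
func newPluginFlagSet() (*flag.FlagSet, *string) {
	fs := flag.NewFlagSet("plugin", flag.ContinueOnError)
	fs.SetOutput(io.Discard) // keep the usage text out of the demo output
	setting := fs.String("example-setting", "", "constructed sample option")
	return fs, setting
}

// parseUnchecked mirrors the pattern in the report: the error from Parse is
// dropped, so the caller cannot tell that parsing stopped early.
func parseUnchecked(args []string) string {
	fs, setting := newPluginFlagSet()
	fs.Parse(args) // error not checked
	return *setting
}

// parseChecked returns the parse error so the plugin can refuse to start.
// The message prefix follows the output quoted in the report.
func parseChecked(args []string) (string, error) {
	fs, setting := newPluginFlagSet()
	if err := fs.Parse(args); err != nil {
		return "", fmt.Errorf("Error parsing flags: %w", err)
	}
	return *setting, nil
}

func main() {
	// Constructed arguments: an unknown flag followed by a valid one.
	args := []string{"-invalid-flag=test", "-example-setting=on"}

	// The valid flag is lost too, because Parse stops at the first error.
	fmt.Printf("unchecked: example-setting=%q\n", parseUnchecked(args))

	if _, err := parseChecked(args); err != nil {
		fmt.Println("checked:", err) // a real plugin would exit non-zero here
	}
}
```
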