UI does not properly handle URL-encoded components in secrets path #28759

Open
bmerry opened this issue Oct 24, 2024 · 0 comments
Labels: bug (Used to indicate a potential bug), reproduced (This issue has been reproduced by a Vault engineer), ui

bmerry commented Oct 24, 2024

Describe the bug
I wanted to use a URL as a single component of a secret path (to uniquely identify the data for which the secret is a decryption key); to make it a valid path component, I URL-encoded the URL. This works fine in the API, but when trying to browse to the secret in the UI, the URL escapes get unescaped at some point and the UI is unable to browse to the secret.

To Reproduce
Steps to reproduce the behavior:

  1. Mount a kv v2 secrets engine at the default path (/secret)
  2. Run vault kv put -mount=secret 'test%2Fwith%2Fpercents/data' foo=bar
  3. Browse to https://HOST/ui/vault/secrets/secret/kv/list
  4. Click on test%2Fwith%2Fpercents/
  5. The error 'There are no secrets matching "test/with/percents/".' is displayed, and the navigation bar at the top shows "Secrets / secret / test / with / percents". The URL is https://HOST/ui/vault/secrets/secret/kv/list/test%2Fwith%2Fpercents/

Expected behavior
I expect to see a list of the secrets under the test%2Fwith%2Fpercents tree (namely the data secret written in step 2).

Environment:

  • Vault Server Version (retrieve with vault status): 1.17.6
  • Vault CLI Version (retrieve with vault version): Vault v1.17.6 (cgo)
  • Server Operating System/Architecture: Ubuntu 22.04.5 LTS / x86_64

Vault server configuration file(s):

storage "raft" {
  path = "/opt/vault/data"
  node_id = "vault1"

  retry_join {
    leader_api_addr = "REDACTED"
    leader_ca_cert_file = "/opt/vault/tls/ca.pem"
  }
  retry_join {
    leader_api_addr = "REDACTED"
    leader_ca_cert_file = "/opt/vault/tls/ca.pem"
  }
}

listener "tcp" {
  address = "[::]:8200"
  tls_cert_file = "/opt/vault/tls/tls.crt"
  tls_key_file = "/opt/vault/tls/tls.key"
  tls_min_version = "tls13"
  telemetry = {
    unauthenticated_metrics_access = true
  }
}

telemetry {
  disable_hostname = true  # Recommended for use with Prometheus
}

api_addr = "REDACTED"
cluster_addr = "REDACTED"

disable_mlock = true   # Recommended for "raft" storage
ui = true

(other Vault servers in the cluster are the same except for node_id and retry_join blocks)

Additional context
Add any other context about the problem here.

miagilepner added the ui, bug, and reproduced labels on Oct 25, 2024
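
The mismatch reported in this issue, as an added JavaScript example that is not part of the original report and is not Vault's UI code: a storage path whose component contains a literal `%2F` must be encoded per component when it is placed in a URL and decoded exactly once per segment, otherwise the escape becomes a path separator. All function names are hypothetical and the sample paths are constructed from the reproduction steps.

```javascript
// Added illustration; not Vault UI code. All function names are hypothetical.
// Constructed sample: the KV path from the reproduction steps. Its first
// component literally contains the characters "%2F".
const SECRET_PATH = 'test%2Fwith%2Fpercents/data';

// Storage path -> URL path: encode each component, so a literal "%" becomes
// "%25" and survives exactly one decode on the way back.
function toUrlPath(storagePath) {
  return storagePath.split('/').map((c) => encodeURIComponent(c)).join('/');
}

// URL path -> storage path: split on "/" first, then decode each segment once.
function fromUrlPath(urlPath) {
  return urlPath.split('/').map((c) => decodeURIComponent(c)).join('/');
}

// Faulty variant: the storage path is placed in the URL unencoded and the
// whole string is decoded, so "%2F" turns into a path separator.
function naiveFromUrlPath(urlPath) {
  return decodeURIComponent(urlPath);
}

// Audit helper: keys that a decoding client would address differently.
// A malformed escape (for example a trailing "%") makes decodeURIComponent
// throw URIError; such keys are reported as well.
function keysChangedByDecoding(keys) {
  return keys.filter((key) => {
    try {
      return decodeURIComponent(key) !== key;
    } catch (err) {
      return true;
    }
  });
}

console.log(naiveFromUrlPath('test%2Fwith%2Fpercents/'));
console.log(toUrlPath(SECRET_PATH));
console.log(fromUrlPath(toUrlPath(SECRET_PATH)) === SECRET_PATH);
console.log(keysChangedByDecoding(['plain/key', SECRET_PATH, '100%']));
```

Running `keysChangedByDecoding` over the keys returned by a list call shows which existing paths a client that decodes too eagerly would fail to reach.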