FIX URI path handling to remove double slashes #344

Open
wants to merge 1 commit into
base: master

@TaopaiC TaopaiC commented Sep 13, 2024

Fix request URI to remove double slashes.
Vault server returns 301 redirect for double slash URIs, requiring resending. Since Vault server v1.17.3, the redirect URL has changed.

For example, take key: /cubbyhole/my-secret:

  • Before vault v1.17.2, vault-ruby sends /v1//cubbyhole/my%2Dsecret, and the Vault server returns /v1/cubbyhole/my-secret.
  • After vault v1.17.3, vault-ruby sends /v1//cubbyhole/my%2Dsecret, and the Vault server returns /v1/cubbyhole/my%252Dsecret.

Thus, the behavior is not the same. Removing the double slashes prevents the redirect mechanism from being triggered.

@TaopaiC TaopaiC requested a review from a team as a code owner September 13, 2024 16:28

ochnerd commented Sep 23, 2024

@TaopaiC we have a similar problem with v1.17.3. Our problem seems to be that v1.17.3 'double-encodes' the URI.
You can see that in your request too. Your secret my%2Dsecret gets encoded to my%252Dsecret.
So the vault encodes the % to %25.

TaopaiC commented Sep 23, 2024

> @TaopaiC we have a similar problem with v1.17.3. Our problem seems to be that v1.17.3 'double-encodes' the URI. You can see that in your request too. Your secret my%2Dsecret gets encoded to my%252Dsecret. So the vault encodes the % to %25.

@ochnerd We found that the issue occurred after upgrading to Go 1.22.5 in commit hashicorp/vault@68e9f39.

Two possible solutions are:

  1. Fix the redirect double encoding issue on the Vault server (Go).
  2. Modify the client to remove double slashes to prevent triggering the redirect behavior (which causes the double encoding issue).

This PR attempts to implement solution 2.
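
The effect discussed in this thread, as an added Ruby example that is not part of the PR or of vault-ruby: it collapses repeated slashes before the request is sent and compares which key each redirect target from the description resolves to. All helper names are hypothetical, and it assumes the server removes one layer of percent-encoding per request.

```ruby
# Added illustration; helper names are hypothetical, not vault-ruby's API.

API_PREFIX = "/v1/"

# Join prefix and secret path, collapsing any run of slashes into one so the
# request never contains an empty path segment (which triggers the 301).
def join_request_path(prefix, path)
  "#{prefix}/#{path}".gsub(%r{/{2,}}, "/")
end

# True when the path contains an empty segment such as "/v1//cubbyhole".
def empty_segment?(path)
  path.include?("//")
end

# Remove exactly one layer of percent-encoding (assumed server behaviour).
def decode_once(path)
  path.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
end

# True when a percent sign has itself been encoded, e.g. "%252D".
def double_encoded?(path)
  path.match?(/%25[0-9A-Fa-f]{2}/)
end

# Values quoted in the PR description above.
SENT         = "/v1//cubbyhole/my%2Dsecret"
REDIRECT_OLD = "/v1/cubbyhole/my-secret"      # redirect target before the change
REDIRECT_NEW = "/v1/cubbyhole/my%252Dsecret"  # redirect target after the change

# Key each follow-up request resolves to after one decoding pass.
def resolved_keys
  fixed = join_request_path(API_PREFIX, "/cubbyhole/my%2Dsecret")
  {
    old_redirect: decode_once(REDIRECT_OLD),
    new_redirect: decode_once(REDIRECT_NEW),
    fixed_client: decode_once(fixed),
  }
end

if __FILE__ == $PROGRAM_NAME
  resolved_keys.each { |name, key| puts "#{name}: #{key}" }
end
```

Only the double-encoded redirect target resolves to a different key (`my%2Dsecret` instead of `my-secret`); the normalised request never reaches the redirect path at all.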
