
Vault Audit Logs include javascript as field name #10441

Closed
gabenp opened this issue Nov 24, 2020 · 4 comments
Labels
bug Used to indicate a potential bug core/audit ui

Comments

@gabenp

gabenp commented Nov 24, 2020

Describe the bug
Vault audit logs for sys/capabilities-self sometimes include an invalid JavaScript-based field name.

To Reproduce
Steps to reproduce the behavior:

  1. Login via the UI (we use Google OIDC)
  2. Open an auth configuration page (i.e. ui/vault/access/gcp/configuration)
  3. See audit log:
# grep 'sys/capabilities-self' /var/log/vault/audit.json | tail -1 | jq '.response'
{
  "mount_type": "system",
  "data": {
    "capabilities": [
      "hmac-sha256:deadbeef"
    ],
    "function(t){var a=t||{},s=[e[0]]\nreturn n.forEach(function(t,n){s.push(a[t],e[n+1])}),s.join(\"\")}": [
      "hmac-sha256:deadbeef"
    ]
  }
}

Expected behavior
Vault Audit logs do not include invalid JSON fields. This causes major headaches with ELK centralized logging infrastructure.

Environment:

  • Vault Server Version (retrieve with vault status): v1.5.4
  • Vault CLI Version (retrieve with vault version): v1.5.4
  • Server Operating System/Architecture: Ubuntu 18.04
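As an added defensive example (not code from the issue or from Vault), a Python scanner over JSONL audit records that flags response.data keys that do not look like Vault field names, such as the JavaScript source above, and renames them so a pipeline like the ELK setup mentioned can still ingest the record. The allow-list regex, the placeholder field names and the sample records are assumptions constructed for this example.

```python
import json
import re

# Constructed sample audit lines (not from a real system): a normal
# sys/capabilities-self response, then one carrying the key reported in this issue.
JS_KEY = ('function(t){var a=t||{},s=[e[0]]\nreturn n.forEach('
          'function(t,n){s.push(a[t],e[n+1])}),s.join("")}')
SAMPLE_LINES = [
    json.dumps({"type": "response", "request": {"path": "sys/capabilities-self"},
                "response": {"mount_type": "system",
                             "data": {"capabilities": ["hmac-sha256:deadbeef"]}}}),
    json.dumps({"type": "response", "request": {"path": "sys/capabilities-self"},
                "response": {"mount_type": "system",
                             "data": {"capabilities": ["hmac-sha256:deadbeef"],
                                      JS_KEY: ["hmac-sha256:deadbeef"]}}}),
]

# Assumed allow-list: Vault paths and field names are short runs of these characters.
# Braces, parentheses, quotes, whitespace and newlines (as in JS source) fail it.
VALID_KEY = re.compile(r'^[A-Za-z0-9_./:+*@~-]{1,256}$')

def suspicious_keys(entry):
    """Return response.data keys of one audit entry that do not look like Vault field names."""
    data = (entry.get("response") or {}).get("data") or {}
    return [k for k in data if not VALID_KEY.match(k)]

def scan_audit_log(lines):
    """Return (line_number, keys) for each JSONL record with suspicious keys; unparseable lines are reported too."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            findings.append((n, ["<unparseable line>"]))
            continue
        keys = suspicious_keys(entry)
        if keys:
            findings.append((n, keys))
    return findings

def sanitize_entry(entry):
    """Return a copy with suspicious response.data keys renamed to placeholders; original names are kept in a list."""
    entry = json.loads(json.dumps(entry))  # deep copy, leave the caller's dict untouched
    bad = suspicious_keys(entry)
    if bad:
        data = entry["response"]["data"]
        for i, key in enumerate(bad):
            data[f"invalid_field_{i}"] = data.pop(key)
        data["_invalid_field_names"] = bad
    return entry
```

Run `scan_audit_log` over a file's lines to find affected records, and `sanitize_entry` on each flagged record before shipping it to the log pipeline.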
@swayne275
Contributor

You mentioned this happens sometimes. Do you have any more data on what might make it happen or not happen? State, series of actions, etc? And thanks for pointing this out!

@gabenp
Author

gabenp commented Dec 1, 2020

When I was initially testing I was having a hard time reproducing consistently, but could make it happen by clicking around the auth configuration pages as mentioned.

I've looked further and now I notice that there is actually a request being made by the browser, copied as curl from Chrome DevTools:

curl 'https://some.vault.com/v1/sys/capabilities-self' \
  -H 'authority: some.vault.com' \
  -H 'pragma: no-cache' \
  -H 'cache-control: no-cache' \
  -H 'dnt: 1' \
  -H 'x-vault-token: blahblah' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_0_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.67 Safari/537.36' \
  -H 'content-type: application/json; charset=utf-8' \
  -H 'accept: */*' \
  -H 'origin: https://some.vault.com' \
  -H 'sec-fetch-site: same-origin' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-dest: empty' \
  -H 'referer: https://some.vault.com/ui/vault/access' \
  -H 'accept-language: en-US,en;q=0.9' \
  -H 'cookie: GCP_IAP_UID=blah' \
  --data-binary '{"paths":["function(t){var a=t||{},s=[e[0]]\nreturn n.forEach(function(t,n){s.push(a[t],e[n+1])}),s.join(\"\")}"]}' \
  --compressed

So it looks like this might actually be a bug with the frontend javascript itself perhaps?

@swayne275 swayne275 added ui bug Used to indicate a potential bug and removed waiting-for-response labels Jan 6, 2021
@mhoydis13

I'm also experiencing this issue. It's making logstash crash when it tries to parse the json message with a field name like that.

@hashishaw
Contributor

This should be fixed as of #14966 (versions 1.11.0, 1.10.1, 1.9.5, 1.8.10). Feel free to re-open if you see it come up again!
