Validate secret name in GetSecretVersion to prevent path traversal

Add isValidSecretName() check at the top of GetSecretVersion(), matching the existing validation in AddSecret(). Without this, crafted secret names containing path traversal sequences (e.g. '../../../etc/passwd') could be used to read files outside the vault directory. Add regression tests for both GetSecretVersion and GetSecret. Closes #13
2026-02-15 14:03:28 -08:00
parent 6ff00c696a
commit 3fd30bb9e6
2 changed files with 72 additions and 0 deletions
--- a/internal/vault/secrets.go
+++ b/internal/vault/secrets.go
@@ -319,6 +319,12 @@ func (v *Vault) GetSecretVersion(name string, version string) ([]byte, error) {
 		slog.String("version", version),
 	)

+	// Validate secret name to prevent path traversal
+	if !isValidSecretName(name) {
+		secret.Debug("Invalid secret name provided", "secret_name", name)
+		return nil, fmt.Errorf("invalid secret name '%s': must match pattern [a-z0-9.\\-_/]+", name)
+	}
+
 	// Get vault directory
 	vaultDir, err := v.GetDirectory()
 	if err != nil {