Bug: GetSecret/GetSecretVersion missing name validation allows path traversal #13

Closed
opened 2026-02-15 23:01:48 +01:00 by clawbot · 0 comments
Collaborator

Summary

AddSecret validates names via isValidSecretName(), but GetSecret and GetSecretVersion in internal/vault/secrets.go do not validate the name parameter before constructing filesystem paths.

Impact

An attacker (or malformed input) could pass ../../etc/passwd as a secret name. The / → % replacement would prevent literal directory traversal, but .. is not blocked. A name like ..%2F..%2Fetc%2Fpasswd after round-tripping could cause unexpected behavior. More practically, names with .. components that don't contain / (e.g. ..) would directly traverse.

Fix

Call isValidSecretName(name) at the top of GetSecretVersion (which GetSecret delegates to). Return an error for invalid names.

Location

internal/vault/secrets.go: GetSecretVersion() around line 10-40

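The following is an added example, not code from the sneak/secret repository, showing the fix the issue asks for alongside the behaviour it describes. The Vault type, the on-disk layout (Dir/<name>/v<N>), the signatures of AddSecret, GetSecret and GetSecretVersion, and the exact rules inside isValidSecretName are all assumptions; the real validator in internal/vault/secrets.go is not shown on this page. unsafeSecretPath reproduces the reported bug (replace "/" with "%", never reject "..") so the escape is observable, and secretPath is the hardened path builder that validates first and then confirms the cleaned path is still under the vault directory.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Vault is a hypothetical stand-in for the project's vault type (assumed).
type Vault struct {
	Dir string // root directory; one subdirectory per secret (assumed layout)
}

// ErrInvalidSecretName is returned for names that must never reach the filesystem.
var ErrInvalidSecretName = errors.New("vault: invalid secret name")

// isValidSecretName is a conservative validator (assumed rules): it rejects empty
// and over-long names, the "." and ".." components, any path separator, and any
// character outside a small allow-list. Percent signs are rejected too, so an
// encoded traversal such as "..%2F..%2Fetc%2Fpasswd" never gets near a path.
func isValidSecretName(name string) bool {
	if name == "" || len(name) > 128 || name == "." || name == ".." {
		return false
	}
	if strings.ContainsAny(name, `/\`) {
		return false
	}
	for _, r := range name {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9':
		case r == '-', r == '_', r == '.':
		default:
			return false
		}
	}
	return true
}

// unsafeSecretPath reproduces the bug described in the issue: "/" is turned into
// "%" before the name is joined onto the vault directory, but ".." is not
// rejected, so filepath.Join happily resolves it into the parent directory.
func unsafeSecretPath(dir, name string, version int) string {
	escaped := strings.ReplaceAll(name, "/", "%")
	return filepath.Join(dir, escaped, fmt.Sprintf("v%d", version))
}

// secretPath is the hardened builder: validate the name first, then as defence
// in depth check that the cleaned path still lies inside Dir.
func (v *Vault) secretPath(name string, version int) (string, error) {
	if !isValidSecretName(name) {
		return "", ErrInvalidSecretName
	}
	p := filepath.Join(v.Dir, name, fmt.Sprintf("v%d", version))
	rel, err := filepath.Rel(v.Dir, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidSecretName
	}
	return p, nil
}

// AddSecret writes version 1 of a secret (assumed layout Dir/<name>/v1).
func (v *Vault) AddSecret(name string, value []byte) error {
	p, err := v.secretPath(name, 1)
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Dir(p), 0o700); err != nil {
		return err
	}
	return os.WriteFile(p, value, 0o600)
}

// GetSecretVersion validates the name before any path is built: the fix the
// issue asks for. GetSecret delegates here, so it is covered as well.
func (v *Vault) GetSecretVersion(name string, version int) ([]byte, error) {
	p, err := v.secretPath(name, version)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(p)
}

func (v *Vault) GetSecret(name string) ([]byte, error) {
	return v.GetSecretVersion(name, 1)
}

func main() {
	tmp, err := os.MkdirTemp("", "vault-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(tmp)
	v := &Vault{Dir: tmp}
	// Constructed sample secret, not real data.
	if err := v.AddSecret("api-key", []byte("s3cr3t")); err != nil {
		panic(err)
	}
	val, _ := v.GetSecret("api-key")
	fmt.Printf("api-key -> %q\n", val)
	for _, n := range []string{"..", "../../etc/passwd"} {
		_, err := v.GetSecret(n)
		fmt.Printf("%q -> %v (unchecked path would have been %s)\n", n, err, unsafeSecretPath(tmp, n, 1))
	}
}
```

The Rel check in secretPath is redundant once the validator is in place, but it costs nothing and catches a future regression in the allow-list before it reaches os.ReadFile; note that "..%..%etc%passwd" (the literal result of the "/" to "%" replacement) is a single harmless component, whereas a bare ".." is the case that actually escapes.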
sneak closed this issue 2026-02-20 08:56:51 +01:00

Reference: sneak/secret#13