Bug: GetSecret/GetSecretVersion missing name validation allows path traversal #13

New Issue

Closed

opened 2026-02-15 23:01:48 +01:00 by clawbot · 0 comments

clawbot commented 2026-02-15 23:01:48 +01:00

Collaborator

Copy Link

Summary

AddSecret validates names via isValidSecretName(), but GetSecret and GetSecretVersion in internal/vault/secrets.go do not validate the name parameter before constructing filesystem paths.

Impact

An attacker (or malformed input) could pass ../../etc/passwd as a secret name. The / → % replacement would prevent literal directory traversal, but .. is not blocked. A name like ..%2F..%2Fetc%2Fpasswd after round-tripping could cause unexpected behavior. More practically, names with .. components that don't contain / (e.g. ..) would directly traverse.

Fix

Call isValidSecretName(name) at the top of GetSecretVersion (which GetSecret delegates to). Return an error for invalid names.

Location

internal/vault/secrets.go — GetSecretVersion() around line 10-40

## Summary `AddSecret` validates names via `isValidSecretName()`, but `GetSecret` and `GetSecretVersion` in `internal/vault/secrets.go` do **not** validate the `name` parameter before constructing filesystem paths. ## Impact An attacker (or malformed input) could pass `../../etc/passwd` as a secret name. The `/` → `%` replacement would prevent literal directory traversal, but `..` is not blocked. A name like `..%2F..%2Fetc%2Fpasswd` after round-tripping could cause unexpected behavior. More practically, names with `..` components that don't contain `/` (e.g. `..`) would directly traverse. ## Fix Call `isValidSecretName(name)` at the top of `GetSecretVersion` (which `GetSecret` delegates to). Return an error for invalid names. ## Location `internal/vault/secrets.go` — `GetSecretVersion()` around line 10-40

clawbot referenced a pull request that will close this issue 2026-02-15 23:03:53 +01:00

Validate secret name in GetSecretVersion to prevent path traversal (closes #13) #15

sneak closed this issue 2026-02-20 08:56:51 +01:00

sneak referenced this issue from a commit 2026-02-20 08:56:52 +01:00

Validate secret name in GetSecretVersion to prevent path traversal

sneak referenced this issue from a commit 2026-02-20 08:56:52 +01:00

Merge pull request 'Validate secret name in GetSecretVersion to prevent path traversal (closes #13)' (#15) from clawbot/secret:fix/issue-13 into main

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

ci/make-check

chore/remove-stale-files

fix-memory-security

No results found.

Labels

Clear labels   

merge-ready

  

merge-ready

  

needs-checks

  

needs-checks

  

needs-rebase

  

needs-rebase

  

needs-review

  

needs-review

  

needs-rework

  

needs-rework

No Label

merge-ready

merge-ready

needs-checks

needs-checks

needs-rebase

needs-rebase

needs-review

needs-review

needs-rework

needs-rework

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

1 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: sneak/secret#13

No description provided.