Don't allow non-printable characters in the API client's token (#3841)

2025-11-01 19:17:58 +00:00 · 2018-01-24 19:57:49 -05:00
parent 5e0f673544
commit 460e8fc1ff
2 changed files with 35 additions and 0 deletions
--- a/api/client.go
+++ b/api/client.go
@@ -12,6 +12,7 @@ import (
 	"strings"
 	"sync"
 	"time"
+	"unicode"

 	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/go-cleanhttp"
@@ -530,8 +531,17 @@ func (c *Client) RawRequest(r *Request) (*Response, error) {
 	c.modifyLock.RLock()
 	c.config.modifyLock.RLock()
 	defer c.config.modifyLock.RUnlock()
+	token := c.token
 	c.modifyLock.RUnlock()

+	// Sanity check the token before potentially erroring from the API
+	idx := strings.IndexFunc(token, func(c rune) bool {
+		return !unicode.IsPrint(c)
+	})
+	if idx != -1 {
+		return nil, fmt.Errorf("Configured Vault token contains non-printable characters and cannot be used.")
+	}
+
 	redirectCount := 0
 START:
 	req, err := r.ToHTTP()