"invalid memory address or nil pointer dereference" panic on malformed AppRole login

[mossblaser]

I have stumbled upon a way to trigger a panic using the /auth/approle/login API endpoint of Vault using a simple malformed request.

Describe the bug

In a request to /auth/approle/login, setting either the role_id or secret_id parameters to an object (i.e. {}) rather than a string triggers the issue. This results in the connection being closed to the client without a response being sent. On the server side, a log message beginning with the following (followed by a stack trace) is seen:

[INFO]  http: panic serving 127.0.0.1:34110: runtime error: invalid memory address or nil pointer dereference
<...stack trace...>

Full output with stack trace (click to expand)

2024-09-04T10:46:43.380Z [INFO]  http: panic serving 127.0.0.1:58506: runtime error: invalid memory address or nil pointer dereference
goroutine 887 [running]:
net/http.(*conn).serve.func1()
        /opt/hostedtoolcache/go/1.22.4/x64/src/net/http/server.go:1898 +0xbe
panic({0x92b3d80?, 0x130a8170?})
        /opt/hostedtoolcache/go/1.22.4/x64/src/runtime/panic.go:770 +0x132
github.com/hashicorp/vault/vault.(*Core).aliasNameFromLoginRequest(0xc0029e9808, {0xcfc5b60, 0xc00484b080}, 0xc002b8ba40)
        /home/runner/work/vault/vault/vault/core.go:4295 +0x37a
github.com/hashicorp/vault/vault.(*Core).getLoginUserInfoKey(0x132b5590?, {0xcfc5b60?, 0xc00484b080?}, 0xc00411c3c0, 0xb2b229e?)
        /home/runner/work/vault/vault/vault/request_handling.go:2158 +0x29
github.com/hashicorp/vault/vault.(*Core).isUserLocked(0xc0029e9808, {0xcfc5b60, 0xc00484b080}, 0xc00411c3c0, 0x1?)
        /home/runner/work/vault/vault/vault/request_handling.go:2211 +0x3f
github.com/hashicorp/vault/vault.(*Core).handleLoginRequest(0xc0029e9808, {0xcfc5b60, 0xc00484b080}, 0xc002b8ba40)
        /home/runner/work/vault/vault/vault/request_handling.go:1528 +0xb54
github.com/hashicorp/vault/vault.(*Core).handleCancelableRequest(0xc0029e9808, {0xcfc5b60, 0xc00484b050}, 0xc002b8ba40)
        /home/runner/work/vault/vault/vault/request_handling.go:801 +0x15d4
github.com/hashicorp/vault/vault.(*Core).switchedLockHandleRequest(0xc0029e9808, {0xcfc5b60, 0xc00484abd0}, 0xc002b8ba40, 0x1)
        /home/runner/work/vault/vault/vault/request_handling.go:608 +0x791
github.com/hashicorp/vault/vault.(*Core).HandleRequest(...)
        /home/runner/work/vault/vault/vault/request_handling.go:549
github.com/hashicorp/vault/http.request(0xc0029e9808, {0xcfa9950, 0xc00484ab10}, 0xc003e0fb00, 0xc002b8ba40)
        /home/runner/work/vault/vault/http/handler.go:1016 +0x19c
github.com/hashicorp/vault/http.handler.handleLogical.handleLogicalInternal.func67({0xcfa9950, 0xc00484ab10}, 0xc003e0fb00)
        /home/runner/work/vault/vault/http/logical.go:386 +0x1d5
net/http.HandlerFunc.ServeHTTP(0xc0029e9808?, {0xcfa9950?, 0xc00484ab10?}, 0x7754b084c108?)
        /opt/hostedtoolcache/go/1.22.4/x64/src/net/http/server.go:2166 +0x29
github.com/hashicorp/vault/http.handler.handleRequestForwarding.func41({0xcfa9950, 0xc00484ab10}, 0xc003e0fb00)
        /home/runner/work/vault/vault/http/handler.go:925 +0x1e9
net/http.HandlerFunc.ServeHTTP(0xc003b67000?, {0xcfa9950?, 0xc00484ab10?}, 0x61dbe8?)
        /opt/hostedtoolcache/go/1.22.4/x64/src/net/http/server.go:2166 +0x29
net/http.(*ServeMux).ServeHTTP(0xc0048435c0?, {0xcfa9950, 0xc00484ab10}, 0xc003e0fb00)
        /opt/hostedtoolcache/go/1.22.4/x64/src/net/http/server.go:2683 +0x1ad
github.com/hashicorp/vault/http.handler.wrapHelpHandler.func53({0xcfa9950, 0xc00484ab10}, 0xc003e0fb00)
        /home/runner/work/vault/vault/http/help.go:28 +0xfd
net/http.HandlerFunc.ServeHTTP(0x1eb5c80?, {0xcfa9950?, 0xc00484ab10?}, 0xc003465450?)
        /opt/hostedtoolcache/go/1.22.4/x64/src/net/http/server.go:2166 +0x29
github.com/hashicorp/vault/http.handler.wrapCORSHandler.func54({0xcfa9950, 0xc00484ab10}, 0xc003e0fb00)
        /home/runner/work/vault/vault/http/cors.go:33 +0x389
net/http.HandlerFunc.ServeHTTP(0xc0029e9808?, {0xcfa9950?, 0xc00484ab10?}, 0xc003a29ec0?)
        /opt/hostedtoolcache/go/1.22.4/x64/src/net/http/server.go:2166 +0x29
github.com/hashicorp/vault/http.handler.rateLimitQuotaWrapping.func55({0xcfa9950, 0xc00484ab10}, 0xc003e0fb00)
        /home/runner/work/vault/vault/http/util.go:153 +0x9df
net/http.HandlerFunc.ServeHTTP(0xc1ae2c84d68e70f8?, {0xcfa9950?, 0xc00484ab10?}, 0xc002b45b50?)
        /opt/hostedtoolcache/go/1.22.4/x64/src/net/http/server.go:2166 +0x29
github.com/hashicorp/vault/http.wrapGenericHandler.func1({0xcfa84f8, 0xc0041221c0}, 0xc003e0f7a0)
        /home/runner/work/vault/vault/http/handler.go:508 +0xd2f
net/http.HandlerFunc.ServeHTTP(0xc003e0f680?, {0xcfa84f8?, 0xc0041221c0?}, 0xc0048432c0?)
        /opt/hostedtoolcache/go/1.22.4/x64/src/net/http/server.go:2166 +0x29
github.com/hashicorp/vault/http.handler.wrapMaxRequestSizeHandler.func56({0xcfa84f8, 0xc0041221c0}, 0xc003e0f680)
        /home/runner/work/vault/vault/http/util.go:42 +0x122
net/http.HandlerFunc.ServeHTTP(0x7754698b3d28?, {0xcfa84f8?, 0xc0041221c0?}, 0xc003e0f680?)
        /opt/hostedtoolcache/go/1.22.4/x64/src/net/http/server.go:2166 +0x29
github.com/hashicorp/vault/http.handler.WrapRequestPriorityHandler.func57({0xcfa84f8, 0xc0041221c0}, 0xc003e0f680)
        /home/runner/work/vault/vault/http/priority/priority.go:74 +0xb9
net/http.HandlerFunc.ServeHTTP(0xc0040d5fb5?, {0xcfa84f8?, 0xc0041221c0?}, 0x0?)
        /opt/hostedtoolcache/go/1.22.4/x64/src/net/http/server.go:2166 +0x29
github.com/hashicorp/vault/http.handler.PrintablePathCheckHandler.func58({0xcfa84f8, 0xc0041221c0}, 0xc003e0f680)
        /home/runner/go/pkg/mod/github.com/hashicorp/[email protected]/handlers.go:42 +0x8f
net/http.HandlerFunc.ServeHTTP(0x4122c5?, {0xcfa84f8?, 0xc0041221c0?}, 0xc004122101?)
        /opt/hostedtoolcache/go/1.22.4/x64/src/net/http/server.go:2166 +0x29
net/http.serverHandler.ServeHTTP({0xcf64b08?}, {0xcfa84f8?, 0xc0041221c0?}, 0x6?)
        /opt/hostedtoolcache/go/1.22.4/x64/src/net/http/server.go:3137 +0x8e
net/http.(*conn).serve(0xc002a83b90, {0xcfc5b60, 0xc004100390})
        /opt/hostedtoolcache/go/1.22.4/x64/src/net/http/server.go:2039 +0x5e8
created by net/http.(*Server).Serve in goroutine 828
        /opt/hostedtoolcache/go/1.22.4/x64/src/net/http/server.go:3285 +0x4b4

I have not observed any other side effects (e.g. the server remains up and responsive to further requests).

To Reproduce

Start up a vault instance, e.g.:

$ vault server -dev

Enable the AppRole auth method:

$ VAULT_ADDR="http://localhost:8200" VAULT_TOKEN="..." vault auth enable approle
Success! Enabled approle auth method at: approle/

Send a malformed request with either role_id or secret_id set to {}, for example:

$ curl \
    --request POST \
    --header "Content-Type: application/json" \
    --data '{"role_id": {}, "secret_id": ""}' \
    http://localhost:8200/v1/auth/approle/login
curl: (52) Empty reply from server

Observe connection closing before a response is received by the client. Also observe panic and stack trace (as shown above) in the Vault logs.

Expected behavior

I would expect some kind of 4xx error about a malformed request and no messages in the vault logs.

Environment:

• Vault v1.17.1 (b8ab595), built 2024-06-25T16:33:25Z
• Ubuntu 22.04.4 LTS, x86_64

Additional context
Since this causes a panic I initially reported this to the Hashicorp security address due to the hypothetical possibility of using this kind of error as the basis for an exploit. They were contented that this particular bug was not likely to have any potential security impact, hence this report being posted publicly here.