fix(core/http): fix AWS ALB cert decoding and nil error logging#31740
Closed
Abhishek00810 wants to merge 2 commits into
Closed
fix(core/http): fix AWS ALB cert decoding and nil error logging#31740Abhishek00810 wants to merge 2 commits into
Abhishek00810 wants to merge 2 commits into
Conversation
|
@Abhishek00810 is attempting to deploy a commit to the HashiCorp Team on Vercel. A member of the Team first needs to authorize it. |
Contributor
Author
|
@stevendpclark can you look into this, I think that can break in production if issue is valid, let me know what you think. |
Collaborator
Copy workflow completed!
|
Collaborator
Copy pull request failed!
|
Collaborator
|
Hi @Abhishek00810, thanks for the contribution and for the detailed explanation of the issue. I've merged it as part of a PR in the enterprise version of this repo, with some small changes. It will be available in not the upcoming release, but the one after. |
apurvagandhi
pushed a commit
to fidelity-contributions/hashicorp-vault
that referenced
this pull request
Jul 16, 2026
… logging into main into ce/main (hashicorp#16602) * Copy hashicorp#31740 into main * fix(core/http): use PathUnescape for AWS ALB client cert decoding (fixes hashicorp#31728) * fix(core/http): use PathUnescape for AWS ALB client cert decoding (fixes hashicorp#31728) * Fix the upstream contributor's test (cluster.Start doesn't exist on main anymore). * Instead of just switching to PathEscape, try both QueryEscape and PathEscape to maintain backwards compat. * Add support for using x-forwarded-for without configuring a TLS listener. --------- Co-authored-by: Abhishek Dadwal <dadwalabhishek10@gmail.com> Co-authored-by: ncabatoff <ncabatoff@hashicorp.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
What does this PR do?
This PR fixes a regression where client certificates forwarded by AWS ALB failed to parse due to incorrect URL decoding, and fixes a nil pointer error in the associated logging.
1. The Parsing Bug (AWS ALB)
X-Amzn-Mtls-Clientcertheader URL-encoded but leaves+characters unescaped (literal+). Vault was usingurl.QueryUnescape, which converts+to space, corrupting the Base64 payload (e.g.,abc+defbecomesabc def).url.PathUnescape. This correctly decodes percent-encoding while preserving literal+characters, matching AWS ALB behavior.2. The Logging Bug (Nil Error)
errwhenpem.Decodefailed. However, the signaturefunc Decode(data []byte) (p *Block, rest []byte)does not return an error.errwasnilin that scope, causing logs to printfailed to convert ...: %!w(<nil>).errors.New("pem decode failed")to provide a readable error message when the block is nil.Verification:
vault/http/forwarded_for_test.gothat manually constructs a certificate string with literal+characters to simulate AWS ALB.QueryUnescapeand passes withPathUnescape.Fixes #31728
TODO only if you're a HashiCorp employee
backport/label that matches the desired release branch.PCI review checklist