auth/aws: guard against malformed assumed role ARNs (#6917)

* auth/aws: guard against malformed assumed role ARNs * revert helper func changes
hashicorp · Jun 18, 2019 · 9422612 · 9422612
1 parent 70287b6
commit 9422612
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/builtin/credential/aws/path_login.go b/builtin/credential/aws/path_login.go
@@ -1404,6 +1404,10 @@ func parseIamArn(iamArn string) (*iamEntity, error) {
 	// now, entity.FriendlyName should either be <UserName> or <RoleName>
 	switch entity.Type {
 	case "assumed-role":
+		// Check for three parts for assumed role ARNs
+		if len(parts) < 3 {
+			return nil, fmt.Errorf("unrecognized arn: %q contains fewer than 3 slash-separated parts", fullParts[5])
+		}
 		// Assumed roles don't have paths and have a slightly different format
 		// parts[2] is <RoleSessionName>
 		entity.Path = ""

diff --git a/builtin/credential/aws/path_login_test.go b/builtin/credential/aws/path_login_test.go
@@ -114,6 +114,10 @@ func TestBackend_pathLogin_parseIamArn(t *testing.T) {
 	if err == nil {
 		t.Error("expected error from empty principal type and no principal name (arn:aws:iam::1234556789012:/)")
 	}
+	_, err = parseIamArn("arn:aws:sts::1234556789012:assumed-role/role")
+	if err == nil {
+		t.Error("expected error from malformed assumed role ARN")
+	}
 }
 
 func TestBackend_validateVaultHeaderValue(t *testing.T) {