Get Token call to API, returns 403 rather than 404 if token not found #8428
Comments
I believe this is the intended functionality to avoid leaking information about the existence of a token.
If the point is to prevent leaking token existence, I'm not sure anything is accomplished when the return message is "ACL not found". Nor does a 403 make sense when the query has authorization to read/list tokens. And of course I can easily work around it by generating a list and doing the query in my own code against the returned list. It strikes me that the current behavior is security through obscurity and thereby provides merely the illusion of security. It also seems to me to be a security issue, since the absence of a token is being leaked by the message "ACL not found". Or am I missing something obvious (not unusual :-)?
We revisited this issue and agree that the current behavior is incorrect. The API should be returning a 404 when a request to lookup a nonexistent token is issued with a token that has The
Hi @blake, I'd like to work on this.
@gunadhya You're welcome to fix this. Feel free to submit a PR and we'll review. 🙂
Hi @dnephin, I'd like to work on this :)
Hi @blake.
Hi @blake. I just checked the code and it seems like this isn't an issue anymore, as the APIs have been fixed. In that case, can we close the issue so that it makes the issue board a little bit cleaner?
@sriramr98 Thanks for notifying, will close! If folks have further issues please open a new issue, as this issue is over three years old.
Overview of the Issue
If a call is made to get a token that does not exist, the Consul API returns a 403 (Forbidden) error rather than a 404 (Not Found) error.
Reproduction Steps
Steps to reproduce this issue, e.g.:
Consul info for both Client and Server
Operating system and Environment details
Consul running in a Docker container hosted by an LXD container.
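As an added example (not code from the Consul project or from any participant in this thread), a small stdlib-only Python client that calls the token-read endpoint `GET /v1/acl/token/<AccessorID>` with an `X-Consul-Token` header and classifies the response the way the discussion above distinguishes the cases: a 403 whose body says "ACL not found" still reveals that the token does not exist, so it is treated as "missing" rather than "denied"; a genuine denial and a 404 are handled separately. It also shows the workaround the reporter describes (list tokens via `GET /v1/acl/tokens`, then filter client-side). The "Permission denied" body text, the sample JSON, the base URL and the token values are assumptions constructed for this example; the live lookup is not exercised offline.

```python
"""Classify Consul ACL token-lookup responses and show the list-then-filter workaround.

Added example for the 403-vs-404 discussion; not Consul project code.
"""
import json
import urllib.error
import urllib.request

# "ACL not found" is the body quoted in the thread. "Permission denied" is an
# ASSUMPTION about the body Consul returns for a real authorization failure.
NOT_FOUND_MSG = "ACL not found"
PERMISSION_DENIED_MSG = "Permission denied"


def classify(status: int, body: str) -> str:
    """Map an HTTP status + body to 'found', 'missing', 'denied' or 'unexpected'.

    A 403 carrying "ACL not found" is classified as 'missing': the status code
    says Forbidden, but the body leaks that the token does not exist, which is
    the point raised in the thread. A 404 is the corrected behaviour.
    """
    text = body.strip().lower()
    if status == 200:
        return "found"
    if status == 404:
        return "missing"
    if status == 403:
        if NOT_FOUND_MSG.lower() in text:
            return "missing"  # existence leaked despite the Forbidden status
        return "denied"
    return "unexpected"


def lookup_token(base_url: str, accessor_id: str, auth_token: str, timeout: float = 5.0):
    """GET /v1/acl/token/<accessor_id> and return (status, body) without raising on 4xx."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/v1/acl/token/{accessor_id}",
        headers={"X-Consul-Token": auth_token},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def exists_via_list(token_list_body: str, accessor_id: str) -> bool:
    """Reporter's workaround: take the JSON array from GET /v1/acl/tokens and filter locally.

    Each element of the array is a token description carrying an "AccessorID" field.
    """
    tokens = json.loads(token_list_body)
    return any(t.get("AccessorID") == accessor_id for t in tokens)


# Constructed sample responses (not captured from a real Consul agent).
SAMPLE_RESPONSES = {
    "old_behaviour": (403, NOT_FOUND_MSG),
    "fixed_behaviour": (404, NOT_FOUND_MSG),
    "real_denial": (403, PERMISSION_DENIED_MSG),
    "present": (200, '{"AccessorID":"11111111-2222-3333-4444-555555555555"}'),
}

SAMPLE_LIST = json.dumps([
    {"AccessorID": "11111111-2222-3333-4444-555555555555", "Description": "constructed"},
    {"AccessorID": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "Description": "constructed"},
])


def classify_samples() -> dict:
    """Run classify() over the constructed responses; used by the stand-alone demo."""
    return {name: classify(status, body) for name, (status, body) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:>16}: {verdict}")
    print("workaround finds token:", exists_via_list(SAMPLE_LIST, "11111111-2222-3333-4444-555555555555"))
    print("workaround misses token:", exists_via_list(SAMPLE_LIST, "00000000-0000-0000-0000-000000000000"))
```

Against a live agent, `lookup_token("http://127.0.0.1:8500", accessor_id, management_token)` returns the raw `(status, body)` pair, and `classify` applied to it tells you which of the two behaviours the agent exhibits; a 403 that classifies as "missing" is exactly the leak the reporter objected to.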