[BUG] salt-api server dies on bad /login request #62187
Comments
Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey.
There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar.
Hey, kind reminder: is it possible for someone to look into this report? On my setup salt-api gets stuck for all incoming requests, which could easily lead to DDoS :(
Description
Salt-master times out when doing salt-api /auth endpoint request without username or password fields but with eauth field present. Can lead to salt-api DDoS.
Setup
Really the most generic salt setup you can ever create, just enabled salt-api with external_auth (config below)
Steps to Reproduce the behavior
external_auth in master config
Example master config
Example curl
Salt-api stuck logs
Salt-master logs
Expected behavior
/login without password field)
Screenshots
If applicable, add screenshots to help explain your problem.
Versions Report
salt --versions-report
(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)
Additional context
Problem can be easily solved by placing a try block before format_call() func here: https://github.com/saltstack/salt/blob/master/salt/auth/__init__.py#L98-L101
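A minimal model of the fix proposed in the report, added here as an example; it is not Salt's code and not the reporter's. bind_call is a hypothetical stand-in for format_call(), assumed to raise when a required credential is absent, and the backend, key list and credentials are constructed.

```python
import inspect

VALID_KEYS = ("username", "password", "eauth", "token")

def pam_auth(username, password, **kwargs):
    """Constructed eauth backend: both credentials are required."""
    return username == "saltdev" and password == "constructed-secret"

BACKENDS = {"pam": pam_auth}  # constructed backend table

def bind_call(func, data):
    """Hypothetical stand-in for format_call(): map dict keys onto the
    backend's parameters and raise if a required one is missing."""
    params = inspect.signature(func).parameters
    missing = [name for name, p in params.items()
               if p.kind is p.POSITIONAL_OR_KEYWORD
               and p.default is p.empty and name not in data]
    if missing:
        raise TypeError("missing required argument(s): " + ", ".join(missing))
    return {name: data[name] for name in params if name in data}

def _lookup(backends, load):
    """Pick the backend named by eauth and drop keys auth never uses."""
    func = backends.get(load.get("eauth"))
    filtered = {k: v for k, v in load.items() if k in VALID_KEYS}
    return func, filtered

def auth_call_unguarded(backends, load):
    """Before: argument binding sits outside any try block, so a load with
    eauth but no username/password raises instead of failing auth."""
    func, filtered = _lookup(backends, load)
    if func is None:
        return False
    return bool(func(**bind_call(func, filtered)))

def auth_call_guarded(backends, load):
    """After: a malformed load is an ordinary authentication failure,
    which the API layer can answer like any other rejected login."""
    func, filtered = _lookup(backends, load)
    if func is None:
        return False
    try:
        kwargs = bind_call(func, filtered)
    except TypeError:
        return False
    return bool(func(**kwargs))
```

A regression test for the real fix would send the same shape of load (eauth present, credentials absent) and assert that the caller gets a prompt rejection rather than no answer.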