vault-import.sh: pipe-separator in ops_data/paths_to_write silently truncates secret values containing | #898

Closed
opened 2026-04-16 17:38:17 +00:00 by dev-bot · 0 comments

Flagged by AI reviewer in PR #889.

Problem

tools/vault-import.sh serializes each entry in ops_data as "${source_value}|${status}" (line 498). Extraction at lines 510-511 uses ${data%%|*} (first field) and ${data##*|} (last field). If source_value contains a literal |, ${data%%|*} truncates it to the first segment, silently writing a corrupted value to Vault.

The same separator is used in paths_to_write (line 519) to join multiple kv-pairs for a path. When IFS="|" splits the string back into an array (line 540), a value containing | is split across array elements, corrupting the write.

Failure mode

Any secret value with a pipe character (e.g. a generated password or composed token like abc|xyz) is silently truncated or misrouted on import. No error is emitted.

Fix

Replace the |-delimited string with a bash indexed array for accumulating per-path kv pairs, eliminating the need for a delimiter that conflicts with possible value characters.


Auto-created from AI review of PR #889

Affected files

  • tools/vault-import.sh — replace pipe-delimited string accumulation with bash indexed arrays (lines ~498–540)

Acceptance criteria

  • A secret value containing | (e.g. abc|xyz) is imported to Vault without truncation or corruption
  • No regression for values without |
  • shellcheck clean
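The two accumulation strategies side by side, as an added bash example that is not code from tools/vault-import.sh or the disinto project. It reproduces the pattern the issue describes (a "value|status" serialization split with `${data%%|*}` / `${data##*|}`, plus a "|"-joined paths_to_write re-split with `IFS="|"`) next to the indexed-array replacement, and replaces the Vault call with a function that prints what would be written. The names SAMPLE_*, do_vault_write, import_with_pipe_delimiter, import_with_arrays and written_value, the status filter, and the sample input are assumptions made for the illustration:

```bash
#!/usr/bin/env bash
# Added illustration, not code from tools/vault-import.sh. It reproduces the
# failing pattern the issue describes (value|status serialization plus a
# "|"-joined paths_to_write string) next to the array-based replacement.
# Assumed names: SAMPLE_*, do_vault_write, import_with_pipe_delimiter,
# import_with_arrays, written_value; the real script's variables and its
# Vault call are not reproduced here.
set -euo pipefail

# Constructed input: three parallel arrays standing in for ops_data.
# The second value deliberately contains a literal "|", as a generated
# password might.
SAMPLE_KEYS=(db_user db_pass)
SAMPLE_VALUES=("svc_account" "abc|xyz")
SAMPLE_STATUS=("ok" "ok")

# Stand-in for the Vault write: print "<path> <key>=<value>" per pair
# instead of calling `vault kv put`, so the result can be inspected.
do_vault_write() {
  local path="$1"; shift
  local kv
  for kv in "$@"; do
    printf '%s %s\n' "$path" "$kv"
  done
}

# BEFORE: each entry is serialized as "value|status" and split back with
# ${data%%|*} / ${data##*|}; the kv pairs are joined with "|" and re-split
# with IFS="|". "abc|xyz" loses everything after its first "|" in the first
# step, and would be split into two kv elements in the second if it survived.
import_with_pipe_delimiter() {
  local path="$1"
  local paths_to_write="" i data source_value status
  for ((i = 0; i < ${#SAMPLE_KEYS[@]}; i++)); do
    data="${SAMPLE_VALUES[$i]}|${SAMPLE_STATUS[$i]}"   # "abc|xyz|ok"
    source_value="${data%%|*}"                           # "abc" (truncated)
    status="${data##*|}"                                 # "ok"
    [[ "$status" == "ok" ]] || continue                  # assumed status filter
    paths_to_write+="${SAMPLE_KEYS[$i]}=${source_value}|"
  done
  local -a kv_pairs
  IFS="|" read -r -a kv_pairs <<< "${paths_to_write%|}"
  do_vault_write "$path" "${kv_pairs[@]}"
}

# AFTER: value and status stay in separate variables and the kv pairs go
# into an indexed array. No delimiter is ever written into, or parsed out
# of, a secret value, so "|" (or any other byte) round-trips intact.
import_with_arrays() {
  local path="$1"
  local i source_value status
  local -a kv_pairs=()
  for ((i = 0; i < ${#SAMPLE_KEYS[@]}; i++)); do
    source_value="${SAMPLE_VALUES[$i]}"
    status="${SAMPLE_STATUS[$i]}"
    [[ "$status" == "ok" ]] || continue
    kv_pairs+=("${SAMPLE_KEYS[$i]}=${source_value}")
  done
  do_vault_write "$path" "${kv_pairs[@]}"
}

# Check helper: the value that a given implementation ends up writing for
# one key (assumes keys and values contain no spaces, true for the sample).
written_value() {
  local impl="$1" key="$2" line
  "$impl" secret/app | while IFS= read -r line; do
    line="${line#* }"                 # drop the path
    if [[ "${line%%=*}" == "$key" ]]; then
      printf '%s\n' "${line#*=}"
    fi
  done
}

printf 'pipe-delimited: db_pass=%s\n' "$(written_value import_with_pipe_delimiter db_pass)"
printf 'indexed array:  db_pass=%s\n' "$(written_value import_with_arrays db_pass)"
```

The first line of output shows the truncated `abc`; the second shows `abc|xyz` intact. The array version also satisfies the "no regression" criterion because values without "|" take exactly the same path as before; the only thing removed is the delimiter round-trip.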
dev-bot added the tech-debt label 2026-04-16 17:38:17 +00:00
gardener-bot added the backlog label 2026-04-16 18:17:51 +00:00
dev-bot self-assigned this 2026-04-16 19:55:11 +00:00
dev-bot added in-progress and removed backlog labels 2026-04-16 19:55:12 +00:00
dev-bot removed their assignment 2026-04-16 20:17:48 +00:00
Reference: disinto-admin/disinto#898