
api: fix response body leak when rawRequestWithContext returns error#31901

Open
raman1236 wants to merge 2 commits intohashicorp:mainfrom
raman1236:fix/api-response-body-leak

Conversation

@raman1236

Description

Fix a resource leak in the Vault API client where HTTP response bodies are not closed when rawRequestWithContext returns both a non-nil response and a non-nil error.

Problem

Several API client methods check if err == nil before closing the response body:

    resp, err := c.c.rawRequestWithContext(ctx, r)
    if err == nil {
        defer resp.Body.Close()
    }
    return err

However, rawRequestWithContext can return a non-nil response along with a non-nil error (e.g., for non-2xx HTTP status codes, redirect errors, etc.). When this happens, the response body is never closed, causing a resource leak that can gradually exhaust system resources.

Fix

Changed the check from if err == nil to if resp != nil:

    resp, err := c.c.rawRequestWithContext(ctx, r)
    if resp != nil {
        defer resp.Body.Close()
    }
    return err

This matches the pattern already used within rawRequestWithContext itself (client.go lines 1522-1524) and ensures the response body is always properly closed regardless of whether an error is returned.

Affected Methods (11 files, 23 instances)

  • sys_audit.go: DisableAuditWithContext
  • sys_auth.go: DisableAuthWithContext
  • sys_config_cors.go: ConfigureCORSWithContext, DisableCORSWithContext
  • sys_generate_root.go: generateRootCancelCommonWithContext
  • sys_leases.go: RevokeWithContext, RevokePrefixWithContext, RevokeForceWithContext, RevokeWithOptionsWithContext
  • sys_mounts.go: UnmountWithContext, TuneMountAllowNilWithContext
  • sys_plugins.go: RegisterPluginWithContext, DeregisterPluginWithContext
  • sys_plugins_runtimes.go: RegisterPluginRuntime, DeregisterPluginRuntime
  • sys_policy.go: DeletePolicyWithContext
  • sys_rekey.go: RekeyCancelWithContextWithNonce, RekeyRecoveryKeyCancelWithContextWithNonce, RekeyVerificationCancelWithContext, RekeyRecoveryKeyVerificationCancelWithContext, RekeyDeleteBackupWithContext, RekeyDeleteRecoveryBackupWithContext
  • sys_rotate.go: RotateWithContext

rawRequestWithContext can return both a non-nil response and a non-nil
error (e.g., for non-2xx status codes or redirect errors). In several
API client methods, the response body was only closed when err was nil:

    if err == nil {
        defer resp.Body.Close()
    }

This means when an error occurs with a valid response, the body is
never closed, causing a resource leak. The fix changes the check to:

    if resp != nil {
        defer resp.Body.Close()
    }

This ensures the response body is always properly closed regardless
of whether an error is returned, matching the pattern already used
in rawRequestWithContext itself and other API methods.
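The two patterns side by side, as an added, self-contained example (not code from the PR or from the Vault repository). It uses a fake `http.RoundTripper` that always answers with a chosen status code and a body that counts `Close` calls, plus a hypothetical `rawRequest` stand-in that, like the `rawRequestWithContext` behaviour described above, returns both a non-nil response and a non-nil error on a non-2xx status. `leakyDelete` is the pre-fix `err == nil` check and `fixedDelete` is the `resp != nil` check; `bodyClosedAfter` reports whether the body was closed. The URL and the `{"errors":["simulated"]}` body are constructed sample values.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"strings"
	"sync/atomic"
)

// countingBody wraps a response body and counts Close calls so a caller can
// observe whether a client code path closed it. Constructed for this example.
type countingBody struct {
	io.Reader
	closes *int32
}

func (b *countingBody) Close() error {
	atomic.AddInt32(b.closes, 1)
	return nil
}

// fakeTransport stands in for the network: every request gets the configured
// status code and a body that must be closed by the caller.
type fakeTransport struct {
	status int
	closes *int32
}

func (t *fakeTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	return &http.Response{
		StatusCode: t.status,
		Status:     fmt.Sprintf("%d %s", t.status, http.StatusText(t.status)),
		Header:     make(http.Header),
		Body:       &countingBody{Reader: strings.NewReader(`{"errors":["simulated"]}`), closes: t.closes},
		Request:    req,
	}, nil
}

// rawRequest is a hypothetical stand-in for rawRequestWithContext: on a
// non-2xx status it returns BOTH the response and an error, so the caller
// still owns the body. This is the behaviour the PR description relies on.
func rawRequest(ctx context.Context, hc *http.Client, url string) (*http.Response, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodDelete, url, nil)
	if err != nil {
		return nil, err
	}
	resp, err := hc.Do(req)
	if err != nil {
		return resp, err
	}
	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
		return resp, fmt.Errorf("unexpected status: %s", resp.Status)
	}
	return resp, nil
}

// leakyDelete is the pre-fix pattern: the body is closed only when err == nil,
// so an error response leaves its body (and connection) open.
func leakyDelete(ctx context.Context, hc *http.Client, url string) error {
	resp, err := rawRequest(ctx, hc, url)
	if err == nil {
		defer resp.Body.Close()
	}
	return err
}

// fixedDelete is the post-fix pattern: close whenever a response exists,
// regardless of whether an error is also returned.
func fixedDelete(ctx context.Context, hc *http.Client, url string) error {
	resp, err := rawRequest(ctx, hc, url)
	if resp != nil {
		defer resp.Body.Close()
	}
	return err
}

// bodyClosedAfter runs call against a fake server answering with status and
// reports whether exactly one Close happened and what error the call returned.
func bodyClosedAfter(status int, call func(context.Context, *http.Client, string) error) (closed bool, err error) {
	var closes int32
	hc := &http.Client{Transport: &fakeTransport{status: status, closes: &closes}}
	err = call(context.Background(), hc, "http://vault.example/v1/sys/policy/demo") // constructed URL
	return atomic.LoadInt32(&closes) == 1, err
}

func main() {
	patterns := []struct {
		name string
		fn   func(context.Context, *http.Client, string) error
	}{{"leaky", leakyDelete}, {"fixed", fixedDelete}}
	for _, p := range patterns {
		for _, status := range []int{http.StatusNoContent, http.StatusForbidden} {
			closed, err := bodyClosedAfter(status, p.fn)
			fmt.Printf("%-5s status=%d bodyClosed=%v err=%v\n", p.name, status, closed, err)
		}
	}
}
```

Running it prints one line per pattern and status; the only combination with `bodyClosed=false` is the leaky pattern on the 403, which is exactly the case the PR fixes. The same harness can be pointed at any of the 23 affected methods by swapping in the real client and a transport that returns a non-2xx status.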
@raman1236 raman1236 requested a review from a team as a code owner April 6, 2026 17:35
@vercel

vercel bot commented Apr 6, 2026

@ramanvasi is attempting to deploy a commit to the HashiCorp Team on Vercel.

A member of the Team first needs to authorize it.

@dosubot dosubot bot added bug Used to indicate a potential bug core/api labels Apr 6, 2026
@hashicorp-cla-app

hashicorp-cla-app bot commented Apr 6, 2026

CLA assistant check
All committers have signed the CLA.

@hashicorp-cla-app

CLA assistant check

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes


1 out of 2 committers have signed the CLA.

  • ramanvasi
  • raman1236

Have you signed the CLA already but the status is still pending? Recheck it.

@heatherezell
Contributor

@raman1236 please ensure that any commits made with your email, etc., all line up with the same GitHub account information; otherwise the CLA bot gets confused.
