feat(external-migrations): vault migrations #4211

Open: wants to merge 4 commits into base: main

Conversation

DanielHougaard (Member)

Description 📣

Added a new vault migration option. This allows users to migrate from Vault self-hosted/dedicated to Infisical. Currently the migration only supports Vault Key Vault (KV) V2. But we can extend it as we please in the future.

Type ✨

  • Bug fix
  • New feature
  • Improvement
  • Breaking change
  • Documentation

@DanielHougaard DanielHougaard self-assigned this Jul 21, 2025
maidul98 (Collaborator) commented Jul 21, 2025

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found. (View Details)

@DanielHougaard DanielHougaard requested a review from akhilmhdh July 21, 2025 21:56
greptile-apps bot (Contributor) left a comment

Greptile Summary

This PR adds functionality to migrate secrets from HashiCorp Vault (KV V2) to Infisical. The implementation allows users to transfer their secrets from self-hosted or dedicated Vault instances while preserving their hierarchical structure. The changes span both frontend and backend:

  • Frontend changes add a new Vault platform option in the import selection modal with a dedicated form for Vault credentials
  • Backend implements the migration logic with support for two mapping types: namespace-based and key-vault based
  • The implementation follows existing patterns used for EnvKey migrations, using a queue-based system for processing
  • Data transformation handles the conversion between Vault's structure and Infisical's project/environment/folder hierarchy

Confidence score: 2/5

  1. This PR has significant security implications and needs careful review before merging
  2. Score reflects multiple security concerns in error handling and input validation
  3. The following files need particular attention:
    • frontend/src/hooks/api/migration/mutations.tsx (error handling issues)
    • backend/src/services/external-migration/external-migration-fns/vault.ts (URL construction)
    • backend/src/server/routes/v3/external-migration-router.ts (rate limiting configuration)

Security Concerns:

  1. The mutations.tsx file has poor error handling that swallows errors and only logs them
  2. User-controlled input (vaultUrl) is used to construct API calls without proper URL validation
  3. Sensitive information (vault tokens) may be exposed in logs
  4. Rate limiting configuration needs review to prevent DoS attacks
  5. Need to ensure proper sanitization of imported secret values
13 files reviewed, 13 comments

Comment on lines +116 to +122
const request = axios.create({
  baseURL: baseUrl,
  headers: {
    "X-Vault-Namespace": namespace,
    "X-Vault-Token": accessToken
  }
});
Contributor

logic: Validate the baseUrl before creating axios instance - potential SSRF vulnerability if not validated
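
The validation asked for in the comment above, as an added example that is not part of this PR or of Infisical's code: a hypothetical `validateVaultBaseUrl` helper that checks a user-supplied Vault URL before it becomes an axios `baseURL`. It accepts only https, rejects embedded credentials, query strings and fragments, and refuses literal loopback, link-local, RFC 1918 and IPv4-mapped addresses; the blocked-host set and the returned shape are assumptions.

```typescript
// Hypothetical helper (not part of the PR): validate a user-supplied Vault URL
// before it is used as an axios baseURL, to reduce SSRF exposure.
type UrlCheck = { ok: true; baseUrl: string } | { ok: false; reason: string };

// Host names that must never be reached from the migration worker (assumed list).
const BLOCKED_HOSTS = new Set(["localhost", "metadata.google.internal"]);

// Loopback, unspecified, RFC 1918, link-local and CGNAT IPv4 literals.
function isInternalIpv4(ip: string): boolean {
  const [a, b] = ip.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127);
}

// Loopback, unspecified, link-local, ULA and IPv4-mapped IPv6 literals.
function isInternalIpv6(ip: string): boolean {
  const v = ip.toLowerCase();
  return v === "::" || v === "::1" || v.startsWith("fe80:") ||
    v.startsWith("fc") || v.startsWith("fd") || v.startsWith("::ffff:");
}

function validateVaultBaseUrl(raw: string): UrlCheck {
  let url: URL;
  try {
    url = new URL(raw);
  } catch (e) {
    return { ok: false, reason: "not a valid URL" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme must be https" };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  if (url.search || url.hash) return { ok: false, reason: "query or fragment not allowed" };
  // The WHATWG URL parser keeps IPv6 literals in brackets; strip them before classifying.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (BLOCKED_HOSTS.has(host)) return { ok: false, reason: "blocked host" };
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) && isInternalIpv4(host)) {
    return { ok: false, reason: "internal IPv4 address" };
  }
  if (host.includes(":") && isInternalIpv6(host)) {
    return { ok: false, reason: "internal IPv6 address" };
  }
  // Return only origin + path so no extra URL components reach the HTTP client.
  return { ok: true, baseUrl: url.origin + url.pathname.replace(/\/+$/, "") };
}
```

A literal check does not cover a hostname that later resolves to an internal address, so the resolved address should be checked at connect time as well, or outbound calls from the worker routed through an egress allowlist.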
