This commit introduces two main changes to the config loading logic to prevent infinite loops.

First, it adds loop detection for the source_profile chain. This prevents aws-vault from crashing when a profile has a circular dependency on another profile via source_profile.

Second, it removes the implicit inheritance of the default profile for all other profiles. This aligns aws-vault's behavior with the AWS CLI and prevents unexpected loops when the default profile has a source_profile set. This was causing a bug where aws-vault would fail to load a valid AWS config.

Author: xilu0

vault/config.go

@@ -274,13 +274,15 @@ type ConfigLoader struct {
 	ActiveProfile string
 
 	visitedProfiles []string
+	sourceChain     map[string]bool
 }
 
 func NewConfigLoader(baseConfig ProfileConfig, file *ConfigFile, activeProfile string) *ConfigLoader {
 	return &ConfigLoader{
 		BaseConfig:    baseConfig,
 		File:          file,
 		ActiveProfile: activeProfile,
+		sourceChain:   make(map[string]bool),
 	}
 }
 
@@ -405,11 +407,6 @@ func (cl *ConfigLoader) populateFromConfigFile(config *ProfileConfig, profileNam
 		if err != nil {
 			return err
 		}
-	} else if profileName != defaultSectionName {
-		err := cl.populateFromConfigFile(config, defaultSectionName)
-		if err != nil {
-			return err
-		}
 	}
 
 	// Ignore source_profile if it recursively refers to the profile
@@ -516,6 +513,14 @@ func (cl *ConfigLoader) hydrateSourceConfig(config *ProfileConfig) error {
 
 // GetProfileConfig loads the profile from the config file and environment variables into config
 func (cl *ConfigLoader) GetProfileConfig(profileName string) (*ProfileConfig, error) {
+	if cl.sourceChain[profileName] {
+		return nil, fmt.Errorf("Loop detected in source_profile chain for profile '%s'", profileName)
+	}
+	cl.sourceChain[profileName] = true
+	defer func() {
+		delete(cl.sourceChain, profileName)
+	}()
+
 	config := cl.BaseConfig
 	config.ProfileName = profileName
 	cl.populateFromEnv(&config)