Commit Graph

1653 Commits

Author SHA1 Message Date
Daniel García
e5ec245626
Protect namedfile against path traversal, rocket only does it for pathbuf 2021-07-15 19:15:55 +02:00
BlackDex
6ea95d1ede Updated attachment limit descriptions
The user and org attachment limit use `size` as wording while it should
have been `storage` since it isn't per attachment, but the sum of all attachments.

- Changed the wording in the config/env
- Changed the wording of the error messages.

Resolves #1818
2021-07-13 15:17:03 +02:00
Jeremy Lin
88bea44dd8 Prevent user enumeration via password hints
When `show_password_hint` is enabled but mail is not configured, the previous
implementation returned a differentiable response for non-existent email
addresses.

Even if mail is enabled, there is a timing side channel since mail is sent
synchronously. Add a randomized sleep to mitigate this somewhat.
2021-07-10 01:21:27 -07:00
Jeremy Lin
8ee5d51bd4 Disable show_password_hint by default
A setting that provides unauthenticated access to potentially sensitive data
shouldn't be enabled by default.
2021-07-10 01:20:37 -07:00
Kaito Udagawa
c640abbcd7
Update src/util.rs
Co-authored-by: William Desportes <williamdes@wdes.fr>
2021-07-08 02:55:58 +09:00
Kaito Udagawa
13598c098f Add links to browser extensions 2021-07-08 02:52:45 +09:00
Kaito Udagawa
a622b4d2fb Add Edge's frame-ancestors
Edge's frame-ancestors are required for Edge extension to do WebAuthn.
2021-07-08 01:19:52 +09:00
BlackDex
403f35b571 Added web-vault v2.21.x support + some misc fixes
- The new web-vault v2.21.0+ has support for Master Password Reset. For
this to work it generates a public/private key-pair which needs to be
stored in the database. Currently the Master Password Reset is not
fixed, but there are endpoints which are needed even if we do not
support this feature (yet). This PR fixes those endpoints, and stores
the keys already in the database.

- There was an issue when you want to do a key-rotate when you change
your password, it also called an Emergency Access endpoint, which we do
not yet support. Because this endpoint failed to reply correctly
produced some errors, and also prevent the user from being forced to
logout. This resolves #1826 by adding at least that endpoint.

Because of that extra endpoint check to Emergency Access is done using
an old user stamp, i also modified the stamp exception to allow multiple
rocket routes to be called, and added an expiration timestamp to it.

During these tests i stumbled upon an issue that after my key-change was
done, it triggered the websockets to try and reload my ciphers, because
they were updated. This shouldn't happen when rotating they keys, since
all access should be invalided. Now there will be no websocket
notification for this, which also prevents error toasts.

- Increased Send Size limit to 500MB (with a litle overhead)

As a side note, i tested these changes on both v2.20.4 and v2.21.1 web-vault versions, all keeps working.
2021-07-04 23:02:56 +02:00
Daniel García
3968bc8016
Merge pull request #1800 from BlackDex/pre-commit
Adding pre-commit config
2021-07-04 21:58:43 +02:00
Daniel García
ff66368cb6
Merge pull request #1830 from BlackDex/vaultwarden-logo
Storing the original Vaultwarden svg images
2021-07-04 21:58:29 +02:00
BlackDex
3fb419e704 Storing the original Vaultwarden svg images 2021-07-04 18:37:01 +02:00
Daniel García
832f838ddd
Merge pull request #1809 from BlackDex/fix-armv7
Fix armv7 alpine build.
2021-06-29 17:16:57 +02:00
BlackDex
18703bf195 Fix armv7 alpine build.
The `messense/rust-musl-cross` has removed OpenSSL in favor of the
vendored option. Enabled vendored openssl to resolve this.

Resolves #1807
2021-06-29 10:37:39 +02:00
BlackDex
ff8e88a5df Adding pre-commit config
There is a nice tool called pre-commit: https://pre-commit.com/
It can run actions prior to a commit to validate everything is working.
People can choose to enable this for them selfs, but it would be nice to have a base config by default.
2021-06-27 19:11:22 +02:00
Daniel García
72e1946ce5
Merge pull request #1799 from BlackDex/issue-1796
Fixes issue with multiple security keys.
2021-06-27 18:23:15 +02:00
BlackDex
ee391720aa Fixes issue with multiple security keys.
- Updated webauthn-rs commit hash to resolve #1796
2021-06-27 18:12:27 +02:00
Daniel García
e3a2dfffab
Formatting 2021-06-26 14:21:58 +02:00
Daniel García
8bf1278b1b
Update web vault and docker base images 2021-06-26 14:08:06 +02:00
Daniel García
00ce943ea5
Merge branch 'BlackDex-security-md' into main 2021-06-26 13:36:14 +02:00
Daniel García
b67eacdfde
Merge branch 'security-md' of https://github.com/BlackDex/vaultwarden into BlackDex-security-md 2021-06-26 13:36:05 +02:00
Daniel García
0dcea75764
Remove unused lifetime and double referencing 2021-06-26 13:35:09 +02:00
BlackDex
0c5532d8b5 Adding a SECURITY.md 2021-06-26 11:49:00 +02:00
Daniel García
46e0f3c43a
Load RSA keys as pem format directly, and using openssl crate, backported from async branch 2021-06-25 20:53:26 +02:00
Daniel García
2cd17fe7af
Add token with short expiration time to send url 2021-06-25 20:53:26 +02:00
Daniel García
f44b2611e6
Update rust toolchain and dependencies 2021-06-25 20:53:26 +02:00
Mathijs van Veluw
82fee0ede3
Merge pull request #1779 from jjlin/last-known-rev-warning
Avoid `Error parsing LastKnownRevisionDate` warning for mobile clients
2021-06-20 18:07:18 +02:00
Jeremy Lin
49579e4ce7 Avoid Error parsing LastKnownRevisionDate warning for mobile clients
When creating a new cipher, the mobile clients seem to set this field to an
invalid value, which causes a warning to be logged:

    Error parsing LastKnownRevisionDate '0001-01-01T00:00:00': premature end of input

Avoid this by dropping the `LastKnownRevisionDate` field on cipher creation.
2021-06-19 21:32:11 -07:00
Daniel García
9254cf9d9c
Fix clippy lints 2021-06-19 22:02:03 +02:00
Daniel García
ff0fee3690
Merge branch 'BlackDex-admin-changes' into main 2021-06-19 21:38:58 +02:00
Daniel García
0778bd4bd5
Merge branch 'admin-changes' of https://github.com/BlackDex/vaultwarden into BlackDex-admin-changes 2021-06-19 21:27:25 +02:00
Daniel García
0cd065d354
Update webauthn-rs crate to upstream version 2021-06-19 21:25:55 +02:00
BlackDex
8615736e84 Multiple Admin Interface fixes and some others.
Misc:
- Fixed hadolint workflow, new git cli needs some extra arguments.
- Add ignore paths to all specific on triggers.
- Updated hadolint version.
- Made SMTP_DEBUG read-only, since it can't be changed at runtime.

Admin:
- Migrated from Bootstrap v4 to v5
- Updated jquery to v3.6.0
- Updated Datatables
- Made Javascript strict
- Added a way to show which ENV Vars are overridden.
- Changed the way to provide data for handlebars.
- Fixed date/time check.
- Made support string use details and summary feature of markdown/github.
2021-06-19 19:22:19 +02:00
Daniel García
5772836be5
Fix admin page with handlebars 4 2021-06-16 22:57:28 +02:00
Daniel García
c380d9c379
Support for webauthn and u2f->webauthn migrations 2021-06-16 19:06:40 +02:00
Daniel García
cea7a30d82
Merge pull request #1761 from jjlin/deps
Update dependencies
2021-06-10 21:03:05 +02:00
Jeremy Lin
06cde29419 Update dependencies
Notably, update `diesel` to 1.4.7 and `libsqlite3-sys` to 0.22.2 to pick up
the fix for CVE-2021-20227 added in SQLite 3.34.1.
2021-06-09 01:44:29 -07:00
Daniel García
20f5988174
Merge pull request #1736 from jjlin/rocket-env-docs
Clarify Rocket env var defaults
2021-06-04 20:03:17 +02:00
Jeremy Lin
b491cfe0b0 Clarify Rocket env var defaults
Mention `ROCKET_WORKERS`, but remove `ROCKET_ENV` since most users
probably wouldn't use it.
2021-05-31 13:13:02 -07:00
Daniel García
fc513413ea
Merge pull request #1730 from jjlin/attachment-upload-v2
Add support for v2 attachment upload APIs
2021-05-30 22:27:52 +02:00
Jeremy Lin
3f7e4712cd Fix attachment size limit calculation for v2 uploads 2021-05-25 23:17:22 -07:00
Jeremy Lin
c2ef331df9 Rework file ID generation 2021-05-25 23:15:24 -07:00
Jeremy Lin
5fef7983f4 Clean up attachment error handling 2021-05-25 22:13:04 -07:00
Jeremy Lin
29ed82a359 Add support for v2 attachment upload APIs
Upstream PR: https://github.com/bitwarden/server/pull/1229
2021-05-25 04:14:51 -07:00
Daniel García
7d5186e40a
Merge pull request #1706 from jjlin/trash-auto-delete-env
Add `TRASH_AUTO_DELETE_DAYS` to .env.template
2021-05-17 17:21:34 +02:00
Daniel García
99270612ba
Merge pull request #1704 from jjlin/global-domains
Sync global_domains.json
2021-05-17 17:21:09 +02:00
Jeremy Lin
c7b5b6ee07 Add TRASH_AUTO_DELETE_DAYS to .env.template 2021-05-16 17:51:54 -07:00
Jeremy Lin
848d17ffb9 Sync global_domains.json to bitwarden/server@7857053 (Amazon) 2021-05-16 15:16:41 -07:00
Daniel García
47e8aa29e1
Merge pull request #1702 from BlackDex/icon-updates-plus
Updated icon fetching and crates.
2021-05-16 23:35:37 +02:00
BlackDex
f270f2ed65 Updated icon fetching and crates.
- Updated some crates
- Updated icon fetching code:
  + Use a cookie jar and set Max-Age to 2 minutes for all cookies
  + Locate the base href tag to fix some locations
  + Changed User-Agent (Helps on some sites to get HTML instead of JS)
  + Reduced HTML code limit from 512KB to 384KB
  + Allow some large icons higer-up in the sort
  + Allow GIF images
  + Ignore cookie_store and hyper::client debug messages
2021-05-16 15:29:13 +02:00
Daniel García
aba5b234af
Merge pull request #1700 from jjlin/fix-attachment-downloads
Fix attachment downloads
2021-05-16 14:11:21 +02:00