  1. Jan 25, 2025
      Org fixes (#5438) · 952992c8
      Mathijs van Veluw authored
      
      * Security fixes for admin and sendmail
      
      Because the Vaultwarden Admin Backend endpoints did not validate the Content-Type during a request, it was possible to update settings via CSRF. But, this was only possible if there was no `ADMIN_TOKEN` set at all. To make sure these environments are also safe I added the needed content-type checks at the functions.
      This could cause some users who have scripts which use cURL, for example, to adjust their commands to provide the correct headers.
      
      By using a crafted favicon and having access to the Admin Backend an attacker could run custom commands on the host/container where Vaultwarden is running. The main issue here is that we allowed the sendmail binary name/path to be changed. To mitigate this we removed this configuration item and only the `sendmail` binary name can be used.
      This could cause some issues where the `sendmail` binary is not in the `$PATH` and thus not able to be started. In these cases the admins should make sure `$PATH` is set correctly or create a custom shell script or symlink at a location which is in the `$PATH`.
      
      Added an extra security header and adjusted the CSP to be more strict by setting `default-src` to `none` and added the needed missing specific policies.
      
      Also created a general email validation function which does some more checking to catch invalid email addresses not found by the email_address crate.
      
      Signed-off-by: BlackDex <black.dex@gmail.com>
      
      * Fix security issue with organizationId validation
      
      Because of an invalid check/validation of the OrganizationId, which most of the time is located in the path but sometimes provided as a URL parameter, the parameter overruled the path ID during the Guard checks.
      This resulted in someone being able to execute commands as an Admin or Owner of the OrganizationId fetched from the parameter, but the API endpoints then used the OrganizationId located in the path instead.
      
      This commit fixes the extraction of the OrganizationId in the Guard and also adds some extra validations of this OrgId in several functions.
      
      Also added an extra `OrgMemberHeaders` which can be used to only allow access to organization endpoints which should only be accessible by members of that org.
      
      Signed-off-by: BlackDex <black.dex@gmail.com>
      
      * Update server version in config endpoint
      
      Updated the server version reported to the clients to `2025.1.0`.
      This should make Vaultwarden future proof for the newer clients released by Bitwarden.
      
      Signed-off-by: BlackDex <black.dex@gmail.com>
      
      * Fix and adjust build workflow
      
      The build workflow had an issue with some `if` checks.
      For one they had two `$` signs, and it is not recommended to use `always()` since canceling a workflow does not cancel those calls.
      Using `!cancelled()` is the preferred way.
      
      Signed-off-by: BlackDex <black.dex@gmail.com>
      
      * Update crates
      
      Signed-off-by: BlackDex <black.dex@gmail.com>
      
      * Allow sendmail to be configurable
      
      This reverts a previous change which removed the ability to configure sendmail.
      We now set the config to be read-only, and omit all read-only values from being stored during a save action from the admin interface.
      
      Signed-off-by: BlackDex <black.dex@gmail.com>
      
      * Add more org_id checks
      
      Added more org_id checks at all functions which use the org_id in their path.
      
      Signed-off-by: BlackDex <black.dex@gmail.com>
      
      ---------
      
      Signed-off-by: BlackDex <black.dex@gmail.com>
      952992c8
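The two request-hardening points in the commit above (the Content-Type check that blocks cross-site form POSTs to the admin backend, and the guard that must not let a query-parameter organization id overrule the one in the path) modelled as a stand-alone Rust example. This is added illustration, not Vaultwarden's own code: there is no Rocket here, the `Memberships` table, the user and org names, and the function names are all constructed for the example, and the "vulnerable" guard reproduces only the behaviour the commit message describes.

```rust
// Added example, not Vaultwarden's code. Models two checks from the commit
// message: a path-vs-query org id guard and a JSON Content-Type CSRF check.
use std::collections::HashMap;

/// Roles a user can hold inside an organization (constructed for the example).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Role {
    Owner,
    Admin,
    User,
}

/// Why the guard refused the request.
#[derive(Debug, PartialEq, Eq)]
pub enum GuardError {
    /// Path and query parameter name different organizations.
    OrgIdMismatch,
    /// Caller is not an admin/owner of the organization in the path.
    Forbidden,
}

/// Membership table: (user, org) -> role. Constructed sample data.
pub type Memberships = HashMap<(&'static str, &'static str), Role>;

pub fn sample_memberships() -> Memberships {
    let mut m = HashMap::new();
    // "mallory" owns org-b but is not a member of org-a at all.
    m.insert(("mallory", "org-b"), Role::Owner);
    m.insert(("alice", "org-a"), Role::Owner);
    m
}

fn is_admin_or_owner(m: &Memberships, user: &'static str, org: &'static str) -> bool {
    matches!(m.get(&(user, org)), Some(Role::Owner) | Some(Role::Admin))
}

/// The pattern the commit describes: the guard authorizes against the query
/// parameter org id when one is present, but the handler then acts on the
/// path id. Returns the org the handler would operate on if the guard passes.
pub fn vulnerable_admin_guard(
    m: &Memberships,
    user: &'static str,
    path_org: &'static str,
    query_org: Option<&'static str>,
) -> Result<&'static str, GuardError> {
    let checked_org = query_org.unwrap_or(path_org); // BUG: parameter overrules path
    if !is_admin_or_owner(m, user, checked_org) {
        return Err(GuardError::Forbidden);
    }
    Ok(path_org) // handler uses the path id regardless of what was checked
}

/// Hardened guard: the path id is authoritative, and a query id that
/// disagrees with it is rejected outright instead of being preferred.
pub fn hardened_admin_guard(
    m: &Memberships,
    user: &'static str,
    path_org: &'static str,
    query_org: Option<&'static str>,
) -> Result<&'static str, GuardError> {
    if let Some(q) = query_org {
        if q != path_org {
            return Err(GuardError::OrgIdMismatch);
        }
    }
    if !is_admin_or_owner(m, user, path_org) {
        return Err(GuardError::Forbidden);
    }
    Ok(path_org)
}

/// CSRF hardening for the admin backend: a cross-site HTML form can only
/// submit `application/x-www-form-urlencoded`, `multipart/form-data` or
/// `text/plain`. Requiring `application/json` turns a forged request into a
/// CORS-preflighted one, which the browser blocks without an explicit grant.
pub fn is_json_content_type(header: Option<&str>) -> bool {
    match header {
        Some(v) => {
            // Compare the media type only; ignore parameters such as charset.
            let media = v.split(';').next().unwrap_or("").trim();
            media.eq_ignore_ascii_case("application/json")
        }
        None => false,
    }
}

fn main() {
    let m = sample_memberships();
    // mallory tries to act on org-a while pointing the guard at org-b.
    println!("{:?}", vulnerable_admin_guard(&m, "mallory", "org-a", Some("org-b")));
    println!("{:?}", hardened_admin_guard(&m, "mallory", "org-a", Some("org-b")));
    println!("{}", is_json_content_type(Some("application/x-www-form-urlencoded")));
}
```

The vulnerable guard returns `Ok("org-a")` for mallory because it checked her role in `org-b`; the hardened guard refuses the same request with `OrgIdMismatch`, and refuses it with `Forbidden` when no query id is sent at all. The Content-Type check is deliberately strict about the media type but tolerant of parameters, so `application/json; charset=utf-8` from a cURL script still passes.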
  3. Jan 21, 2025
      Add manage role for collections and groups (#5386) · d1dee046
      Mathijs van Veluw authored
      
      * Add manage role for collections and groups
      
      This commit will add the manage role/column to collections and groups.
      We need this to allow users part of a collection either directly or via groups to be able to delete ciphers.
      Without this, they are only able to either edit or view them when using new clients, since these check the manage role.
      
      Still trying to keep it compatible with previous versions and able to revert to an older Vaultwarden version and the `access_all` feature of the older installations.
      In a future version we should really check and fix these rights and create some kind of migration step to also remove the `access_all` feature and convert that to a `manage` option.
      But this commit at least creates the base for this already.
      
      This should resolve #5367
      
      Signed-off-by: BlackDex <black.dex@gmail.com>
      
      * Fix an issue with access_all
      
      If owners or admins do not have the `access_all` flag set, in case they do not want to see all collections on the password manager view, they didn't see any collections at all anymore.
      
      This should fix that they are still able to view all the collections and have access to it.
      
      Signed-off-by: BlackDex <black.dex@gmail.com>
      
      ---------
      
      Signed-off-by: BlackDex <black.dex@gmail.com>
      d1dee046
  4. Jan 20, 2025
      improve admin invite (#5403) · ef2695de
      Stefan Melmuk authored
      * check for admin invite
      
      * refactor the invitation logic
      
      * cleanup check for undefined token
      
      * prevent wrong user from accepting invitation
      ef2695de
  23. Dec 05, 2024
      Update Rust and crates (#5248) · 71b3d3c8
      Mathijs van Veluw authored
      
      * Update Rust and crates
      
      - Updated Rust to v1.83.0
      - Updated MSRV to v1.82.0 (Needed for html5gum crate)
      - Updated icon fetching code to match new html5gum version
      - Updated workflows
      - Enabled edition 2024 clippy lints
        Nightly reports some clippy hints, but that would be too much to change in this PR i think.
      
      Signed-off-by: BlackDex <black.dex@gmail.com>
      
      * Some additional updates
      
      - Patch fern to allow syslog-7 feature
      - Fixed diesel logger which was broken because of the sqlite backup feature
        Refactored the sqlite backup because of this
      - Added a build workflow test to include the query_logger feature
      
      Signed-off-by: BlackDex <black.dex@gmail.com>
      
      * Also patch yubico-rs and latest updates
      
      Signed-off-by: BlackDex <black.dex@gmail.com>
      
      ---------
      
      Signed-off-by: BlackDex <black.dex@gmail.com>
      71b3d3c8
  25. Nov 20, 2024
      Fix editing members which have access-all rights (#5213) · 96813b13
      Mathijs van Veluw authored
      
      With web-vault v2024.6.2 and lower, if a user has access-all rights either as an org-member or via a group it shouldn't return individual collections.
      
      This probably needs to be changed with newer versions which do not support the `access-all` feature anymore and work with manage.
      But with the current version this should solve access right issues.
      
      Fixes #5212
      
      Signed-off-by: BlackDex <black.dex@gmail.com>
      96813b13
      Fix push not working (#5214) · b0b953f3
      Mathijs van Veluw authored
      
      The new native mobile clients seem to use PascalCase for the push payload.
      Also the date/time could cause issues.
      
      This PR fixes this by formatting the date/time correctly and using PascalCase for the payload keys.
      I now receive cipher updates and login-with-device requests again.
      
      Fixes #5182
      
      Signed-off-by: BlackDex <black.dex@gmail.com>
      b0b953f3
  26. Nov 17, 2024
      Fix Org Import duplicate collections (#5200) · cdfdc6ff
      Mathijs van Veluw authored
      
      This fixes an issue with collections being duplicated, the same as was an issue with folders.
      Also made some optimizations by using HashSet where possible and device the Vec/Hash capacity.
      And instead of passing objects only use the UUID which was the only value we needed.
      
      Also found an issue with importing a personal export via the Org import where folders are used.
      Since Orgs do not use folders we needed to clear those out, same as Bitwarden does.
      
      Fixes #5193
      
      Signed-off-by: BlackDex <black.dex@gmail.com>