From 7532072d50bd030bb7fd3b900af571049ef5378b Mon Sep 17 00:00:00 2001 From: Stefan Melmuk Date: Tue, 11 Oct 2022 20:31:15 +0200 Subject: [PATCH 1/6] add check if data folder is a directory --- src/main.rs | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/main.rs b/src/main.rs index c877c01c..126674d1 100644 --- a/src/main.rs +++ b/src/main.rs @@ -303,6 +303,10 @@ async fn check_data_folder() { } exit(1); } + if !path.is_dir() { + error!("Data folder '{}' is not a directory.", data_folder); + exit(1); + } if is_running_in_docker() && std::env::var("I_REALLY_WANT_VOLATILE_STORAGE").is_err() From 2dd508691689d4f5a9c39f411837300666f4dfc7 Mon Sep 17 00:00:00 2001 From: Stefan Melmuk Date: Wed, 12 Oct 2022 01:07:12 +0200 Subject: [PATCH 2/6] more verbose permission denied error be a bit more verbose about why a file could not be created when it is caused by a permission denied error. --- src/util.rs | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/src/util.rs b/src/util.rs index bdbb564e..16c0fce5 100644 --- a/src/util.rs +++ b/src/util.rs @@ -1,7 +1,7 @@ // // Web Headers and caching // -use std::io::Cursor; +use std::io::{Cursor, ErrorKind}; use rocket::{ fairing::{Fairing, Info, Kind}, @@ -311,7 +311,16 @@ pub fn file_exists(path: &str) -> bool { pub fn write_file(path: &str, content: &[u8]) -> Result<(), crate::error::Error> { use std::io::Write; - let mut f = File::create(path)?; + let mut f = match File::create(path) { + Ok(file) => file, + Err(e) => { + if e.kind() == ErrorKind::PermissionDenied { + error!("Can't create '{}': Permission denied", path); + } + return Err(From::from(e)); + } + }; + f.write_all(content)?; f.flush()?; Ok(()) From 0f944ec7e242c502db5e2f0490ebc27805f39d71 Mon Sep 17 00:00:00 2001 From: Stefan Melmuk Date: Wed, 12 Oct 2022 20:15:45 +0200 Subject: [PATCH 3/6] fix link of license badge master branch has been renamed to main. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
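Review bot: `path.is_dir()` in the new branch also returns false when the metadata lookup itself fails (permission denied, dangling symlink), so an existing data folder that the process cannot stat is reported as "is not a directory", which points the operator at the wrong fix. Calling `std::fs::metadata` once and reporting the I/O error on its own keeps the message truthful without adding a second filesystem check; the rewrite below assumes `path` is a `Path`/`PathBuf`, which the hunk does not show. `check_data_folder` starts above the hunk and continues after it, and the check preceding the new one appears to be the existence check.
```rust
// … unchanged: existence check and exit(1) above …
match std::fs::metadata(&path) {
    Ok(meta) if meta.is_dir() => {}
    Ok(_) => {
        error!("Data folder '{}' is not a directory.", data_folder);
        exit(1);
    }
    Err(e) => {
        error!("Can't access data folder '{}': {}", data_folder, e);
        exit(1);
    }
}
// … unchanged: is_running_in_docker() / volatile storage check …
```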
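Review bot: the new `match` in `write_file` logs only `ErrorKind::PermissionDenied` and then returns the very same error, so the caller receives the identical `io::Error` it could already have inspected and will typically log it a second time, while every other failure kind (missing parent directory, read-only filesystem) stays silent, which makes the special case read as inconsistent rather than more verbose. If the extra log line is wanted, `map_err` followed by `?` says the same thing in half the lines and keeps the `From` conversion that `?` already performs; the stray blank `+` line inserted before `f.write_all` can go at the same time. Including the OS error text in the message (`error!("Can't create '{}': {}", path, e)`) would cover all kinds with a single branch, if that matches the intent.
```rust
pub fn write_file(path: &str, content: &[u8]) -> Result<(), crate::error::Error> {
    // … unchanged: use std::io::Write; …
    let mut f = File::create(path).map_err(|e| {
        if e.kind() == ErrorKind::PermissionDenied {
            error!("Can't create '{}': Permission denied", path);
        }
        e
    })?;
    // … unchanged: write_all / flush / Ok(()) …
```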
diff --git a/README.md b/README.md index 3e25e158..9591bbc9 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ [![Docker Pulls](https://img.shields.io/docker/pulls/vaultwarden/server.svg)](https://hub.docker.com/r/vaultwarden/server) [![Dependency Status](https://deps.rs/repo/github/dani-garcia/vaultwarden/status.svg)](https://deps.rs/repo/github/dani-garcia/vaultwarden) [![GitHub Release](https://img.shields.io/github/release/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/releases/latest) -[![GPL-3.0 Licensed](https://img.shields.io/github/license/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/blob/master/LICENSE.txt) +[![GPL-3.0 Licensed](https://img.shields.io/github/license/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/blob/main/LICENSE.txt) [![Matrix Chat](https://img.shields.io/matrix/vaultwarden:matrix.org.svg?logo=matrix)](https://matrix.to/#/#vaultwarden:matrix.org) Image is based on [Rust implementation of Bitwarden API](https://github.com/dani-garcia/vaultwarden). From 1e32db8c416c3c5853d5022c43a35830a1a8518b Mon Sep 17 00:00:00 2001 From: Jeremy Lin Date: Wed, 12 Oct 2022 00:17:09 -0700 Subject: [PATCH 4/6] Add `CreationDate` to cipher response JSON Upstream PR: https://github.com/bitwarden/server/pull/2142 --- src/db/models/cipher.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/src/db/models/cipher.rs b/src/db/models/cipher.rs index d5f78fbe..7464fdc1 100644 --- a/src/db/models/cipher.rs +++ b/src/db/models/cipher.rs 
@@ -160,6 +160,7 @@ impl Cipher {
 "Object": "cipherDetails",
 "Id": self.uuid,
 "Type": self.atype,
+ "CreationDate": format_date(&self.created_at),
 "RevisionDate": format_date(&self.updated_at),
 "DeletedDate": self.deleted_at.map_or(Value::Null, |d| Value::String(format_date(&d))),
 "FolderId": if let Some(cipher_sync_data) = cipher_sync_data { cipher_sync_data.cipher_folders.get(&self.uuid).map(|c| c.to_string() ) } else { self.get_folder_uuid(user_uuid, conn).await },
From 4283a49e0b96da5b9b6dcb2f93cb6c77c0d13c0e Mon Sep 17 00:00:00 2001
From: Jeremy Lin
Date: Tue, 11 Oct 2022 21:25:29 -0700
Subject: [PATCH 5/6] Reformat CSP header for readability
---
 src/util.rs | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/src/util.rs b/src/util.rs
index 16c0fce5..dabebd75 100644
--- a/src/util.rs
+++ b/src/util.rs
@@ -63,16 +63,30 @@ impl Fairing for AppHeaders {
 // app.simplelogin.io, app.anonaddy.com, api.fastmail.com
 let csp = format!(
 "default-src 'self'; \
+ object-src 'self' blob:; \
 script-src 'self'{script_src}; \
 style-src 'self' 'unsafe-inline'; \
- img-src 'self' data: https://haveibeenpwned.com/ https://www.gravatar.com {icon_service_csp}; \
 child-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
 frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
- connect-src 'self' https://api.pwnedpasswords.com/range/ https://2fa.directory/api/ https://app.simplelogin.io/api/ https://app.anonaddy.com/api/ https://api.fastmail.com/; \
- object-src 'self' blob:; \
- frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* {allowed_iframe_ancestors};",
- icon_service_csp=CONFIG._icon_service_csp(),
- allowed_iframe_ancestors=CONFIG.allowed_iframe_ancestors()
+ frame-ancestors 'self' \
+ chrome-extension://nngceckbapebfimnlniiiahkandclblb \
+ chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh \
+ moz-extension://* \
+ {allowed_iframe_ancestors}; \
+ img-src 'self' data: \
+ https://haveibeenpwned.com/ \
+ https://www.gravatar.com \
+ {icon_service_csp}; \
+ connect-src 'self' \
+ https://api.pwnedpasswords.com/range/ \
+ https://2fa.directory/api/ \
+ https://app.simplelogin.io/api/ \
+ https://app.anonaddy.com/api/ \
+ https://api.fastmail.com/ \
+ ;\
+ ",
+ icon_service_csp = CONFIG._icon_service_csp(),
+ allowed_iframe_ancestors = CONFIG.allowed_iframe_ancestors()
 );
 res.set_raw_header("Content-Security-Policy", csp);
 res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
From 46ec11de12c70222e814c9ea3f64d87fe0e5f680 Mon Sep 17 00:00:00 2001
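Review bot: after the reformat the correctness of the whole policy hinges on a single space before each `\` continuation, because Rust strips the newline and all leading whitespace of the following line; drop that space on one line (e.g. `https://app.anonaddy.com/api/\`) and two source expressions fuse into one bogus token with no compile error, silently narrowing `connect-src`. A comment above the literal would warn the next editor, e.g. `// NOTE: every continuation line must keep a trailing space before the backslash; Rust drops the newline and the next line's indentation`, and a unit test asserting the produced header text against a known-good one-line string would turn that class of slip into a failing build. The `{icon_service_csp}` and `{allowed_iframe_ancestors}` values are still interpolated unvalidated; they are operator configuration, so this is hardening rather than exposure, but a debug assertion that neither contains `;` would keep the directive structure as written here. The enclosing method of `impl Fairing for AppHeaders` starts before the hunk and appears to continue after it.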
From: Jeremy Lin
Date: Tue, 11 Oct 2022 21:27:15 -0700
Subject: [PATCH 6/6] Update CSP for DuckDuckGo email forwarding
Upstream PR: https://github.com/bitwarden/clients/pull/3630
---
 src/util.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/util.rs b/src/util.rs
index dabebd75..60e38fef 100644
--- a/src/util.rs
+++ b/src/util.rs
@@ -60,7 +60,7 @@ impl Fairing for AppHeaders {
 // Leaked Passwords check: api.pwnedpasswords.com
 // 2FA/MFA Site check: 2fa.directory
 // # Mail Relay: https://bitwarden.com/blog/add-privacy-and-security-using-email-aliases-with-bitwarden/
- // app.simplelogin.io, app.anonaddy.com, api.fastmail.com
+ // app.simplelogin.io, app.anonaddy.com, api.fastmail.com, quack.duckduckgo.com
 let csp = format!(
 "default-src 'self'; \
 object-src 'self' blob:; \
@@ -83,6 +83,7 @@ impl Fairing for AppHeaders {
 https://app.simplelogin.io/api/ \
 https://app.anonaddy.com/api/ \
 https://api.fastmail.com/ \
+ https://quack.duckduckgo.com/api/email/ \
 ;\
 ",
 icon_service_csp = CONFIG._icon_service_csp(),
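Review bot: the comment block updated in the first hunk lists bare hostnames while the directive entry added in the second is path-scoped to `/api/email/`, and nothing in the code says why that scope was chosen, so the next reader has to dig through history to audit the allow-list. Carrying the upstream reference from the commit message into the comment, e.g. `// app.simplelogin.io, app.anonaddy.com, api.fastmail.com, quack.duckduckgo.com (bitwarden/clients#3630)`, keeps that reasoning next to the policy. A CSP source expression whose path ends in `/` matches by prefix, so the entry permits every endpoint under `/api/email/`; that looks intended but is worth stating in the same comment. The enclosing method starts before the first hunk and appears to continue past the second.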