A possible user disclosure when you invite an user into an organization which already has an account on the same instance.
This was because we always returned the user's name.
To prevent this, this PR only returns the user's name if the status is accepted or higher, else we will return null.
This is the same as Bitwarden does.
Resolves a reported issue.
Also resolved a new `nightly` reported clippy regarding a regex within a loop.
- Fixed collection management to be usable from the Password Manager UI
- Checked and brought in-to-sync with upstream several json responses
- Fixed a small issue with the `fields` response when it was empty
Signed-off-by: BlackDex <black.dex@gmail.com>
Ever since we changed to pass the full url as a template value handlebars now html-encodes this.
This causes issues with the plain/text mails, but it also could potentially cause issues with the text/html templates.
This PR encloses the template values inside triple braces `{{{ }}}` which prevents html-encoding.
Since the URL is generated via the `url` crate the values are percent-encoded anyway.
Fixes #5097
Signed-off-by: BlackDex <black.dex@gmail.com>
In an oversight i forgot to set the type to a hidden type if converting the int was not possible.
This fixes that.
Signed-off-by: BlackDex <black.dex@gmail.com>
It seems the iOS clients are not able to handle the `type` key within the `fields` array when they are of the type string.
All other clients seem to handle this just fine though.
This PR fixes this by validating it is a number, if this is not the case, try to convert the string to a number, or return the default of `1`.
`1` is used as this is the type `hidden` and should prevent accidental data disclosure.
Fixes #5069
Possibly Fixes #5016
Possibly Fixes #5002
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix `--version` from failing without config
Since we added the option to show the web-vault version also when running `--version` this causes the config to always be validated.
While this is not very bad in general, it could cause the command to quit during the config validation, and not show the version, but also errors.
This is probably not very useful for this specific command, unlike the `--backup` for example.
To fix this, and preventing the config from being validated, i added an AtomicBool to check if we need to validate the config on first load.
This prevents errors, and will just show the Vaultwarden version, and if possible the web-vault version too.
Fixes #5046
Signed-off-by: BlackDex <black.dex@gmail.com>
* Adjusted the code bsaed upon review
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix collections not editable by managers
Since a newer version of the web-vault we use manager were not able to create sub collections anymore.
This was because of some missing details in the response of some json objects.
This commit fixes this by using the `to_json_details` instead of the `to_json`
Fixes #5066
Fixes #5044
* Update crates and GitHub Actions
- Updated all the crates
- Updated all the GHA dependencies
- Configured the trivy workflow to only run on the main repo and not on forks
Also selected a random new scheduled date so it will not run at the same time as all other forks.
The two changes should help running this scan every day without failing, and also prevent the same for new or updated forks.
The `unix::signal` was also included during Windows compilations.
This of course will not work. Fix this by only including it for `unix` targets.
Also changed all other conditional compilation options to use `cfg(unix)` instead of `cfg(not(windows))`.
The latter may also include `wasm` for example, or any other future target family.
This way we will only match `unix`
Fixes #5052
* Add extra linting
Added extra linting for some code styles.
Also added the Rust Edition 2024 lints.
Closes #4974
Signed-off-by: BlackDex <black.dex@gmail.com>
* Adjusted according to comments
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* Avoid keyword collision with gen in Rust 2024
* Include new api/config setting to disable user registration, not yet used by clients
* Actually qualify CONFIG
It appears that some password histories have an encrypted value on the `lastUsedDate`
Instead of only checking if it is a string, also check if it is a valid RFC Date/Time String.
If not, set it also to epoch 0.
Signed-off-by: BlackDex <black.dex@gmail.com>
It seemed to have been possible to have `null` date values.
This PR fixes this by setting the epoch start date if either the date does not exists or is not a string.
This should solve sync issues with the new native mobile clients.
Fixes https://github.com/dani-garcia/vaultwarden/pull/4932#issuecomment-2357581292
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add a CLI feature to backup the SQLite DB
Many users request to add the sqlite3 binary to the container image.
This isn't really ideal as that might bring in other dependencies and will only bloat the image.
There main reason is to create a backup of the database.
While there already was a feature within the admin interface to do so (or by using the admin API call), this might not be easy.
This PR adds several ways to generate a backup.
1. By calling the Vaultwarden binary with the `backup` command like:
- `/vaultwarden backup`
- `docker exec -it vaultwarden /vaultwarden backup`
2. By sending the USR1 signal to the running process like:
- `kill -s USR1 $(pidof vaultwarden)
- `killall -s USR1 vaultwarden)
This should help users to more easily create backups of there SQLite database.
Also added the Web-Vault version number when using `-v/--version` to the output.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Spelling and small adjustments
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* Allow enforcing Single Org with pw reset policy
Bitwarden only allows the Reset Password policy to be set when the Single Org policy is enabled already.
This PR adds a check so that this can be enforced when a config option is enabled.
Since Vaultwarden encouraged to use multiple orgs when groups were not available yet we should not enable this by default now.
This might be something to do in the future.
When enabled, it will prevent the Reset Password policy to be enabled if the Single Org policy is not enabled.
It will also prevent the Single Org policy to be disabled if the Reset Password policy is enabled.
Fixes #4855
Signed-off-by: BlackDex <black.dex@gmail.com>
* Removed some extra if checks
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* Allow Org Master-Pw policy enforcement
We didn't returned the master password policy for the user.
If the `Require existing members to change their passwords` check was enabled this should trigger the login to show a change password dialog.
All the master password policies are merged into one during the login response and it will contain the max values and all `true` values which are set by all the different orgs if a user is an accepted member.
Fixes #4507
Signed-off-by: BlackDex <black.dex@gmail.com>
* Use .reduce instead of .fold
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
Fixed an issue with login with device for the new Bitwrden Beta clients.
They seem to not support ISO8601 milli date/time, only micro.
Also updated the device display names to match Upstream and added the
CLI devices which were missing.
Signed-off-by: BlackDex <black.dex@gmail.com>
Since the change to camelCase variables the error messages in the
Vaultwarden Admin were not shown correctly anymore.
This PR fixes this by changing the case of the json key's.
Also updated the save and delete of the config to provide a more
descriptive error instead of only `Io` or which ever other error might
occure.
Fixes #4834
The web-vault v2024.6.2 we use needs some extra information to allow
managers to actually be able to manage collections.
The v2024.6.2 web-vault has somewhat of a mixture of the newer roles and
older manager roles. To at least fix this for the web-vault we bundle
these changes will make the manager able to manage.
For future web-vaults we would need a lot more changes to be done to fix
this in a better way though.
Fixes #4844
The URL crate treats `https://domain.tld/path` differently then
`https://domain.tld/path/` the latter will make sure a `.join()` will
append the given path instead of using the base as a relative path.
Fixes #4858
- All users were able to request organizational details from any org,
even if they were not a member (anymore).
Now it will check if that user is a member of the org or not.
- The `/organization/<uuid>/keys` endpoint returned also the private keys.
This should not be the case. Also, according to the upstream server
code the endpoint changed, but the clients do not seem to use it.
I added it anyway just in case they will in the future.
- Also require a valid login before being able to retreve those org
keys. Upstream does not do this, but i see no reason why not.
Fixes: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39925
* Update crates, web-vault and fixes
- Updated crates
- Updated web-vault to v2024.6.2
This version is currently the latest version compatible with our API implementation.
For newer versions we need more code updates to make it compatible.
Thanks to @stefan0xC this version fixes #4628
- Added a small fix to prevent errors in the Vaultwarden and Client logs.
The v2024.6.2 web-vault calls an endpoint with invalid arguments.
If this happens we ignore the call and just return an Ok.
- Added the bulk-collection endpoint (Though not yet available in v2024.6.2)
Fixes #4628
* Prevent bulk remove collections to work
Currently there are no checks done during the actual upload of the file of a send item.
This PR adds several checks to make sure it only accepts the correct uploads.
This PR adds a config option to allow the note size to increase to 100_000, instead of the default 10_000.
Since this might cause issues with the clients (in the future), and will cause issues with importing into a Bitwarden server, i added warnings regarding this.
Closes #3168
* Add initial working Duo Universal Prompt support.
* Add db schema and models for Duo 2FA state storage
* store duo states in the database and validate during authentication
* cleanup & comments
* bump state/nonce length
* replace stray use of TimeDelta
* more cleanup
* bind Duo oauth flow to device id, drop redundant device type handling
* drop redundant alphanum string generation code
* error handling cleanup
* directly use JWT_VALIDITY_SECS constant instead of copying it to DuoClient instances
* remove redundant explicit returns, rustfmt
* rearrange constants, update comments, error message
* override charset on duo state column to ascii for mysql
* Reduce twofactor_duo_ctx state/nonce column size in postgres and maria
* Add fixes suggested by clippy
* rustfmt
* Update to use the make_http_request
* Don't handle OrganizationDuo
* move Duo API endpoint fmt strings out of macros and into format! calls
* Add missing indentation
Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com>
* remove redundant expiry check when purging Duo contexts
---------
Co-authored-by: BlackDex <black.dex@gmail.com>
Co-authored-by: Daniel García <dani-garcia@users.noreply.github.com>
* allow re-invitations of existing users
* auto-accept existing user if mail is disabled
Apply suggestions from code review
Co-authored-by: Mathijs van Veluw <black.dex@gmail.com>
---------
Co-authored-by: Mathijs van Veluw <black.dex@gmail.com>
* Fix for RSA Keys which are read only
Sometimes an RSA Key file could be read only.
We currently failed because we also wanted to write.
Added an extra check if the file exists already and is not 0 in size.
If it does already exists and is larger then 0, then open in read only
mode.
Fixes #4644
* Updated code to work atomically
- Changed the code to work atomically
- Also show the alert generated from `Io`
* Fix spelling
- Updated datatables
- Set Cookie Secure flag if the connection is https
- Prevent possible XSS via Organization Name
Converted all `innerHTML` and `innerText` to the Safe Sink version `textContent`
- Removed `jsesc` function as handlebars escapes all these chars already and more by default
- Add missing `Headers` parameter for some functions
This allowed any request from allowing these endpoints by not validating the user correctly.
- Changed the functions to retreive the emergency access record by
using the user uuid which calls the endpoint, instead of validating afterwards.
This is more secure and prevents the need of an if check.