Spiegel von
https://github.com/dani-garcia/vaultwarden.git
synchronisiert 2025-01-31 10:08:56 +01:00
952992c85b
* Security fixes for admin and sendmail Because the Vaultwarden Admin Backend endpoints did not validated the Content-Type during a request, it was possible to update settings via CSRF. But, this was only possible if there was no `ADMIN_TOKEN` set at all. To make sure these environments are also safe I added the needed content-type checks at the functions. This could cause some users who have scripts which uses cURL for example to adjust there commands to provide the correct headers. By using a crafted favicon and having access to the Admin Backend an attacker could run custom commands on the host/container where Vaultwarden is running on. The main issue here is that we allowed the sendmail binary name/path to be changed. To mitigate this we removed this configuration item and only then `sendmail` binary as a name can be used. This could cause some issues where the `sendmail` binary is not in the `$PATH` and thus not able to be started. In these cases the admins should make sure `$PATH` is set correctly or create a custom shell script or symlink at a location which is in the `$PATH`. Added an extra security header and adjusted the CSP to be more strict by setting `default-src` to `none` and added the needed missing specific policies. Also created a general email validation function which does some more checking to catch invalid email address not found by the email_address crate. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix security issue with organizationId validation Because of a invalid check/validation of the OrganizationId which most of the time is located in the path but sometimes provided as a URL Parameter, the parameter overruled the path ID during the Guard checks. This resulted in someone being able to execute commands as an Admin or Owner of the OrganizationId fetched from the parameter, but the API endpoints then used the OrganizationId located in the path instead. This commit fixes the extraction of the OrganizationId in the Guard and also added some extra validations of this OrgId in several functions. Also added an extra `OrgMemberHeaders` which can be used to only allow access to organization endpoints which should only be accessible by members of that org. Signed-off-by: BlackDex <black.dex@gmail.com> * Update server version in config endpoint Updated the server version reported to the clients to `2025.1.0`. This should make Vaultwarden future proof for the newer clients released by Bitwarden. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix and adjust build workflow The build workflow had an issue with some `if` checks. For one they had two `$` signs, and it is not recommended to use `always()` since canceling a workflow does not cancel those calls. Using `!cancelled()` is the preferred way. Signed-off-by: BlackDex <black.dex@gmail.com> * Update crates Signed-off-by: BlackDex <black.dex@gmail.com> * Allow sendmail to be configurable This reverts a previous change which removed the sendmail to be configurable. We now set the config to be read-only, and omit all read-only values from being stored during a save action from the admin interface. Signed-off-by: BlackDex <black.dex@gmail.com> * Add more org_id checks Added more org_id checks at all functions which use the org_id in there path. Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
206 Zeilen
7,8 KiB
YAML
206 Zeilen
7,8 KiB
YAML
name: Build
|
|
|
|
on:
|
|
push:
|
|
paths:
|
|
- ".github/workflows/build.yml"
|
|
- "src/**"
|
|
- "migrations/**"
|
|
- "Cargo.*"
|
|
- "build.rs"
|
|
- "rust-toolchain.toml"
|
|
- "rustfmt.toml"
|
|
- "diesel.toml"
|
|
- "docker/Dockerfile.j2"
|
|
- "docker/DockerSettings.yaml"
|
|
pull_request:
|
|
paths:
|
|
- ".github/workflows/build.yml"
|
|
- "src/**"
|
|
- "migrations/**"
|
|
- "Cargo.*"
|
|
- "build.rs"
|
|
- "rust-toolchain.toml"
|
|
- "rustfmt.toml"
|
|
- "diesel.toml"
|
|
- "docker/Dockerfile.j2"
|
|
- "docker/DockerSettings.yaml"
|
|
|
|
jobs:
|
|
build:
|
|
# We use Ubuntu 22.04 here because this matches the library versions used within the Debian docker containers
|
|
runs-on: ubuntu-22.04
|
|
timeout-minutes: 120
|
|
# Make warnings errors, this is to prevent warnings slipping through.
|
|
# This is done globally to prevent rebuilds when the RUSTFLAGS env variable changes.
|
|
env:
|
|
RUSTFLAGS: "-D warnings"
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
channel:
|
|
- "rust-toolchain" # The version defined in rust-toolchain
|
|
- "msrv" # The supported MSRV
|
|
|
|
name: Build and Test ${{ matrix.channel }}
|
|
|
|
steps:
|
|
# Checkout the repo
|
|
- name: "Checkout"
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
|
|
# End Checkout the repo
|
|
|
|
|
|
# Install dependencies
|
|
- name: "Install dependencies Ubuntu"
|
|
run: sudo apt-get update && sudo apt-get install -y --no-install-recommends openssl build-essential libmariadb-dev-compat libpq-dev libssl-dev pkg-config
|
|
# End Install dependencies
|
|
|
|
|
|
# Determine rust-toolchain version
|
|
- name: Init Variables
|
|
id: toolchain
|
|
shell: bash
|
|
run: |
|
|
if [[ "${{ matrix.channel }}" == 'rust-toolchain' ]]; then
|
|
RUST_TOOLCHAIN="$(grep -oP 'channel.*"(\K.*?)(?=")' rust-toolchain.toml)"
|
|
elif [[ "${{ matrix.channel }}" == 'msrv' ]]; then
|
|
RUST_TOOLCHAIN="$(grep -oP 'rust-version.*"(\K.*?)(?=")' Cargo.toml)"
|
|
else
|
|
RUST_TOOLCHAIN="${{ matrix.channel }}"
|
|
fi
|
|
echo "RUST_TOOLCHAIN=${RUST_TOOLCHAIN}" | tee -a "${GITHUB_OUTPUT}"
|
|
# End Determine rust-toolchain version
|
|
|
|
|
|
# Only install the clippy and rustfmt components on the default rust-toolchain
|
|
- name: "Install rust-toolchain version"
|
|
uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 # master @ Dec 14, 2024, 5:49 AM GMT+1
|
|
if: ${{ matrix.channel == 'rust-toolchain' }}
|
|
with:
|
|
toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
|
|
components: clippy, rustfmt
|
|
# End Uses the rust-toolchain file to determine version
|
|
|
|
|
|
# Install the any other channel to be used for which we do not execute clippy and rustfmt
|
|
- name: "Install MSRV version"
|
|
uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 # master @ Dec 14, 2024, 5:49 AM GMT+1
|
|
if: ${{ matrix.channel != 'rust-toolchain' }}
|
|
with:
|
|
toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
|
|
# End Install the MSRV channel to be used
|
|
|
|
# Set the current matrix toolchain version as default
|
|
- name: "Set toolchain ${{steps.toolchain.outputs.RUST_TOOLCHAIN}} as default"
|
|
run: |
|
|
# Remove the rust-toolchain.toml
|
|
rm rust-toolchain.toml
|
|
# Set the default
|
|
rustup default ${{steps.toolchain.outputs.RUST_TOOLCHAIN}}
|
|
|
|
# Show environment
|
|
- name: "Show environment"
|
|
run: |
|
|
rustc -vV
|
|
cargo -vV
|
|
# End Show environment
|
|
|
|
# Enable Rust Caching
|
|
- name: Rust Caching
|
|
uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7
|
|
with:
|
|
# Use a custom prefix-key to force a fresh start. This is sometimes needed with bigger changes.
|
|
# Like changing the build host from Ubuntu 20.04 to 22.04 for example.
|
|
# Only update when really needed! Use a <year>.<month>[.<inc>] format.
|
|
prefix-key: "v2023.07-rust"
|
|
# End Enable Rust Caching
|
|
|
|
# Run cargo tests
|
|
# First test all features together, afterwards test them separately.
|
|
- name: "test features: sqlite,mysql,postgresql,enable_mimalloc,query_logger"
|
|
id: test_sqlite_mysql_postgresql_mimalloc_logger
|
|
if: ${{ !cancelled() }}
|
|
run: |
|
|
cargo test --features sqlite,mysql,postgresql,enable_mimalloc,query_logger
|
|
|
|
- name: "test features: sqlite,mysql,postgresql,enable_mimalloc"
|
|
id: test_sqlite_mysql_postgresql_mimalloc
|
|
if: ${{ !cancelled() }}
|
|
run: |
|
|
cargo test --features sqlite,mysql,postgresql,enable_mimalloc
|
|
|
|
- name: "test features: sqlite,mysql,postgresql"
|
|
id: test_sqlite_mysql_postgresql
|
|
if: ${{ !cancelled() }}
|
|
run: |
|
|
cargo test --features sqlite,mysql,postgresql
|
|
|
|
- name: "test features: sqlite"
|
|
id: test_sqlite
|
|
if: ${{ !cancelled() }}
|
|
run: |
|
|
cargo test --features sqlite
|
|
|
|
- name: "test features: mysql"
|
|
id: test_mysql
|
|
if: ${{ !cancelled() }}
|
|
run: |
|
|
cargo test --features mysql
|
|
|
|
- name: "test features: postgresql"
|
|
id: test_postgresql
|
|
if: ${{ !cancelled() }}
|
|
run: |
|
|
cargo test --features postgresql
|
|
# End Run cargo tests
|
|
|
|
|
|
# Run cargo clippy, and fail on warnings
|
|
- name: "clippy features: sqlite,mysql,postgresql,enable_mimalloc"
|
|
id: clippy
|
|
if: ${{ !cancelled() && matrix.channel == 'rust-toolchain' }}
|
|
run: |
|
|
cargo clippy --features sqlite,mysql,postgresql,enable_mimalloc -- -D warnings
|
|
# End Run cargo clippy
|
|
|
|
|
|
# Run cargo fmt (Only run on rust-toolchain defined version)
|
|
- name: "check formatting"
|
|
id: formatting
|
|
if: ${{ !cancelled() && matrix.channel == 'rust-toolchain' }}
|
|
run: |
|
|
cargo fmt --all -- --check
|
|
# End Run cargo fmt
|
|
|
|
|
|
# Check for any previous failures, if there are stop, else continue.
|
|
# This is useful so all test/clippy/fmt actions are done, and they can all be addressed
|
|
- name: "Some checks failed"
|
|
if: ${{ failure() }}
|
|
run: |
|
|
echo "### :x: Checks Failed!" >> $GITHUB_STEP_SUMMARY
|
|
echo "" >> $GITHUB_STEP_SUMMARY
|
|
echo "|Job|Status|" >> $GITHUB_STEP_SUMMARY
|
|
echo "|---|------|" >> $GITHUB_STEP_SUMMARY
|
|
echo "|test (sqlite,mysql,postgresql,enable_mimalloc,query_logger)|${{ steps.test_sqlite_mysql_postgresql_mimalloc_logger.outcome }}|" >> $GITHUB_STEP_SUMMARY
|
|
echo "|test (sqlite,mysql,postgresql,enable_mimalloc)|${{ steps.test_sqlite_mysql_postgresql_mimalloc.outcome }}|" >> $GITHUB_STEP_SUMMARY
|
|
echo "|test (sqlite,mysql,postgresql)|${{ steps.test_sqlite_mysql_postgresql.outcome }}|" >> $GITHUB_STEP_SUMMARY
|
|
echo "|test (sqlite)|${{ steps.test_sqlite.outcome }}|" >> $GITHUB_STEP_SUMMARY
|
|
echo "|test (mysql)|${{ steps.test_mysql.outcome }}|" >> $GITHUB_STEP_SUMMARY
|
|
echo "|test (postgresql)|${{ steps.test_postgresql.outcome }}|" >> $GITHUB_STEP_SUMMARY
|
|
echo "|clippy (sqlite,mysql,postgresql,enable_mimalloc)|${{ steps.clippy.outcome }}|" >> $GITHUB_STEP_SUMMARY
|
|
echo "|fmt|${{ steps.formatting.outcome }}|" >> $GITHUB_STEP_SUMMARY
|
|
echo "" >> $GITHUB_STEP_SUMMARY
|
|
echo "Please check the failed jobs and fix where needed." >> $GITHUB_STEP_SUMMARY
|
|
echo "" >> $GITHUB_STEP_SUMMARY
|
|
exit 1
|
|
|
|
|
|
# Check for any previous failures, if there are stop, else continue.
|
|
# This is useful so all test/clippy/fmt actions are done, and they can all be addressed
|
|
- name: "All checks passed"
|
|
if: ${{ success() }}
|
|
run: |
|
|
echo "### :tada: Checks Passed!" >> $GITHUB_STEP_SUMMARY
|
|
echo "" >> $GITHUB_STEP_SUMMARY
|