From 072f2e24c206ebdaafacb17159fb8d73967eec3d Mon Sep 17 00:00:00 2001 From: BlackDex Date: Thu, 12 Jan 2023 09:45:52 +0100 Subject: [PATCH 1/5] Update Rust to v1.66.1 to patch CVE This PR sets Rust to v1.66.1 to fix a CVE. https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html https://blog.rust-lang.org/2023/01/10/Rust-1.66.1.html Also updated some packages while at it. --- Cargo.lock | 48 +++++++++++++++------------ docker/Dockerfile.j2 | 8 ++--- docker/amd64/Dockerfile.alpine | 2 +- docker/amd64/Dockerfile.buildx.alpine | 2 +- docker/arm64/Dockerfile.alpine | 2 +- docker/arm64/Dockerfile.buildx.alpine | 2 +- docker/armv6/Dockerfile.alpine | 2 +- docker/armv6/Dockerfile.buildx.alpine | 2 +- docker/armv7/Dockerfile.alpine | 2 +- docker/armv7/Dockerfile.buildx.alpine | 2 +- rust-toolchain | 2 +- 11 files changed, 40 insertions(+), 34 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 665367cf..21a4bf72 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -190,6 +190,12 @@ version = "0.20.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0ea22880d78093b0cbe17c89f64a7d457941e65759157ec6cb31a31d652b05e5" +[[package]] +name = "base64" +version = "0.21.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a4a4ddaa51a5bc52a6948f74c06d20aaaddb71924eab79b8c97a8c556e942d6a" + [[package]] name = "binascii" version = "0.1.4" @@ -261,7 +267,7 @@ dependencies = [ "cached_proc_macro", "cached_proc_macro_types", "futures", - "hashbrown 0.13.1", + "hashbrown 0.13.2", "instant", "lazy_static", "once_cell", @@ -1030,9 +1036,9 @@ checksum = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888" [[package]] name = "hashbrown" -version = "0.13.1" +version = "0.13.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "33ff8ae62cd3a9102e5637afc8452c55acf3844001bd5374e0b0bd7b6616c038" +checksum = "43a3c133739dddd0d2990f9a4bdf8eb4b21ef50e4851ca85ab661199821d510e" [[package]] name = "heck" 
@@ -1677,9 +1683,9 @@ dependencies = [ [[package]] name = "object" -version = "0.30.1" +version = "0.30.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8d864c91689fdc196779b98dba0aceac6118594c2df6ee5d943eb6a8df4d107a" +checksum = "2b8c786513eb403643f2a88c244c2aaa270ef2153f55094587d0c48a3cf22a83" dependencies = [ "memchr", ] @@ -1769,9 +1775,9 @@ dependencies = [ [[package]] name = "parking_lot_core" -version = "0.9.5" +version = "0.9.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7ff9f3fef3968a3ec5945535ed654cb38ff72d7495a25619e2247fb15a2ed9ba" +checksum = "ba1ef8814b5c993410bb3adfad7a5ed269563e4a2f90c41f5d85be7fb47133bf" dependencies = [ "cfg-if", "libc", @@ -1820,9 +1826,9 @@ dependencies = [ [[package]] name = "pem" -version = "1.1.0" +version = "1.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "03c64931a1a212348ec4f3b4362585eca7159d0d09cbdf4a7f74f02173596fd4" +checksum = "a8835c273a76a90455d7344889b0964598e3316e2a79ede8e36f16bdcf2228b8" dependencies = [ "base64 0.13.1", ] @@ -1835,9 +1841,9 @@ checksum = "478c572c3d73181ff3c2539045f6eb99e5491218eae919370993b890cdbdd98e" [[package]] name = "pest" -version = "2.5.2" +version = "2.5.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0f6e86fb9e7026527a0d46bc308b841d73170ef8f443e1807f6ef88526a816d4" +checksum = "4257b4a04d91f7e9e6290be5d3da4804dd5784fafde3a497d73eb2b4a158c30a" dependencies = [ "thiserror", "ucd-trie", @@ -1845,9 +1851,9 @@ dependencies = [ [[package]] name = "pest_derive" -version = "2.5.2" +version = "2.5.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "96504449aa860c8dcde14f9fba5c58dc6658688ca1fe363589d6327b8662c603" +checksum = "241cda393b0cdd65e62e07e12454f1f25d57017dcc514b1514cd3c4645e3a0a6" dependencies = [ "pest", "pest_generator", 
@@ -1855,9 +1861,9 @@ dependencies = [ [[package]] name = "pest_generator" -version = "2.5.2" +version = "2.5.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "798e0220d1111ae63d66cb66a5dcb3fc2d986d520b98e49e1852bfdb11d7c5e7" +checksum = "46b53634d8c8196302953c74d5352f33d0c512a9499bd2ce468fc9f4128fa27c" dependencies = [ "pest", "pest_meta", @@ -1868,13 +1874,13 @@ dependencies = [ [[package]] name = "pest_meta" -version = "2.5.2" +version = "2.5.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "984298b75898e30a843e278a9f2452c31e349a073a0ce6fd950a12a74464e065" +checksum = "0ef4f1332a8d4678b41966bb4cc1d0676880e84183a1ecc3f4b69f03e99c7a51" dependencies = [ "once_cell", "pest", - "sha1", + "sha2", ] [[package]] @@ -2380,11 +2386,11 @@ dependencies = [ [[package]] name = "rustls-pemfile" -version = "1.0.1" +version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0864aeff53f8c05aa08d86e5ef839d3dfcf07aeba2db32f12db0ef716e87bd55" +checksum = "d194b56d58803a43635bdc398cd17e383d6f71f9182b9a192c127ca42494a59b" dependencies = [ - "base64 0.13.1", + "base64 0.21.0", ] [[package]] diff --git a/docker/Dockerfile.j2 b/docker/Dockerfile.j2 index f0f4b2c9..ae823567 100644 --- a/docker/Dockerfile.j2 +++ b/docker/Dockerfile.j2 
@@ -6,19 +6,19 @@ {% set build_stage_base_image = "rust:1.66-bullseye" %} {% if "alpine" in target_file %} {% if "amd64" in target_file %} -{% set build_stage_base_image = "blackdex/rust-musl:x86_64-musl-stable-1.66.0" %} +{% set build_stage_base_image = "blackdex/rust-musl:x86_64-musl-stable-1.66.1" %} {% set runtime_stage_base_image = "alpine:3.17" %} {% set package_arch_target = "x86_64-unknown-linux-musl" %} {% elif "armv7" in target_file %} -{% set build_stage_base_image = "blackdex/rust-musl:armv7-musleabihf-stable-1.66.0" %} +{% set build_stage_base_image = "blackdex/rust-musl:armv7-musleabihf-stable-1.66.1" %} {% set runtime_stage_base_image = "balenalib/armv7hf-alpine:3.17" %} {% set package_arch_target = "armv7-unknown-linux-musleabihf" %} {% elif "armv6" in target_file %} -{% set build_stage_base_image = "blackdex/rust-musl:arm-musleabi-stable-1.66.0" %} +{% set build_stage_base_image = "blackdex/rust-musl:arm-musleabi-stable-1.66.1" %} {% set runtime_stage_base_image = "balenalib/rpi-alpine:3.17" %} {% set package_arch_target = "arm-unknown-linux-musleabi" %} {% elif "arm64" in target_file %} -{% set build_stage_base_image = "blackdex/rust-musl:aarch64-musl-stable-1.66.0" %} +{% set build_stage_base_image = "blackdex/rust-musl:aarch64-musl-stable-1.66.1" %} {% set runtime_stage_base_image = "balenalib/aarch64-alpine:3.17" %} {% set package_arch_target = "aarch64-unknown-linux-musl" %} {% endif %} diff --git a/docker/amd64/Dockerfile.alpine b/docker/amd64/Dockerfile.alpine index 07db4098..791f355f 100644 --- a/docker/amd64/Dockerfile.alpine +++ b/docker/amd64/Dockerfile.alpine @@ -27,7 +27,7 @@ FROM vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e as vault ########################## BUILD IMAGE ########################## -FROM blackdex/rust-musl:x86_64-musl-stable-1.66.0 as build +FROM blackdex/rust-musl:x86_64-musl-stable-1.66.1 as build 
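Review bot: The Debian build stage on the first line of the `docker/Dockerfile.j2` hunk still reads `{% set build_stage_base_image = "rust:1.66-bullseye" %}`, a floating minor tag, so whether those builds get the patched 1.66.1 toolchain depends on when the image was last pulled; only the four Alpine branches are bumped explicitly. The updated `rust-toolchain` file probably makes rustup select 1.66.1 inside that image anyway, but pinning the tag to `rust:1.66.1-bullseye` would make the CVE fix explicit and reproducible. The `blackdex/rust-musl:*-stable-1.66.1` build images here and in the generated Dockerfiles are also referenced by mutable tag, while the same Dockerfiles pin the `vaultwarden/web-vault` stage by `@sha256:` digest. Pinning the build images by digest as well would give the compiler toolchain the same integrity guarantee as the web-vault stage.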
diff --git a/docker/amd64/Dockerfile.buildx.alpine b/docker/amd64/Dockerfile.buildx.alpine index 8ee0bb1c..55cf0e57 100644 --- a/docker/amd64/Dockerfile.buildx.alpine +++ b/docker/amd64/Dockerfile.buildx.alpine @@ -27,7 +27,7 @@ FROM vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e as vault ########################## BUILD IMAGE ########################## -FROM blackdex/rust-musl:x86_64-musl-stable-1.66.0 as build +FROM blackdex/rust-musl:x86_64-musl-stable-1.66.1 as build diff --git a/docker/arm64/Dockerfile.alpine b/docker/arm64/Dockerfile.alpine index d6509ff5..cdf0b5ee 100644 --- a/docker/arm64/Dockerfile.alpine +++ b/docker/arm64/Dockerfile.alpine @@ -27,7 +27,7 @@ FROM vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e as vault ########################## BUILD IMAGE ########################## -FROM blackdex/rust-musl:aarch64-musl-stable-1.66.0 as build +FROM blackdex/rust-musl:aarch64-musl-stable-1.66.1 as build diff --git a/docker/arm64/Dockerfile.buildx.alpine b/docker/arm64/Dockerfile.buildx.alpine index b002cee9..cc1b8a06 100644 --- a/docker/arm64/Dockerfile.buildx.alpine +++ b/docker/arm64/Dockerfile.buildx.alpine @@ -27,7 +27,7 @@ FROM vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e as vault ########################## BUILD IMAGE ########################## -FROM blackdex/rust-musl:aarch64-musl-stable-1.66.0 as build +FROM blackdex/rust-musl:aarch64-musl-stable-1.66.1 as build diff --git a/docker/armv6/Dockerfile.alpine b/docker/armv6/Dockerfile.alpine index 5bc379c2..f2d2741e 100644 --- a/docker/armv6/Dockerfile.alpine +++ b/docker/armv6/Dockerfile.alpine 
@@ -27,7 +27,7 @@ FROM vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e as vault ########################## BUILD IMAGE ########################## -FROM blackdex/rust-musl:arm-musleabi-stable-1.66.0 as build +FROM blackdex/rust-musl:arm-musleabi-stable-1.66.1 as build diff --git a/docker/armv6/Dockerfile.buildx.alpine b/docker/armv6/Dockerfile.buildx.alpine index 7455205a..95781007 100644 --- a/docker/armv6/Dockerfile.buildx.alpine +++ b/docker/armv6/Dockerfile.buildx.alpine @@ -27,7 +27,7 @@ FROM vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e as vault ########################## BUILD IMAGE ########################## -FROM blackdex/rust-musl:arm-musleabi-stable-1.66.0 as build +FROM blackdex/rust-musl:arm-musleabi-stable-1.66.1 as build diff --git a/docker/armv7/Dockerfile.alpine b/docker/armv7/Dockerfile.alpine index ec26d0fe..b5e08689 100644 --- a/docker/armv7/Dockerfile.alpine +++ b/docker/armv7/Dockerfile.alpine @@ -27,7 +27,7 @@ FROM vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e as vault ########################## BUILD IMAGE ########################## -FROM blackdex/rust-musl:armv7-musleabihf-stable-1.66.0 as build +FROM blackdex/rust-musl:armv7-musleabihf-stable-1.66.1 as build diff --git a/docker/armv7/Dockerfile.buildx.alpine b/docker/armv7/Dockerfile.buildx.alpine index fcb8f8a1..cf3f16fb 100644 --- a/docker/armv7/Dockerfile.buildx.alpine +++ b/docker/armv7/Dockerfile.buildx.alpine @@ -27,7 +27,7 @@ FROM vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e as vault ########################## BUILD IMAGE ########################## -FROM blackdex/rust-musl:armv7-musleabihf-stable-1.66.0 as build +FROM blackdex/rust-musl:armv7-musleabihf-stable-1.66.1 as build diff --git a/rust-toolchain b/rust-toolchain index b6148bc0..0403bed1 100644 --- a/rust-toolchain +++ b/rust-toolchain 
@@ -1 +1 @@ -1.66.0 +1.66.1 From d122c10573f9533bda18d0b8783d7b9d13ffec50 Mon Sep 17 00:00:00 2001 From: Rychart Redwerkz Date: Tue, 10 Jan 2023 00:24:37 +0100 Subject: [PATCH 2/5] Use more modern meta tag for charset encoding --- src/static/templates/admin/base.hbs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/static/templates/admin/base.hbs b/src/static/templates/admin/base.hbs index e296b114..2fe1ee54 100644 --- a/src/static/templates/admin/base.hbs +++ b/src/static/templates/admin/base.hbs @@ -1,7 +1,7 @@ - + From 6fcf18ab5132a2e3c0ddb725f1e6fb3f3bb91c15 Mon Sep 17 00:00:00 2001 From: BlackDex Date: Mon, 9 Jan 2023 20:32:56 +0100 Subject: [PATCH 3/5] Fix remaning inline format --- src/config.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/config.rs b/src/config.rs index fa8bea66..f8990dc0 100644 --- a/src/config.rs +++ b/src/config.rs @@ -1222,7 +1222,7 @@ fn to_json<'reg, 'rc>( ) -> HelperResult { let param = h.param(0).ok_or_else(|| RenderError::new("Expected 1 parameter for \"to_json\""))?.value(); let json = serde_json::to_string(param) - .map_err(|e| RenderError::new(format!("Can't serialize parameter to JSON: {}", e)))?; + .map_err(|e| RenderError::new(format!("Can't serialize parameter to JSON: {e}")))?; out.write(&json)?; Ok(()) } From 6607faa390c7c76ccc9e74a7e532c37a7a303f1e Mon Sep 17 00:00:00 2001 From: GeekCorner <45696571+GeekCornerGH@users.noreply.github.com> Date: Tue, 10 Jan 2023 09:41:35 +0100 Subject: [PATCH 4/5] fix (2fa.directory): Allow api.2fa.directory, and remove 2fa.directory --- src/util.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/util.rs b/src/util.rs index 3297fad5..fe99e2d3 100644 --- a/src/util.rs +++ b/src/util.rs 
@@ -50,7 +50,7 @@ impl Fairing for AppHeaders { // Have I Been Pwned and Gravator to allow those calls to work. // # Connect src: // Leaked Passwords check: api.pwnedpasswords.com - // 2FA/MFA Site check: 2fa.directory + // 2FA/MFA Site check: api.2fa.directory // # Mail Relay: https://bitwarden.com/blog/add-privacy-and-security-using-email-aliases-with-bitwarden/ // app.simplelogin.io, app.anonaddy.com, api.fastmail.com, quack.duckduckgo.com let csp = format!( @@ -73,7 +73,7 @@ impl Fairing for AppHeaders { {icon_service_csp}; \ connect-src 'self' \ https://api.pwnedpasswords.com \ - https://2fa.directory \ + https://api.2fa.directory \ https://app.simplelogin.io/api/ \ https://app.anonaddy.com/api/ \ https://api.fastmail.com/ \ From 0cccdcab833b83ae432279cdfcad1709d885ac63 Mon Sep 17 00:00:00 2001 From: BlackDex Date: Wed, 11 Jan 2023 22:13:20 +0100 Subject: [PATCH 5/5] Add MFA icon to org member overview The Organization member overview supports showing an icon if the user has MFA enabled or not. This PR adds this feature. This is very useful if you want to enable force mfa for example. --- src/db/models/organization.rs | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/db/models/organization.rs b/src/db/models/organization.rs index a2ab75a7..331e1007 100644 --- a/src/db/models/organization.rs +++ b/src/db/models/organization.rs @@ -2,7 +2,7 @@ use num_traits::FromPrimitive; use serde_json::Value; use std::cmp::Ordering; -use super::{CollectionUser, GroupUser, OrgPolicy, OrgPolicyType, User}; +use super::{CollectionUser, GroupUser, OrgPolicy, OrgPolicyType, TwoFactor, User}; use crate::CONFIG; db_object! { @@ -365,6 +365,8 @@ impl UserOrganization { self.status }; + let twofactor_enabled = !TwoFactor::find_by_user(&user.uuid, conn).await.is_empty(); + json!({ "Id": self.uuid, "UserId": self.user_uuid, 
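Review bot: The new `connect-src` entry `https://api.2fa.directory` in the second `src/util.rs` hunk is allowed host-wide, while the neighbouring relay entries are narrowed to a path (`https://app.simplelogin.io/api/`, `https://app.anonaddy.com/api/`). If the web vault only fetches a fixed path on that host, the entry could carry that prefix too, e.g. `https://api.2fa.directory/<PATH_PREFIX>/` (placeholder), so the policy grants no more than the client needs. Removing `https://2fa.directory` in the same change means a web-vault build that still calls the old host would have that request blocked by the CSP. Presumably the bundled vault already uses the api host, but the comment in the first hunk could say so, for example `// 2FA/MFA Site check: api.2fa.directory (the old 2fa.directory host is no longer allowed)`. The `format!` call and the `Fairing` impl begin and end outside both hunks.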
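Review bot: `twofactor_enabled` in the `@@ -365,6 +365,8 @@` hunk of `src/db/models/organization.rs` is true whenever `TwoFactor::find_by_user` returns anything at all, and the hunk does not show whether that lookup excludes disabled entries or rows that are not a usable second factor. The commit description says admins will use this icon when enforcing MFA, so a false "enabled" is the unsafe direction. I would either filter on the provider's enabled state before `.is_empty()` or document the assumption with `// true if any TwoFactor row exists; find_by_user must exclude disabled/internal rows`. The lookup also takes `conn` and is awaited once per serialized member, so it presumably issues one query per row of the member list; a batched lookup in the caller would avoid that. The enclosing method begins and ends outside the hunk, and the value is emitted as `"TwoFactorEnabled"` in the following hunk.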
@@ -374,6 +376,7 @@ impl UserOrganization { "Status": status, "Type": self.atype, "AccessAll": self.access_all, + "TwoFactorEnabled": twofactor_enabled, "Object": "organizationUserUserDetails", })