Validate note sizes on key-rotation.

We also need to validate the note sizes on key-rotation. If we do not validate them before we store them, that could lead to a partial or total loss of the password vault. Validating these restrictions before actually processing them to store/replace the existing ciphers should prevent this. There was also a small bug when using web-sockets. The client which is triggering the password/key-rotation change should not be forced to logout via a web-socket request. That is something the client will handle it self. Refactored the logout notification to either send the device uuid or not on specific actions. Fixes #3152
2025-09-09 18:25:58 +03:00 · 2023-01-20 15:43:45 +01:00
parent cc91ac6cc0
commit e38e1a5d5f
3 changed files with 30 additions and 8 deletions
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -324,7 +324,10 @@ async fn post_password(

    let save_result = user.save(&mut conn).await;

-    nt.send_user_update(UpdateType::LogOut, &user).await;
+    // Prevent loging out the client where the user requested this endpoint from.
+    // If you do logout the user it will causes issues at the client side.
+    // Adding the device uuid will prevent this.
+    nt.send_logout(&user, Some(headers.device.uuid)).await;

    save_result
 }
@@ -358,7 +361,7 @@ async fn post_kdf(data: JsonUpcase<ChangeKdfData>, headers: Headers, mut conn: D
    user.set_password(&data.NewMasterPasswordHash, Some(data.Key), true, None);
    let save_result = user.save(&mut conn).await;

-    nt.send_user_update(UpdateType::LogOut, &user).await;
+    nt.send_logout(&user, Some(headers.device.uuid)).await;

    save_result
 }
@@ -396,6 +399,12 @@ async fn post_rotatekey(
        err!("Invalid password")
    }

+    // Validate the import before continuing
+    // Bitwarden does not process the import if there is one item invalid.
+    // Since we check for the size of the encrypted note length, we need to do that here to pre-validate it.
+    // TODO: See if we can optimize the whole cipher adding/importing and prevent duplicate code and checks.
+    Cipher::validate_notes(&data.Ciphers)?;
+
    let user_uuid = &headers.user.uuid;

    // Update folder data
@@ -442,7 +451,10 @@ async fn post_rotatekey(

    let save_result = user.save(&mut conn).await;

-    nt.send_user_update(UpdateType::LogOut, &user).await;
+    // Prevent loging out the client where the user requested this endpoint from.
+    // If you do logout the user it will causes issues at the client side.
+    // Adding the device uuid will prevent this.
+    nt.send_logout(&user, Some(headers.device.uuid)).await;

    save_result
 }
@@ -465,7 +477,7 @@ async fn post_sstamp(
    user.reset_security_stamp();
    let save_result = user.save(&mut conn).await;

-    nt.send_user_update(UpdateType::LogOut, &user).await;
+    nt.send_logout(&user, None).await;

    save_result
 }
@@ -568,7 +580,7 @@ async fn post_email(

    let save_result = user.save(&mut conn).await;

-    nt.send_user_update(UpdateType::LogOut, &user).await;
+    nt.send_logout(&user, None).await;

    save_result
 }