Commit Graph

2300 Commits

Author SHA1 Message Date
Daniel Hammer
9b20decdc1 "Spell-Jacking" mitigation ~ prevent sensitive data leak from spell checker.
@see https://www.otto-js.com/news/article/chrome-and-edge-enhanced-spellcheck-features-expose-pii-even-your-passwords
2023-01-25 22:35:18 +01:00
Daniel García
9366e31452 Merge pull request #3164 from jjlin/remove-arm32v6-tag
Remove `arm32v6`-specific tag
2023-01-24 21:39:25 +01:00
Jeremy Lin
96ff32fb2f Remove arm32v6-specific tag
This section of code seems to be breaking the Docker release workflow as of a
few days ago, though it's unclear why. This tag only existed to work around
an issue with Docker pulling the wrong image for ARMv6 platforms; that issue
was resolved in Docker 20.10.0, which has been out for a few years now, so it
seems like a reasonable time to drop this tag.
2023-01-24 12:33:25 -08:00
Daniel García
50fc22966c Updated web vault to 2023.1.1 and rust dependencies 2023-01-24 20:39:09 +01:00
Daniel García
4fab4c74ff Merge branch 'BlackDex-update-kdf-config' 2023-01-24 20:06:30 +01:00
BlackDex
e38e1a5d5f Validate note sizes on key-rotation.
We also need to validate the note sizes on key-rotation.
If we do not validate them before we store them, that could lead to a
partial or total loss of the password vault. Validating these
restrictions before actually processing them to store/replace the
existing ciphers should prevent this.

There was also a small bug when using web-sockets. The client which is
triggering the password/key-rotation change should not be forced to
logout via a web-socket request. That is something the client will
handle it self. Refactored the logout notification to either send the
device uuid or not on specific actions.

Fixes #3152
2023-01-24 20:05:09 +01:00
sirux88
cc91ac6cc0 include key into user.set_password 2023-01-24 20:04:05 +01:00
BlackDex
2d8c8e18f7 Update KDF Configuration and processing
- Change default Password Hash KDF Storage from 100_000 to 600_000 iterations
- Update Password Hash when the default iteration value is different
- Validate password_iterations
- Validate client-side KDF to prevent it from being set lower than 100_000
2023-01-24 19:49:12 +01:00
Daniel García
b17e2da2cf Merge branch 'BlackDex-issue-3152' 2023-01-24 19:47:20 +01:00
sirux88
d121cce0d2 include key into user.set_password 2023-01-24 19:47:14 +01:00
Daniel García
0eba7a88fa Merge branch 'sirux88-refactoring-user-setpassword' 2023-01-24 19:46:35 +01:00
BlackDex
34ac16e9d7 Validate note sizes on key-rotation.
We also need to validate the note sizes on key-rotation.
If we do not validate them before we store them, that could lead to a
partial or total loss of the password vault. Validating these
restrictions before actually processing them to store/replace the
existing ciphers should prevent this.

There was also a small bug when using web-sockets. The client which is
triggering the password/key-rotation change should not be forced to
logout via a web-socket request. That is something the client will
handle it self. Refactored the logout notification to either send the
device uuid or not on specific actions.

Fixes #3152
2023-01-24 09:30:10 +01:00
sirux88
906d9e2f1a Merge branch 'refactoring-user-setpassword' of https://github.com/sirux88/vaultwarden into refactoring-user-setpassword 2023-01-14 10:16:56 +01:00
sirux88
623d84aeb5 include key into user.set_password 2023-01-14 10:16:03 +01:00
sirux88
f8122cd2ca include key into user.set_password 2023-01-13 12:10:33 +01:00
Daniel García
9b7e86efc2 Update web vault to 2023.1.0 2023-01-12 19:49:06 +01:00
Daniel García
e7ccfbdd0e Merge branch 'BlackDex-optimize-ciphersync' 2023-01-12 19:19:01 +01:00
BlackDex
acc1474394 Add avatar color support
The new web-vault v2023.1.0 supports a custom color for the avatar.
https://github.com/bitwarden/server/pull/2330

This PR adds this feature.
2023-01-12 19:18:57 +01:00
BlackDex
c90b3031a6 Update Rust to v1.66.1 to patch CVE
This PR sets Rust to v1.66.1 to fix a CVE.
https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
https://blog.rust-lang.org/2023/01/10/Rust-1.66.1.html

Also updated some packages while at it.
2023-01-12 19:18:57 +01:00
BlackDex
aaffb2e007 Add MFA icon to org member overview
The Organization member overview supports showing an icon if the user
has MFA enabled or not. This PR adds this feature.

This is very useful if you want to enable force mfa for example.
2023-01-12 19:18:57 +01:00
GeekCorner
e0e95e95e4 fix (2fa.directory): Allow api.2fa.directory, and remove 2fa.directory 2023-01-12 19:18:57 +01:00
BlackDex
fa70b440d0 Fix remaning inline format 2023-01-12 19:18:56 +01:00
Rychart Redwerkz
42acb2ebb6 Use more modern meta tag for charset encoding 2023-01-12 19:18:56 +01:00
Daniel García
174bea8d6e Merge branch 'BlackDex-add-avatar-color-feature' 2023-01-12 19:17:22 +01:00
BlackDex
f68a57950b Update Rust to v1.66.1 to patch CVE
This PR sets Rust to v1.66.1 to fix a CVE.
https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
https://blog.rust-lang.org/2023/01/10/Rust-1.66.1.html

Also updated some packages while at it.
2023-01-12 19:17:16 +01:00
BlackDex
f747bf126b Add MFA icon to org member overview
The Organization member overview supports showing an icon if the user
has MFA enabled or not. This PR adds this feature.

This is very useful if you want to enable force mfa for example.
2023-01-12 19:17:15 +01:00
GeekCorner
1ca197fd46 fix (2fa.directory): Allow api.2fa.directory, and remove 2fa.directory 2023-01-12 19:17:15 +01:00
BlackDex
63d05d929b Fix remaning inline format 2023-01-12 19:17:15 +01:00
Rychart Redwerkz
ef5bf5d326 Use more modern meta tag for charset encoding 2023-01-12 19:17:15 +01:00
Daniel García
9d6e35d803 Merge branch 'BlackDex-update-rust-fix-cve' 2023-01-12 19:16:32 +01:00
BlackDex
0cccdcab83 Add MFA icon to org member overview
The Organization member overview supports showing an icon if the user
has MFA enabled or not. This PR adds this feature.

This is very useful if you want to enable force mfa for example.
2023-01-12 19:16:28 +01:00
GeekCorner
6607faa390 fix (2fa.directory): Allow api.2fa.directory, and remove 2fa.directory 2023-01-12 19:16:28 +01:00
BlackDex
6fcf18ab51 Fix remaning inline format 2023-01-12 19:16:28 +01:00
Rychart Redwerkz
d122c10573 Use more modern meta tag for charset encoding 2023-01-12 19:16:28 +01:00
Daniel García
ae9553ca1c Merge branch 'BlackDex-add-mfa-icon-to-orgs' 2023-01-12 19:16:16 +01:00
GeekCorner
ff919039c9 fix (2fa.directory): Allow api.2fa.directory, and remove 2fa.directory 2023-01-12 19:16:12 +01:00
BlackDex
80eb15d46a Fix remaning inline format 2023-01-12 19:16:11 +01:00
Rychart Redwerkz
c36b870c54 Use more modern meta tag for charset encoding 2023-01-12 19:16:11 +01:00
Daniel García
b7cbca590c Merge branch 'GeekCornerGH-fix/2fa_directory-csp' 2023-01-12 19:15:42 +01:00
BlackDex
606a1bbfcb Fix remaning inline format 2023-01-12 19:15:38 +01:00
Rychart Redwerkz
3e5369c8dd Use more modern meta tag for charset encoding 2023-01-12 19:15:38 +01:00
Daniel García
dd5e4cec73 Merge branch 'BlackDex-fix-remaining-inline' 2023-01-12 19:15:14 +01:00
Rychart Redwerkz
a31a040abd Use more modern meta tag for charset encoding 2023-01-12 19:15:06 +01:00
Daniel García
f0125b95c1 Merge branch 'redwerkz-patch-1' 2023-01-12 19:14:49 +01:00
BlackDex
072f2e24c2 Update Rust to v1.66.1 to patch CVE
This PR sets Rust to v1.66.1 to fix a CVE.
https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
https://blog.rust-lang.org/2023/01/10/Rust-1.66.1.html

Also updated some packages while at it.
2023-01-12 09:45:52 +01:00
BlackDex
36b5350f9b Add avatar color support
The new web-vault v2023.1.0 supports a custom color for the avatar.
https://github.com/bitwarden/server/pull/2330

This PR adds this feature.
2023-01-11 22:20:03 +01:00
BlackDex
c7489c9fdf Add MFA icon to org member overview
The Organization member overview supports showing an icon if the user
has MFA enabled or not. This PR adds this feature.

This is very useful if you want to enable force mfa for example.
2023-01-11 22:13:20 +01:00
BlackDex
3181e4e96e Optimize CipherSyncData for very large vaults
As mentioned in #3111, using a very very large vault causes some issues.
Mainly because of a SQLite limit, but, it could also cause issue on
MariaDB/MySQL or PostgreSQL. It also uses a lot of memory, and memory
allocations.

This PR solves this by removing the need of all the cipher_uuid's just
to gather the correct attachments.

It will use the user_uuid and org_uuid's to get all attachments linked
to both, weither the user has access to them or not. This isn't an
issue, since the matching is done per cipher and the attachment data is
only returned if there is a matching cipher to where the user has access to.

I also modified some code to be able to use `::with_capacity(n)` where
possible. This prevents re-allocations if the `Vec` increases size,
which will happen a lot if there are a lot of ciphers.

According to my tests measuring the time it takes to sync, it seems to
have lowered the duration a bit more.

Fixes #3111
2023-01-11 20:23:53 +01:00
GeekCorner
2ee0d53c5f fix (2fa.directory): Allow api.2fa.directory, and remove 2fa.directory 2023-01-10 09:41:35 +01:00
Rychart Redwerkz
dfa629ecc7 Use more modern meta tag for charset encoding 2023-01-10 00:24:37 +01:00