Commit Graph

2080 Commits

Author SHA1 Message Date
Daniel García
366b1050ec
Merge pull request #2921 from BlackDex/issue-2909
Prevent DNS leak when icon regex is configured
2022-11-27 22:00:54 +01:00
Daniel García
b3aab7a6ad
Merge pull request #2920 from BlackDex/issue-2889
Added missing `register` endpoint to `identity`
2022-11-27 22:00:23 +01:00
Daniel García
aa8d050d6b
Merge pull request #2919 from BlackDex/issue-2828
Fully remove DuckDuckGo email service.
2022-11-27 21:59:51 +01:00
Daniel García
5200f0e98d
Merge pull request #2918 from BlackDex/issue-2761
Set "Bypass admin page security" as read-only
2022-11-27 21:59:39 +01:00
Daniel García
5f4abb1b7f
Merge pull request #2911 from skid9000/patch-1
Update config comment to reflect rfc8314.
2022-11-27 21:59:18 +01:00
Daniel García
dfe1e30d1b
Merge pull request #2910 from samueltardieu/const-crypto
Use constant size generic parameter for random bytes generation
2022-11-27 21:58:27 +01:00
BlackDex
0d2399d485
Prevent DNS leak when icon regex is configured
When a icon blacklist regex was configured to not check for a domain, it
still did a DNS lookup first. This could cause a DNS leakage for these
regex blocked domains.

This PR resolves this issue by first checking the regex, and afterwards
the other checks.

Fixes #2909
2022-11-14 17:25:44 +01:00
BlackDex
5bfc7cfde3
Added missing register endpoint to identity
In the upcomming web-vault and other clients they changed the register
endpoint from `/api/accounts/register` to `/identity/register`.

This PR adds the new endpoint to already be compatible with the new
clients.

Fixes #2889
2022-11-14 17:22:37 +01:00
BlackDex
723f0cbc1e
Fully remove DuckDuckGo email service.
The DuckDuckGo email service is not supported for self-hosted servers.
This option is already hidden via the latest web-vault.

This PR also removes some server side headers.

Fixes #2828
2022-11-14 17:19:30 +01:00
BlackDex
b141f789f6
Set "Bypass admin page security" as read-only
It was possible to disable the admin security via the admin interface.
This is kinda insecure as mentioned in #2761.

This PR set this value as read-only and admin's need to set the correct ENV variable.
Currently saved settings which do override this are still valid though.
If an admin want's this removed, they either need to reset the config,
or change the value in the `config.json` file.

Fixes #2761
2022-11-14 17:18:25 +01:00
Samuel Tardieu
7445ee40f8 Remove get_random_64()
Its uses are replaced by get_randm_bytes() or encode_random_bytes().
2022-11-13 10:03:06 +01:00
Skid
4a9a0f7e64
Update .env.template
Co-authored-by: Helmut K. C. Tessarek <tessarek@evermeet.cx>
2022-11-12 22:39:41 +01:00
Skid
63aad2e5d2
Update config comment to reflect rfc8314. 2022-11-12 22:07:03 +01:00
Samuel Tardieu
d0baa23f9a Use constant size generic parameter for random bytes generation
All uses of `get_random()` were in the form of:

  `&get_random(vec![0u8; SIZE])`

with `SIZE` being a constant.

Building a `Vec` is unnecessary for two reasons. First, it uses a
very short-lived dynamic memory allocation. Second, a `Vec` is a
resizable object, which is useless in those context when random
data have a fixed size and will only be read.

`get_random_bytes()` takes a constant as a generic parameter and
returns an array with the requested number of random bytes.

Stack safety analysis: the random bytes will be allocated on the
caller stack for a very short time (until the encoding function has
been called on the data). In some cases, the random bytes take
less room than the `Vec` did (a `Vec` is 24 bytes on a 64 bit
computer). The maximum used size is 180 bytes, which makes it
for 0.008% of the default stack size for a Rust thread (2MiB),
so this is a non-issue.

Also, most of the uses of those random bytes are to encode them
using an `Encoding`. The function `crypto::encode_random_bytes()`
generates random bytes and encode them with the provided
`Encoding`, leading to code deduplication.

`generate_id()` has also been converted to use a constant generic
parameter as well since the length of the requested String is always
a constant.
2022-11-11 11:59:27 +01:00
Daniel García
7a7673103f
Merge branch 'BlackDex-org-export-fixes' 2022-11-09 22:40:05 +01:00
GeekCorner
05d4788d1d
fix: removed a double space 2022-11-09 22:40:01 +01:00
BlackDex
6f0dea1b56
Add /devices/knowndevice endpoint
Added a new endpoint which the currently beta client for at least
Android v2022.10.1 seems to be calling, and crashes with the response we
currently provide

Fixes #2890
Fixes #2891
Fixes #2892
2022-11-09 22:40:00 +01:00
BlackDex
439ef44973
Update Rust version, deps and workflow
- Update Rust to v1.65.0
- Update dependencies
- Updated workflow files
- Added some extra clippy checks
- Fixed some clippy checks
2022-11-09 22:40:00 +01:00
Daniel García
2a525b42cb
Merge branch 'GeekCornerGH-fix-double-space-email' 2022-11-09 22:38:38 +01:00
BlackDex
aee91acfdc
Add /devices/knowndevice endpoint
Added a new endpoint which the currently beta client for at least
Android v2022.10.1 seems to be calling, and crashes with the response we
currently provide

Fixes #2890
Fixes #2891
Fixes #2892
2022-11-09 22:38:34 +01:00
BlackDex
17388ec43e
Update Rust version, deps and workflow
- Update Rust to v1.65.0
- Update dependencies
- Updated workflow files
- Added some extra clippy checks
- Fixed some clippy checks
2022-11-09 22:38:34 +01:00
Daniel García
bdc1cd13a7
Merge branch 'BlackDex-add-knowndevice-endpoint' 2022-11-09 22:37:53 +01:00
BlackDex
42db4b5c77
Update Rust version, deps and workflow
- Update Rust to v1.65.0
- Update dependencies
- Updated workflow files
- Added some extra clippy checks
- Fixed some clippy checks
2022-11-09 22:37:48 +01:00
Daniel García
53da073274
Merge branch 'BlackDex-update-rust-and-deps' 2022-11-09 22:37:19 +01:00
BlackDex
b010dde661
Update Rust version, deps and workflow
- Update Rust to v1.65.0
- Update dependencies
- Updated workflow files
- Added some extra clippy checks
- Fixed some clippy checks
2022-11-08 14:03:31 +01:00
BlackDex
c9ec389b24
Support Org Export for v2022.11 clients
Since v2022.9.x the org export uses a different endpoint.
But, since v2022.11.x this endpoint will return a different format.
See: https://github.com/bitwarden/clients/pull/3641 and https://github.com/bitwarden/server/pull/2316

To support both version in the case of users having an older client
either web-vault or cli this PR checks the version and responds using
the correct format. If no version can be determined it will use the new
format as a default.
2022-11-07 17:13:34 +01:00
GeekCorner
baa2841b04
fix: removed a double space 2022-11-07 08:39:56 +01:00
BlackDex
6af5c86081
Add /devices/knowndevice endpoint
Added a new endpoint which the currently beta client for at least
Android v2022.10.1 seems to be calling, and crashes with the response we
currently provide

Fixes #2890
Fixes #2891
Fixes #2892
2022-11-06 18:07:09 +01:00
Daniel García
f60a6929a9
Update dependencies 2022-10-26 21:42:38 +02:00
Daniel García
2aa97fa121
Update web vault to v2022.10.2 2022-10-26 21:42:37 +02:00
Jeremy Lin
b59809af46
Sync global_domains.json to bitwarden/server@7c783c9 (Atlassian) 2022-10-26 21:42:37 +02:00
Stefan Melmuk
ed24d51d3e
validate cron expressions on startup 2022-10-26 21:42:36 +02:00
Stefan Melmuk
870f0d0932
validate billing_email on save 2022-10-26 21:42:36 +02:00
GeekCorner
31b77bf178
feat: Bump web-vault to v2022.10.1 2022-10-23 18:34:12 +02:00
Daniel García
b525f9aa4c
Merge pull request #2724 from dani-garcia/diesel2
Update diesel to 2.0.2
2022-10-23 00:49:57 +02:00
Daniel García
8409b31d6b
Update to diesel2 2022-10-23 00:49:23 +02:00
Daniel García
b878495d64
Update sponsors 2022-10-23 00:49:06 +02:00
Daniel García
945b85da2f
Merge pull request #2852 from BlackDex/update-github-workflows
Update github workflows
2022-10-21 18:42:47 +02:00
BlackDex
d4577d161e
Update github workflows
Updated all the actions where possible.
This should at least for the most actions mean that they are using the
latest github actions core and should partially resolve the issue #2847

The only actions left are the actions from `actions-rs`.
2022-10-21 13:21:57 +02:00
Daniel García
3c8e1c3ca9
Add liberapay funding option 2022-10-20 21:07:26 +02:00
Daniel García
88dba8c4dd
Merge pull request #2846 from MFijak/group_support_diff
Group support | applied .diff
2022-10-20 21:04:46 +02:00
MFijak
21bc3bfd53 group support 2022-10-20 15:31:53 +02:00
Daniel García
4cb5122e90
Merge pull request #2844 from jjlin/healthcheck
Take `ROCKET_ADDRESS` into account in the Docker healthcheck
2022-10-20 12:26:09 +02:00
Jeremy Lin
0a2a8be0ff
Take ROCKET_ADDRESS into account in the Docker healthcheck 2022-10-20 01:04:09 -07:00
Daniel García
720a046610
Merge pull request #2804 from stefan0xC/verify-on-invite
verify email on registration by invite
2022-10-19 23:09:47 +02:00
Stefan Melmuk
64ae5d4f81
verify email on registration via invite link
if `SIGNUPS_VERIFY` is enabled new users that have been invited have
their onboarding flow interrupted because they have to first verify
their mail address before they can join an organization.

we can skip the extra verication of the email address when signing up
because a valid invitation token already means that the email address is
working and we don't allow invited users to signup with a different
address.

unfortunately, this is not possible with emergency access invitations
at the moment as they are handled differently.
2022-10-19 22:44:17 +02:00
Daniel García
ff7e22c08a
Merge pull request #2840 from jjlin/global-domains
Sync global_domains.json
2022-10-19 21:56:22 +02:00
Jeremy Lin
0c267d073f
Sync global_domains.json to bitwarden/server@ea300b2 (Amazon) 2022-10-19 12:33:04 -07:00
Daniel García
bbc6470f65
Merge branch 'BlackDex-fix-password-hint' 2022-10-19 20:40:24 +02:00
Stefan Melmuk
23f1f8a576
allow registration without invite link
if signups are allowed invited users should be able to complete their
registration even when they don't have the invite link at hand.
2022-10-19 20:39:14 +02:00