author | Mathijs van Veluw <[email protected]> | 2024-12-15 00:27:20 +0100 |
---|---|---|
committer | GitHub <[email protected]> | 2024-12-15 00:27:20 +0100 |
commit | 4d6d3443aef8fd749436151fcff332e9fefa263f (patch) | |
tree | cae5fb0e78ac3d9adbbbf3e045a3bdf61e96881c /src/config.rs | |
parent | 9cd400db6c5da858a4f49eb883469cbd6cb7337d (diff) | |
Allow adding connect-src entries (#5293)
Bitwarden allows the use of self-hosted forwarded email services.
But for this to work you need to add custom URLs to the `connect-src` CSP entry.
This commit allows setting this and checks that each URL starts with `https://`; otherwise it will abort loading.
Fixes #5290
Signed-off-by: BlackDex <[email protected]>
Diffstat (limited to 'src/config.rs')
-rw-r--r-- | src/config.rs | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/src/config.rs b/src/config.rs
index 1a56475f..8daf35f4 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -238,6 +238,7 @@ macro_rules! make_config {
 // Besides Pass, only String types will be masked via _privacy_mask.
 const PRIVACY_CONFIG: &[&str] = &[
 "allowed_iframe_ancestors",
+ "allowed_connect_src",
 "database_url",
 "domain_origin",
 "domain_path",
@@ -610,6 +611,9 @@ make_config! {
 /// Allowed iframe ancestors (Know the risks!) |> Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets
 allowed_iframe_ancestors: String, true, def, String::new();
+ /// Allowed connect-src (Know the risks!) |> Allows other domains to URLs which can be loaded using script interfaces like the Forwarded email alias feature
+ allowed_connect_src: String, true, def, String::new();
+
 /// Seconds between login requests |> Number of seconds, on average, between login and 2FA requests from the same IP address before rate limiting kicks in
 login_ratelimit_seconds: u64, false, def, 60;
 /// Max burst size for login requests |> Allow a burst of requests of up to this size, while maintaining the average indicated by `login_ratelimit_seconds`. Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2
@@ -761,6 +765,13 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
 );
 }
+ let connect_src = cfg.allowed_connect_src.to_lowercase();
+ for url in connect_src.split_whitespace() {
+ if !url.starts_with("https://") || Url::parse(url).is_err() {
+ err!("ALLOWED_CONNECT_SRC variable contains one or more invalid URLs. Only FQDN's starting with https are allowed");
+ }
+ }
+
 let whitelist = &cfg.signups_domains_whitelist;
 if !whitelist.is_empty() && whitelist.split(',').any(|d| d.trim().is_empty()) {
 err!("`SIGNUPS_DOMAINS_WHITELIST` contains empty tokens"); |
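Review bot: The help text added for `allowed_connect_src` in the `make_config!` hunk is hard to parse ("Allows other domains to URLs which can be loaded…") and does not tell the admin what format the value takes or what it widens. Going by the validation added further down and the commit message, the setting is a whitespace-separated list of `https://` URLs that ends up in the CSP `connect-src` entry, so I would word it as `/// Allowed connect-src (Know the risks!) |> Whitespace-separated list of https:// URLs added to the CSP connect-src entry; scripts in the web vault may then send requests to them (needed for e.g. the Forwarded email alias feature)`. Spelling out that every listed origin becomes a destination the web vault's scripts can reach gives "Know the risks!" some content.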
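Review bot: The new loop in `validate_config` accepts any token that starts with `https://` and parses as a URL, so an entry containing `;` or `,` (both legal inside a URL path) passes. The code that writes the setting into the `connect-src` directive is not part of this diff, but if it inserts the raw string, such an entry would end the directive or the policy and start another one; rejecting those characters here rules that out, e.g. `if !url.starts_with("https://") || url.contains([';', ',']) || Url::parse(url).is_err() {`. The error text also promises that only FQDNs are allowed, while an IP-address host or an entry with a path is accepted, so either tighten the check to bare origins or reword the message. Note that only the lowercased copy is validated and `cfg.allowed_connect_src` itself stays unchanged. The body of `validate_config` starts and ends outside the hunk.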