Age         Commit message                                              Author
2024-08-11  Fix data disclosure on organization endpoints (#4837) [tag: 1.32.0]  Mathijs van Veluw
    - All users were able to request organizational details from any org, even if they were not a member (anymore). Now it will check if that user is a member of the org or not.
    - The `/organization/<uuid>/keys` endpoint returned also the private keys. This should not be the case. Also, according to the upstream server code the endpoint changed, but the clients do not seem to use it. I added it anyway just in case they will in the future.
    - Also require a valid login before being able to retrieve those org keys. Upstream does not do this, but I see no reason why not.
    Fixes: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39925
2024-08-09  Update Rust to 1.80.1 (#4831)  Daniel
2024-08-08  Updated web-vault to v2024.6.2b (#4826)  Mathijs van Veluw
2024-08-07  Update crates, web-vault and fixes (#4823)  Mathijs van Veluw
    * Update crates, web-vault and fixes
      - Updated crates
      - Updated web-vault to v2024.6.2
        This version is currently the latest version compatible with our API implementation. For newer versions we need more code updates to make it compatible.
        Thanks to @stefan0xC this version fixes #4628
      - Added a small fix to prevent errors in the Vaultwarden and Client logs.
        The v2024.6.2 web-vault calls an endpoint with invalid arguments. If this happens we ignore the call and just return an Ok.
      - Added the bulk-collection endpoint (Though not yet available in v2024.6.2)
      Fixes #4628
    * Prevent bulk remove collections from working
2024-08-07  Fix mail::send_incomplete_2fa_login panic issue (#4792)  Daniel
    - fixes https://github.com/dani-garcia/vaultwarden/issues/4528
2024-08-07  Remove lowercase conversion for featureStates (#4820)  Daniel
    - needed to match Bitwarden, some of the feature flags might have uppercase characters (for example: `PM-4154-bulk-encryption-service`)
2024-08-01  make access_all optional (#4812)  Stefan Melmuk
    * make access_all optional
    * use #[serde(default)] instead of unwrapping
2024-07-31  Secure send file uploads (#4810)  Mathijs van Veluw
Currently there are no checks done during the actual upload of the file of a send item. This PR adds several checks to make sure it only accepts the correct uploads.
2024-07-30  Rewrite the Push Notifications section in the configuration template (#4805)  Daniel
    - also update the European Union related information for a working setup
    - fixes https://github.com/dani-garcia/vaultwarden/issues/4609
2024-07-30  fix issue with adding ciphers to organizations on native ios app (#4800)  Stefan Melmuk
    * add organizationID alias for native ios
    * add reverse sanity check
2024-07-25  Update rust-toolchain.toml to 1.80.0 (#4784)  Daniel
2024-07-25  Duo: use the formatted db email (#4779)  Timshel
2024-07-25  Update Rust, Crates and GHA (#4783)  Mathijs van Veluw
    - Update Rust to v1.80.0
    - Updated GitHub Actions
    - Updated crates
2024-07-24  Allow to increase the note size to 100_000 (#4772)  Mathijs van Veluw
    This PR adds a config option to allow the note size to increase to 100_000, instead of the default 10_000. Since this might cause issues with the clients (in the future), and will cause issues with importing into a Bitwarden server, I added warnings regarding this.
    Closes #3168
2024-07-24  Add support for MFA with Duo's Universal Prompt (#4637)  0x0fbc
    * Add initial working Duo Universal Prompt support.
    * Add db schema and models for Duo 2FA state storage
    * store duo states in the database and validate during authentication
    * cleanup & comments
    * bump state/nonce length
    * replace stray use of TimeDelta
    * more cleanup
    * bind Duo oauth flow to device id, drop redundant device type handling
    * drop redundant alphanum string generation code
    * error handling cleanup
    * directly use JWT_VALIDITY_SECS constant instead of copying it to DuoClient instances
    * remove redundant explicit returns, rustfmt
    * rearrange constants, update comments, error message
    * override charset on duo state column to ascii for mysql
    * Reduce twofactor_duo_ctx state/nonce column size in postgres and maria
    * Add fixes suggested by clippy
    * rustfmt
    * Update to use the make_http_request
    * Don't handle OrganizationDuo
    * move Duo API endpoint fmt strings out of macros and into format! calls
    * Add missing indentation
      Co-authored-by: Daniel García <[email protected]>
    * remove redundant expiry check when purging Duo contexts
    ---------
    Co-authored-by: BlackDex <[email protected]>
    Co-authored-by: Daniel García <[email protected]>
2024-07-24  Allow to override log level for specific target (#4305)  Timshel
2024-07-24  allow re-invitations of existing users (#4768)  Stefan Melmuk
    * allow re-invitations of existing users
    * auto-accept existing user if mail is disabled
      Apply suggestions from code review
      Co-authored-by: Mathijs van Veluw <[email protected]>
    ---------
    Co-authored-by: Mathijs van Veluw <[email protected]>
2024-07-24  Fix Dockerfile linter warnings (#4763)  Daniel
    - they seem to have started appearing with buildx v0.16.0
    - skip lint check for FromPlatformFlagConstDisallowed and RedundantTargetPlatform
2024-07-24  Update crates & fix crate vulnerability (#4771)  Daniel
    - fixes GHSA-q445-7m23-qrmw by updating openssl to version 0.10.66
2024-07-17  Fix Email 2FA login on native app (#4762)  Mathijs van Veluw
2024-07-17  Fix for RSA Keys which are read only (#4744)  Mathijs van Veluw
    * Fix for RSA Keys which are read only
      Sometimes an RSA Key file could be read only. We currently failed because we also wanted to write. Added an extra check if the file exists already and is not 0 in size. If it already exists and is larger than 0, then open in read only mode.
      Fixes #4644
    * Updated code to work atomically
      - Changed the code to work atomically
      - Also show the alert generated from `Io`
    * Fix spelling
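The read-only key file handling described in this commit, as an added example written for this page (it is not Vaultwarden's own code). The function name `load_or_create_key`, the closure-based key generator and the placeholder key bytes are assumptions. The point is the ordering: attempt the exclusive create first, so the "does it exist yet?" decision and the file creation are one atomic operation with no window for a second process to race in, and only fall back to a read-only open when the file already exists. Refusing an existing zero-length file rather than silently overwriting it is this example's choice, not something the commit message specifies.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, ErrorKind, Read, Write};
use std::path::Path;

/// Load an existing key file or create it, without a check-then-act race.
///
/// 1. Try `O_CREAT|O_EXCL` (`create_new`). Success means this process owns a
///    brand-new empty file and may write freshly generated key material.
/// 2. If the file already exists, open it read-only. A file (or directory)
///    that is not writable no longer makes startup fail just because write
///    access was requested alongside read access.
/// 3. An existing but empty file is rejected (example's choice): it is not a
///    usable key and should not be blindly overwritten either.
pub fn load_or_create_key<F>(path: &Path, generate: F) -> io::Result<Vec<u8>>
where
    F: FnOnce() -> Vec<u8>,
{
    match OpenOptions::new().write(true).create_new(true).open(path) {
        Ok(mut file) => {
            // We won the exclusive create: nobody else can have written here.
            let key = generate();
            file.write_all(&key)?;
            file.sync_all()?;
            Ok(key)
        }
        Err(e) if e.kind() == ErrorKind::AlreadyExists => {
            // Existing file: read-only is all we need, so that is all we ask for.
            let mut file = OpenOptions::new().read(true).open(path)?;
            let mut key = Vec::new();
            file.read_to_end(&mut key)?;
            if key.is_empty() {
                return Err(io::Error::new(
                    ErrorKind::InvalidData,
                    format!("{} exists but is empty; refusing to use or overwrite it", path.display()),
                ));
            }
            Ok(key)
        }
        Err(e) => Err(e),
    }
}

fn main() -> io::Result<()> {
    let dir = std::env::temp_dir().join("key-file-example");
    fs::create_dir_all(&dir)?;
    let path = dir.join("rsa_key.pem");
    // Constructed placeholder bytes stand in for real generated PEM material.
    let key = load_or_create_key(&path, || b"-----BEGIN RSA PRIVATE KEY-----\nexample\n".to_vec())?;
    println!("loaded {} bytes from {}", key.len(), path.display());
    Ok(())
}
```

Running the binary twice shows the two paths: the first run takes the exclusive-create branch and writes the generated bytes, the second run finds the file and opens it read-only even if its permissions were changed to 0444 in between.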
2024-07-12  Update admin interface (#4737)  Mathijs van Veluw
    - Updated datatables
    - Set Cookie Secure flag if the connection is https
    - Prevent possible XSS via Organization Name
      Converted all `innerHTML` and `innerText` to the Safe Sink version `textContent`
    - Removed `jsesc` function as handlebars escapes all these chars already and more by default
2024-07-12  Improved HTTP client (#4740)  Daniel García
    * Improved HTTP client
    * Change config compat to use auto, rename blacklist
    * Fix wrong doc references
2024-07-10  Fix bug where secureNotes is empty (#4730)  Coby Geralnik
2024-07-10  chore: Dockerfile to Remove port 3012 (#4725)  Calvin Li
2024-07-10  use a custom plan of enterprise tier to fix limits (#4726)  Stefan Melmuk
    * use a custom plan of enterprise tier to fix limits
    * set maxStorageGb limit to max signed int value
2024-07-08  Some fixes for emergency access (#4715) [tag: 1.31.0]  Mathijs van Veluw
    - Add missing `Headers` parameter for some functions
      This allowed any request to reach these endpoints without validating the user correctly.
    - Changed the functions to retrieve the emergency access record by using the user uuid which calls the endpoint, instead of validating afterwards. This is more secure and prevents the need for an if check.
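The pattern behind this commit and the organization-endpoint fix further up the log (#4837): a handler that does not take the authenticated caller as an argument cannot authorize anything, and authorization is hardest to get wrong when the record is fetched by id and caller uuid together, so there is no "fetch first, check afterwards" step to forget. Below is an added example written for this page, not Vaultwarden's code. `Headers` here is a plain struct standing in for Vaultwarden's Rocket request guard of the same name; `Db`, `sample_db`, `ApiError` and the constructed uuids are assumptions. Returning NotFound rather than Forbidden to a non-member, so the response does not reveal whether the org exists, is this example's choice.

```rust
use std::collections::{HashMap, HashSet};

/// The authenticated caller. Requiring it as a parameter is what forces a
/// handler to have a valid login: without it the handler cannot know who asks.
pub struct Headers {
    pub user_uuid: String,
}

/// Organization key pair as stored server-side. The private key is kept out
/// of every response type on purpose; the vulnerable endpoint returned both.
#[allow(dead_code)]
pub struct OrgKeys {
    pub public_key: String,
    private_key: String,
}

#[allow(dead_code)]
pub struct EmergencyAccess {
    pub uuid: String,
    pub grantor_uuid: String,
    pub grantee_uuid: Option<String>,
}

/// Constructed in-memory stand-in for the database tables involved.
#[derive(Default)]
pub struct Db {
    /// (org_uuid, user_uuid) pairs for confirmed members.
    memberships: HashSet<(String, String)>,
    org_keys: HashMap<String, OrgKeys>,
    emergency_access: Vec<EmergencyAccess>,
}

#[derive(Debug, PartialEq)]
pub enum ApiError {
    NotFound,
}

impl Db {
    pub fn is_member(&self, org_uuid: &str, user_uuid: &str) -> bool {
        self.memberships.contains(&(org_uuid.to_string(), user_uuid.to_string()))
    }

    /// GET /organizations/<uuid>/keys as the fix describes it: a login is
    /// required (the `Headers` argument), the caller must be a member, and
    /// only the public key is returned.
    pub fn get_org_public_key(&self, org_uuid: &str, headers: &Headers) -> Result<String, ApiError> {
        if !self.is_member(org_uuid, &headers.user_uuid) {
            return Err(ApiError::NotFound);
        }
        self.org_keys
            .get(org_uuid)
            .map(|keys| keys.public_key.clone())
            .ok_or(ApiError::NotFound)
    }

    /// Emergency-access lookup keyed by record id *and* the caller's uuid in
    /// one query, instead of fetching by id and checking ownership afterwards.
    pub fn emergency_access_for_grantor(&self, ea_uuid: &str, headers: &Headers) -> Option<&EmergencyAccess> {
        self.emergency_access
            .iter()
            .find(|ea| ea.uuid == ea_uuid && ea.grantor_uuid == headers.user_uuid)
    }
}

/// Constructed sample data: alice belongs to org-1 and granted bob emergency access.
pub fn sample_db() -> Db {
    let mut db = Db::default();
    db.memberships.insert(("org-1".to_string(), "alice".to_string()));
    db.org_keys.insert(
        "org-1".to_string(),
        OrgKeys { public_key: "PUB-org-1".to_string(), private_key: "PRIV-org-1".to_string() },
    );
    db.emergency_access.push(EmergencyAccess {
        uuid: "ea-1".to_string(),
        grantor_uuid: "alice".to_string(),
        grantee_uuid: Some("bob".to_string()),
    });
    db
}

fn main() {
    let db = sample_db();
    let alice = Headers { user_uuid: "alice".to_string() };
    let mallory = Headers { user_uuid: "mallory".to_string() };
    println!("org-1 keys as alice:   {:?}", db.get_org_public_key("org-1", &alice));
    println!("org-1 keys as mallory: {:?}", db.get_org_public_key("org-1", &mallory));
    println!("ea-1 as mallory found: {}", db.emergency_access_for_grantor("ea-1", &mallory).is_some());
}
```

The type system does part of the work here: because `OrgKeys` never exposes `private_key` and no response type carries it, a future handler cannot leak it by accident, and a handler that forgets the `Headers` parameter simply cannot call the lookup functions.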
2024-07-08  Update crates and web-vault (#4714)  Mathijs van Veluw
    - Updated the crates
      Removed the patch for mimalloc
    - Updated the web-vault to v2024.5.1b
      The reason for not updating to v2024.6.x is that there are several items not working correctly or need some more research.
2024-07-08  Switch registry cache compression algorithm to zstd (#4704)  Daniel
    - faster builds than with gzip (the default)
2024-07-04  add group support for Cipher::get_collections() (#4592)  Stefan Melmuk
    * add group support for Cipher::get_collections()
      join group infos assigned to a collection to check whether user has been given access to all collections via any group or they have access to a specific collection via any group membership
    * fix Collection::is_writable_by_user()
      prevent side effects if groups are disabled
    * differentiate the /collection endpoints
    * return cipherDetails on post_collections_update()
    * add collections_v2 endpoint
2024-07-04  Remove duplicate registry step (#4703)  Daniel
2024-07-04  Fix duplicate folder creations during import (#4702)  Mathijs van Veluw
    During import you are able to select an existing folder, or with Bitwarden exports it can contain existing folders already. In either case it didn't matter, we always created new folders. Bitwarden uses the same UUID of the selected or existing folders if they are already there. This PR fixes this by using the same behaviour.
    Fixes #4700
2024-07-03  Fix collections and native app issue (#4685)  Mathijs van Veluw
    Collections were not visible in the organization view. This was because the `flexibleCollections` was set to `true`
    Found an issue with loading some old created Secure Notes which had `{}` or `{"type":null}` as their `data` value. This isn't allowed. When detected, replace it with `{"type":0}`
    Fixes #4682
    Fixes #4590
2024-06-24  Change some missing PascalCase keys (#4671)  Daniel García
2024-06-24  Remove mimalloc workaround (#4606)  Daniel
    - libatomic linking for armv6 has been fixed in https://github.com/purpleprotocol/mimalloc_rust/commit/992c9da4c5afba7fbf4c5815c43c8f0fbd2a8da6
2024-06-24  Fix cipher creation on new android app (#4670)  Daniel García
2024-06-23  Change API and structs to camelCase (#4386)  Daniel García
    * Change API inputs/outputs and structs to camelCase
    * Fix fields and password history
    * Use convert_json_key_lcase_first
    * Make sends lowercase
    * Update admin and templates
    * Update org revoke
    * Fix sends expecting size to be a string on mobile
    * Convert two-factor providers to string
2024-06-20  Fix some more nightly errors and remove lint that will become an error by default (#4661)  Daniel García
2024-06-20  Fix some nightly build errors (#4657)  Daniel García
2024-06-19  Update crates, web-vault and GHA (#4648)  Mathijs van Veluw
    - Updated all crates including Diesel and the new mysqlclient-sys
    - Updated the MSRV to v1.78 as that is what Diesel mandates
    - Added the mimalloc crate as a patch for now to fix armv6 static builds
      This probably makes #4606 possible
    - Updated web-vault to v2024.5.1
    - Updated GitHub Actions
      Fixed an issue with the localhost images for extracting the musl binaries.
2024-06-16  Update rust and remove unused header values (#4645)  Daniel García
    * Update rust and remove unused header values
    * Missed one unused var
2024-05-25  Update admin interface dependencies (#4581)  Mathijs van Veluw
    - Updated JS/CSS dependencies
    - Fixed a small issue regarding DNS IP detection
    fixes #3946
    fixes #3947
2024-05-25  Remove compatibility route (#4578)  Timshel
2024-05-25  differentiate external groups by organization id (#4586)  Stefan Melmuk
2024-05-25  Update Alpine to version 3.20 (#4583)  Daniel
    - needed to add double quotes, otherwise it was parsed as 3.2 instead of 3.20
2024-05-25  Fix web-vault version in Docker(files/Settings) (#4575)  Daniel
2024-05-25  Update crates (#4587)  Mathijs van Veluw
    - Update crates including rocket and rocket_ws
2024-05-19  Fix public api for domains with path prefix (#4500)  FDHoho007
2024-05-19  also delete organization_api_key (#4557)  Stefan Melmuk
2024-05-19  Optimize Dockerfiles (#4532)  Daniel
    Move some ARGs closer to the build stage (potentially improving caching)
    Remove redundant COPY commands
    Remove redundant RUN command
    Move CARGO_HOME's "&&" operator to the first line (improves consistency)