Commit Graph

2529 Commits

Author SHA1 Message Date
Daniel García a20a641de3
Merge branch 'main' into spell-jack_mitigation 2023-02-12 18:39:27 +01:00
Daniel García 8abd38573b
Merge pull request #3116 from sirux88/admin-password-reset
Admin password reset
2023-02-12 18:38:50 +01:00
Daniel García 78abdf0e9d
Merge branch 'main' into admin-password-reset 2023-02-12 18:38:36 +01:00
Daniel García dc031d8d86
Merge pull request #2561 from BlackDex/re-license
Re-License Vaultwarden to AGPLv3
2023-02-12 18:35:35 +01:00
Daniel García de6330b09d
Merge branch 'main' into re-license 2023-02-12 18:35:09 +01:00
Helmut K. C. Tessarek 68bcc7a4b8
add argon2 kdf fields 2023-02-07 13:52:52 -05:00
BlockListed c04a1352cb
remove warn when sanitizing domain 2023-02-07 18:49:26 +01:00
BlockListed 5d1c11ceba
fix trailing slash in configuration builder 2023-02-07 18:42:36 +01:00
BlockListed a2aa7c9bc2
Revert "fix trailing slash not being removed from domain"
This reverts commit 679bc7a59b.
2023-02-07 18:41:24 +01:00
Jan Jansen b3a351ccb2 allow editing/unhiding by group
Fixes #2989

Signed-off-by: Jan Jansen <jan.jansen@gdata.de>
2023-02-07 16:20:36 +01:00
BlockListed 679bc7a59b
fix trailing slash not being removed from domain 2023-02-07 13:03:28 +01:00
BlockListed a72d0b518f
remove documentation of bug since I'm fixing it 2023-02-07 12:48:48 +01:00
Kevin P. Fleming 6741b25907 Ensure that all results from check_domain_blacklist_reason are cached. 2023-02-07 05:54:06 -05:00
Kevin P. Fleming 24b5784f02 Generate distinct log messages for regex vs. IP blacklisting.
When an icon will not be downloaded due to matching a configured
blacklist, ensure that the log message indicates the type of blacklist
that was matched.
2023-02-07 05:24:23 -05:00
BlockListed eb9b481eba
improve wording of domain description 2023-02-07 08:49:05 +01:00
BlockListed 64edc49392
change description of domain configuration
Vaultwarden send won't work if the domain includes a trailing slash.
This should be documented, as it may lead to confusion amoung users.
2023-02-06 23:19:08 +01:00
sirux88 0d1753ac74 completly hide reset password policy
on email disabled instances
2023-02-05 16:47:23 +01:00
sirux88 a6558f5548 rust lang specific improvements 2023-02-05 16:34:48 +01:00
sirux88 62dfeb80f2 improved security, disabling policy usage on
email-disabled clients and some refactoring
2023-02-04 13:29:57 +01:00
sirux88 26cd5d9643 Replaced wrong mysql column type 2023-02-04 09:23:13 +01:00
Stefan Melmuk e65fbbfc21
don't nullify key when editing emergency access
the client does not send the key on every update of an emergency access
contact so the field would be emptied on a change of the wait days or access level.
2023-02-01 23:10:09 +01:00
Jeremy Lin a2162f4d69
Allow listening on privileged ports (below 1024) as non-root
This is done by running `setcap cap_net_bind_service=+ep` on the executable
in the build stage (doing it in the runtime stage creates an extra copy of
the executable that bloats the image). This only works when using the
BuildKit-based builder, since the `COPY` instruction doesn't copy
capabilities on the legacy builder.
2023-02-01 00:35:33 -08:00
BlackDex c9ed9aa733
Fix Javascript issue on non sqlite databases
When a non sqlite database is used, loading the admin interface fails
because the backup button is not generated.
This PR is solves it by checking if the elements are valid.

Also made some other changes and fixed some eslint errors.
Showing `_post` errors is better now.

Update jquery to latest version.

Fixes #3166
2023-01-26 20:34:25 +01:00
Daniel Hammer 9b20decdc1 "Spell-Jacking" mitigation ~ prevent sensitive data leak from spell checker.
@see https://www.otto-js.com/news/article/chrome-and-edge-enhanced-spellcheck-features-expose-pii-even-your-passwords
2023-01-25 22:35:18 +01:00
sirux88 adaefc8628 fixes for current upstream main 2023-01-25 08:09:26 +01:00
sirux88 c6c45c4c49 working implementation 2023-01-25 08:06:21 +01:00
sirux88 95494083f2 added database migration 2023-01-25 08:06:21 +01:00
Jeremy Lin 686474f815
Disable Hadolint check for consecutive `RUN` instructions (DL3059)
This check doesn't seem to add enough value to justify the difficulties it
tends to create when generating `RUN` instructions from a template.
2023-01-24 13:11:13 -08:00
Jeremy Lin 2c6bd8c9dc
Rename `.buildx` Dockerfiles to `.buildkit`
This is a more accurate name, since these Dockerfiles require BuildKit, not Buildx.
2023-01-24 13:11:12 -08:00
Daniel García 9366e31452
Merge pull request #3164 from jjlin/remove-arm32v6-tag
Remove `arm32v6`-specific tag
2023-01-24 21:39:25 +01:00
Jeremy Lin 96ff32fb2f
Remove `arm32v6`-specific tag
This section of code seems to be breaking the Docker release workflow as of a
few days ago, though it's unclear why. This tag only existed to work around
an issue with Docker pulling the wrong image for ARMv6 platforms; that issue
was resolved in Docker 20.10.0, which has been out for a few years now, so it
seems like a reasonable time to drop this tag.
2023-01-24 12:33:25 -08:00
BlackDex 9342fa5744
Re-License Vaultwarden to AGPLv3
This commit prepares Vaultwarden for the Re-Licensing to AGPLv3
Solves #2450
2023-01-24 20:49:11 +01:00
Daniel García 50fc22966c
Updated web vault to 2023.1.1 and rust dependencies 2023-01-24 20:39:09 +01:00
Daniel García 4fab4c74ff
Merge branch 'BlackDex-update-kdf-config' 2023-01-24 20:06:30 +01:00
BlackDex e38e1a5d5f
Validate note sizes on key-rotation.
We also need to validate the note sizes on key-rotation.
If we do not validate them before we store them, that could lead to a
partial or total loss of the password vault. Validating these
restrictions before actually processing them to store/replace the
existing ciphers should prevent this.

There was also a small bug when using web-sockets. The client which is
triggering the password/key-rotation change should not be forced to
logout via a web-socket request. That is something the client will
handle it self. Refactored the logout notification to either send the
device uuid or not on specific actions.

Fixes #3152
2023-01-24 20:05:09 +01:00
sirux88 cc91ac6cc0
include key into user.set_password 2023-01-24 20:04:05 +01:00
BlackDex 2d8c8e18f7
Update KDF Configuration and processing
- Change default Password Hash KDF Storage from 100_000 to 600_000 iterations
- Update Password Hash when the default iteration value is different
- Validate password_iterations
- Validate client-side KDF to prevent it from being set lower than 100_000
2023-01-24 19:49:12 +01:00
Daniel García b17e2da2cf
Merge branch 'BlackDex-issue-3152' 2023-01-24 19:47:20 +01:00
sirux88 d121cce0d2
include key into user.set_password 2023-01-24 19:47:14 +01:00
Daniel García 0eba7a88fa
Merge branch 'sirux88-refactoring-user-setpassword' 2023-01-24 19:46:35 +01:00
BlackDex 34ac16e9d7
Validate note sizes on key-rotation.
We also need to validate the note sizes on key-rotation.
If we do not validate them before we store them, that could lead to a
partial or total loss of the password vault. Validating these
restrictions before actually processing them to store/replace the
existing ciphers should prevent this.

There was also a small bug when using web-sockets. The client which is
triggering the password/key-rotation change should not be forced to
logout via a web-socket request. That is something the client will
handle it self. Refactored the logout notification to either send the
device uuid or not on specific actions.

Fixes #3152
2023-01-24 09:30:10 +01:00
sirux88 906d9e2f1a Merge branch 'refactoring-user-setpassword' of https://github.com/sirux88/vaultwarden into refactoring-user-setpassword 2023-01-14 10:16:56 +01:00
sirux88 623d84aeb5 include key into user.set_password 2023-01-14 10:16:03 +01:00
sirux88 f8122cd2ca include key into user.set_password 2023-01-13 12:10:33 +01:00
Daniel García 9b7e86efc2
Update web vault to 2023.1.0 2023-01-12 19:49:06 +01:00
Daniel García e7ccfbdd0e
Merge branch 'BlackDex-optimize-ciphersync' 2023-01-12 19:19:01 +01:00
BlackDex acc1474394
Add avatar color support
The new web-vault v2023.1.0 supports a custom color for the avatar.
https://github.com/bitwarden/server/pull/2330

This PR adds this feature.
2023-01-12 19:18:57 +01:00
BlackDex c90b3031a6
Update Rust to v1.66.1 to patch CVE
This PR sets Rust to v1.66.1 to fix a CVE.
https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
https://blog.rust-lang.org/2023/01/10/Rust-1.66.1.html

Also updated some packages while at it.
2023-01-12 19:18:57 +01:00
BlackDex aaffb2e007
Add MFA icon to org member overview
The Organization member overview supports showing an icon if the user
has MFA enabled or not. This PR adds this feature.

This is very useful if you want to enable force mfa for example.
2023-01-12 19:18:57 +01:00
GeekCorner e0e95e95e4
fix (2fa.directory): Allow api.2fa.directory, and remove 2fa.directory 2023-01-12 19:18:57 +01:00