From f3c8c16d7969d2d33ef2c163680a52cfb2ce6513 Mon Sep 17 00:00:00 2001
From: Jeremy Lin
Date: Tue, 11 Oct 2022 21:25:29 -0700
Subject: [PATCH 1/4] Reformat CSP header for readability
---
 src/util.rs | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/src/util.rs b/src/util.rs
index bdbb564e..afd82db1 100644
--- a/src/util.rs
+++ b/src/util.rs
@@ -63,16 +63,30 @@ impl Fairing for AppHeaders {
 // app.simplelogin.io, app.anonaddy.com, api.fastmail.com
 let csp = format!(
 "default-src 'self'; \
+object-src 'self' blob:; \
 script-src 'self'{script_src}; \
 style-src 'self' 'unsafe-inline'; \
-img-src 'self' data: https://haveibeenpwned.com/ https://www.gravatar.com {icon_service_csp}; \
 child-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
 frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
-connect-src 'self' https://api.pwnedpasswords.com/range/ https://2fa.directory/api/ https://app.simplelogin.io/api/ https://app.anonaddy.com/api/ https://api.fastmail.com/; \
-object-src 'self' blob:; \
-frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* {allowed_iframe_ancestors};",
-icon_service_csp=CONFIG._icon_service_csp(),
-allowed_iframe_ancestors=CONFIG.allowed_iframe_ancestors()
+frame-ancestors 'self' \
+chrome-extension://nngceckbapebfimnlniiiahkandclblb \
+chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh \
+moz-extension://* \
+{allowed_iframe_ancestors}; \
+img-src 'self' data: \
+https://haveibeenpwned.com/ \
+https://www.gravatar.com \
+{icon_service_csp}; \
+connect-src 'self' \
+https://api.pwnedpasswords.com/range/ \
+https://2fa.directory/api/ \
+https://app.simplelogin.io/api/ \
+https://app.anonaddy.com/api/ \
+https://api.fastmail.com/ \
+;\
+",
+icon_service_csp = CONFIG._icon_service_csp(),
+allowed_iframe_ancestors = CONFIG.allowed_iframe_ancestors()
 );
 res.set_raw_header("Content-Security-Policy", csp);
 res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
From b0e0d68632b2cfe2ba3da8d704e88ef67755ba71 Mon Sep 17 00:00:00 2001
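Review bot: The new one-source-per-line layout depends on every continued line ending in a space before the `\`, because a backslash continuation in a Rust string literal also strips the next line's leading whitespace; an entry added later without that trailing space silently fuses with its neighbour into a single bogus source token (the `https://api.fastmail.com/ \` line followed by another URL would become one `https://api.fastmail.com/https://…` expression), and neither the compiler nor any visible test would catch the weakened or broken directive. A comment above the literal makes the hazard explicit: `// NOTE: every continued line must end in " \" — the continuation swallows the newline and the next line's indentation, so a missing trailing space merges two sources into one.` Alternatively, collecting each directive's sources in a slice and using `.join(" ")`, then `.join("; ")` across directives, removes the dependency on trailing whitespace altogether. The enclosing method of `impl Fairing for AppHeaders` starts before and continues past this hunk.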
From: Jeremy Lin
Date: Tue, 11 Oct 2022 21:27:15 -0700
Subject: [PATCH 2/4] Update CSP for DuckDuckGo email forwarding
Upstream PR: https://github.com/bitwarden/clients/pull/3630
---
 src/util.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/util.rs b/src/util.rs
index afd82db1..90bf7a73 100644
--- a/src/util.rs
+++ b/src/util.rs
@@ -60,7 +60,7 @@ impl Fairing for AppHeaders {
 // Leaked Passwords check: api.pwnedpasswords.com
 // 2FA/MFA Site check: 2fa.directory
 // # Mail Relay: https://bitwarden.com/blog/add-privacy-and-security-using-email-aliases-with-bitwarden/
-// app.simplelogin.io, app.anonaddy.com, api.fastmail.com
+// app.simplelogin.io, app.anonaddy.com, api.fastmail.com, quack.duckduckgo.com
 let csp = format!(
 "default-src 'self'; \
 object-src 'self' blob:; \
@@ -83,6 +83,7 @@ impl Fairing for AppHeaders {
 https://app.simplelogin.io/api/ \
 https://app.anonaddy.com/api/ \
 https://api.fastmail.com/ \
+https://quack.duckduckgo.com/api/email/ \
 ;\
 ",
 icon_service_csp = CONFIG._icon_service_csp(),
From 646186fe389dd093fa87099f8a39e865e0a35af3 Mon Sep 17 00:00:00 2001
From: Stefan Melmuk
Date: Wed, 12 Oct 2022 20:15:45 +0200
Subject: [PATCH 3/4] fix link of license badge
master branch has been renamed to main.
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 3e25e158..9591bbc9 100644
--- a/README.md
+++ b/README.md
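Review bot: The path in the new `connect-src` entry `https://quack.duckduckgo.com/api/email/ \` constrains only the initial request; under CSP source-matching rules a request that has been redirected is compared against the source's scheme, host and port alone, so once a redirect is involved the effective allow-list is the whole origin (the same holds for the sibling `/api/` and `/range/` entries). That is acceptable, but it should be stated so nobody later treats the path as the security boundary; a comment on the `connect-src 'self' \` line such as `// Path parts narrow the first request only — after a redirect CSP matches the origin alone.` would do. The relay-host comment updated in the first hunk of this patch duplicates the directive's host list by hand and has already started to drift from it (hosts there, paths here), so consider pointing the comment at the directive instead of maintaining two lists. The `format!` call that holds this literal begins and ends outside the hunk.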
@@ -7,7 +7,7 @@
 [![Docker Pulls](https://img.shields.io/docker/pulls/vaultwarden/server.svg)](https://hub.docker.com/r/vaultwarden/server)
 [![Dependency Status](https://deps.rs/repo/github/dani-garcia/vaultwarden/status.svg)](https://deps.rs/repo/github/dani-garcia/vaultwarden)
 [![GitHub Release](https://img.shields.io/github/release/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/releases/latest)
-[![GPL-3.0 Licensed](https://img.shields.io/github/license/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/blob/master/LICENSE.txt)
+[![GPL-3.0 Licensed](https://img.shields.io/github/license/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/blob/main/LICENSE.txt)
 [![Matrix Chat](https://img.shields.io/matrix/vaultwarden:matrix.org.svg?logo=matrix)](https://matrix.to/#/#vaultwarden:matrix.org)
 
 Image is based on [Rust implementation of Bitwarden API](https://github.com/dani-garcia/vaultwarden).
From b4a38f1f630c3d1d25328ba983f2fa1d47eee921 Mon Sep 17 00:00:00 2001
From: Jeremy Lin
Date: Wed, 12 Oct 2022 00:17:09 -0700
Subject: [PATCH 4/4] Add `CreationDate` to cipher response JSON
Upstream PR: https://github.com/bitwarden/server/pull/2142
---
 src/db/models/cipher.rs | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/db/models/cipher.rs b/src/db/models/cipher.rs
index d5f78fbe..7464fdc1 100644
--- a/src/db/models/cipher.rs
+++ b/src/db/models/cipher.rs
@@ -160,6 +160,7 @@ impl Cipher {
 "Object": "cipherDetails",
 "Id": self.uuid,
 "Type": self.atype,
+"CreationDate": format_date(&self.created_at),
 "RevisionDate": format_date(&self.updated_at),
 "DeletedDate": self.deleted_at.map_or(Value::Null, |d| Value::String(format_date(&d))),
 "FolderId": if let Some(cipher_sync_data) = cipher_sync_data { cipher_sync_data.cipher_folders.get(&self.uuid).map(|c| c.to_string() ) } else { self.get_folder_uuid(user_uuid, conn).await },