[PM-32249] Allow custom desktop protocol in CORS#7080
Open
dani-garcia wants to merge 2 commits intomainfrom
Open
[PM-32249] Allow custom desktop protocol in CORS#7080dani-garcia wants to merge 2 commits intomainfrom
dani-garcia wants to merge 2 commits intomainfrom
Conversation
Contributor
|
Great job! No new security vulnerabilities introduced in this pull request |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #7080 +/- ##
==========================================
- Coverage 56.45% 56.45% -0.01%
==========================================
Files 2013 2013
Lines 88112 88115 +3
Branches 7863 7863
==========================================
+ Hits 49742 49743 +1
- Misses 36554 36556 +2
Partials 1816 1816 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🎟️ Tracking
https://bitwarden.atlassian.net/browse/PM-32249
https://bitwarden.atlassian.net/browse/VULN-411
📔 Objective
The desktop application is currently loading files using the privileged
file://scheme. If the application has an XSS vulnerability, the attacker could use this to read arbitrary files on the user's machine. To solve this, we have to define a custom scheme and a scheme handler for it, which gives us control over what files are and aren't accessible. The problem is that one of those privileges that we lose is the ability to ignore CORS, so now server has to specifically allow CORS from the custom scheme origin for the desktop app to be able to make requests.This PR allows server to correctly accept CORS requests from the custom desktop scheme. Once versions of the server without this change are out of support, we'll be able to update the clients to use the new scheme.
POC on clients using a custom scheme: bitwarden/clients#19208
Some more info on electron's page: https://www.electronjs.org/docs/latest/tutorial/security#18-avoid-usage-of-the-file-protocol-and-prefer-usage-of-custom-protocols
📸 Screenshots