Upstream/bitwarden-browser
1
0
Fork 0
mirror of https://github.com/bitwarden/browser.git synced 2024-11-21 11:35:34 +01:00
Code Issues Projects Releases Wiki Activity

Remove password options from serve unlock (#5601)

Browse Source 
These options are no longer considered safe as the file location or
environment variable could be guessed by an attacker.
This commit is contained in:
Matt Gibson 2023-06-22 08:29:37 -04:00 committed by GitHub
parent 19d2b2594c
commit a2b290a31e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
apps/cli/src/commands/serve.command.ts
View File

@ -245,6 +245,10 @@ export class ServeCommand {
}); });
router.post("/unlock", async (ctx, next) => { router.post("/unlock", async (ctx, next) => {
// Do not allow guessing password location through serve command
delete ctx.request.query.passwordFile;
delete ctx.request.query.passwordEnv;
const response = await this.unlockCommand.run( const response = await this.unlockCommand.run(
ctx.request.body.password == null ? null : (ctx.request.body.password as string), ctx.request.body.password == null ? null : (ctx.request.body.password as string),
ctx.request.query ctx.request.query