bitwarden
Introduce `LimitCollectionCreation` & deprecate `LimitCollectionCreationDeletion`
đī¸ Tracking
https://bitwarden.atlassian.net/browse/PM-10863
đ Objective
đ¸ Screenshots
â° Reminders before review
- Contributor guidelines followed
- All formatters and local linters executed and passed
- Written new unit and / or integration tests where applicable
- Protected functional changes with optionality (feature flags)
- Used internationalization (i18n) for all UI strings
- CI builds passed
- Communicated to DevOps any deployment requirements
- Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team
đĻŽ Reviewer guidelines
- đ (
:+1:) or similar for great changes - đ (
:memo:) or âšī¸ (:information_source:) for notes or general info - â (
:question:) for questions - đ¤ (
:thinking:) or đ (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion - đ¨ (
:art:) for suggestions / improvements - â (
:x:) or â ī¸ (:warning:) for more significant problems or concerns needing attention - đą (
:seedling:) or âģī¸ (:recycle:) for future improvements or indications of technical debt - â (
:pick:) for minor or nitpick changes
Codecov Report
All modified and coverable lines are covered by tests :white_check_mark:
Project coverage is 41.81%. Comparing base (
7368e57) to head (af50aac). Report is 10 commits behind head on main.
Additional details and impacted files
@@ Coverage Diff @@
## main #4709 +/- ##
=======================================
Coverage 41.80% 41.81%
=======================================
Files 1320 1320
Lines 62687 62689 +2
Branches 5774 5774
=======================================
+ Hits 26209 26211 +2
Misses 35267 35267
Partials 1211 1211
:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.
![codecov[bot] avatar](https://avatars.githubusercontent.com/in/254?v=4 "Published by a pub.dev verified publisher"){kind=small}
Checkmarx One â Scan Summary & Details â a414d158-691e-4598-b08d-20951f835b63
New Issues
| Severity | Issue | Source File / Package | Checkmarx Insight |
|---|---|---|---|
 |
Missing_HSTS_Header | /src/Admin/Startup.cs: 40 | Attack Vector |
|
Privacy_Violation | /src/Api/Auth/Controllers/TwoFactorController.cs: 488 | Attack Vector |
|
Privacy_Violation | /src/Api/Auth/Controllers/WebAuthnController.cs: 178 | Attack Vector |
|
Privacy_Violation | /src/Api/Controllers/DevicesController.cs: 132 | Attack Vector |
|
Privacy_Violation | /src/Api/Auth/Controllers/AccountsController.cs: 863 | Attack Vector |
|
Privacy_Violation | /src/Api/Auth/Controllers/AccountsController.cs: 560 | Attack Vector |
|
Privacy_Violation | /src/Api/Vault/Controllers/CiphersController.cs: 906 | Attack Vector |
|
Privacy_Violation | /src/Api/Auth/Controllers/AccountsController.cs: 845 | Attack Vector |
|
Privacy_Violation | /src/Api/Auth/Controllers/AccountsController.cs: 412 | Attack Vector |
|
Privacy_Violation | /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 274 | Attack Vector |
|
Privacy_Violation | /src/Api/Controllers/DevicesController.cs: 158 | Attack Vector |
|
Privacy_Violation | /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 365 | Attack Vector |
|
Privacy_Violation | /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 418 | Attack Vector |
 |
Log_Forging | /src/Api/Auth/Controllers/WebAuthnController.cs: 68 | Attack Vector |
|
Log_Forging | /src/Api/Auth/Controllers/WebAuthnController.cs: 153 | Attack Vector |
|
Log_Forging | /src/Api/Auth/Controllers/WebAuthnController.cs: 85 | Attack Vector |
|
Log_Forging | /src/Api/Auth/Controllers/AccountsController.cs: 404 | Attack Vector |
|
Log_Forging | /src/Api/Vault/Controllers/CiphersController.cs: 898 | Attack Vector |
|
Log_Forging | /src/Api/Auth/Controllers/AccountsController.cs: 855 | Attack Vector |
|
Log_Forging | /src/Api/Auth/Controllers/AccountsController.cs: 837 | Attack Vector |
|
Log_Forging | /src/Api/Auth/Controllers/AccountsController.cs: 552 | Attack Vector |
|
Log_Forging | /src/Api/Controllers/DevicesController.cs: 123 | Attack Vector |
|
Log_Forging | /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 254 | Attack Vector |
|
Log_Forging | /src/Api/Controllers/DevicesController.cs: 149 | Attack Vector |
|
Log_Forging | /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 330 | Attack Vector |
|
Log_Forging | /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 393 | Attack Vector |
Fixed Issues
| Severity | Issue | Source File / Package |
|---|---|---|
|
CSRF | /src/Billing/Controllers/StripeController.cs: 176 |
|
CSRF | /src/Billing/Controllers/StripeController.cs: 164 |
|
CSRF | /src/Api/Auth/Controllers/AccountsController.cs: 455 |
|
CSRF | /src/Api/Auth/Controllers/AccountsController.cs: 689 |
|
Log_Forging | /src/Billing/Controllers/StripeController.cs: 164 |
|
Log_Forging | /src/Billing/Controllers/StripeController.cs: 164 |
|
Log_Forging | /src/Billing/Controllers/StripeController.cs: 164 |
|
Log_Forging | /src/Billing/Controllers/StripeController.cs: 164 |
|
Log_Forging | /src/Billing/Controllers/StripeController.cs: 164 |
|
Log_Forging | /src/Billing/Controllers/StripeController.cs: 164 |
|
Log_Forging | /src/Billing/Controllers/StripeController.cs: 164 |
|
Log_Forging | /src/Billing/Controllers/StripeController.cs: 164 |
|
Log_Forging | /src/Billing/Controllers/StripeController.cs: 164 |
|
Log_Forging | /src/Billing/Controllers/StripeController.cs: 164 |
|
Log_Forging | /src/Billing/Controllers/StripeController.cs: 164 |
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
@r-tome @eliykat @vincentsalucci This isn't ready for merge yet. I want to get a bit further and manually test. That said: if anyone finds time for a review I'd appreciate it. I haven't done a formally processed EDD migration yet, and I do not want to miss anything. Thanks!
I rebased this on main to update migration script dates and keep everything in sync for branches further down the tree than this one like https://github.com/bitwarden/server/pull/4730
No functional changes were made.
I'd also like to ignore the failing SonarCloud action run on this PR. It seems mostly upset about tests, but this is entirely database operations.
I opened up the Sonar report finding, and there's one thing listed:
https://sonarcloud.io/project/issues?severities=BLOCKER&sinceLeakPeriod=true&issueStatuses=OPEN%2CCONFIRMED&types=BUG&id=bitwarden_server&open=AZH6gLSYkzQSuElBzVms
It suggests a WHERE with your update.
Thank you @withinfocus, that's helpful and did give me an idea. I do want to update every record on the table, so a WHERE clause isn't wrong logically. But, it cuts down the amount of records accessed to only check for rows that don't match the default value of the column being updated. That sounds like a good enough reason to add one.
@eliykat this does mark a small functional change since review. When you get to it: please give a review to the very small change on https://github.com/bitwarden/server/pull/4709/commits/c37f77f645877b7ad96c3cd53e61c5e06df270a4.