server icon indicating copy to clipboard operation
server copied to clipboard
verified publisher icon bitwarden

[PM-11249] Update cipher revision date when an attachment is added or deleted

Open nick-livefront opened this issue 1 year ago โ€ข 5 comments

๐ŸŽŸ๏ธ Tracking

PM-11249

๐Ÿ“” Objective

Current Issue: When an attachment is added or deleted, web/browser clients are not being updated of the change.

Cause: The logic within the CoreSyncService on the client side uses the cipher revision date to determine if a sync is needed. Server side the cipher revision date isn't updated.

Proposed Fix: Update the revision date on the cipher if an attachment is added or deleted.

๐Ÿ“ธ Screenshots

Before After

๐Ÿฆฎ Reviewer guidelines

  • ๐Ÿ‘ (:+1:) or similar for great changes
  • ๐Ÿ“ (:memo:) or โ„น๏ธ (:information_source:) for notes or general info
  • โ“ (:question:) for questions
  • ๐Ÿค” (:thinking:) or ๐Ÿ’ญ (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • ๐ŸŽจ (:art:) for suggestions / improvements
  • โŒ (:x:) or โš ๏ธ (:warning:) for more significant problems or concerns needing attention
  • ๐ŸŒฑ (:seedling:) or โ™ป๏ธ (:recycle:) for future improvements or indications of technical debt
  • โ› (:pick:) for minor or nitpick changes

nick-livefront avatar Oct 09 '24 18:10 nick-livefront

โ“ Are you still able to modify the cipher after uploading an attachment? I'm worried that we don't return the updated cipher in the attachment endpoint so the cipher.revisionDate will be stale client side, which will prevent users from making changes until they manually re-sync or refresh their vault (on the client that uploaded the attachment).

shane-melton avatar Oct 09 '24 18:10 shane-melton

Codecov Report

Attention: Patch coverage is 0% with 15 lines in your changes missing coverage. Please review.

Project coverage is 44.31%. Comparing base (a9a1230) to head (72fe323). Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
...re/Vault/Services/Implementations/CipherService.cs 0.00% 9 Missing :warning:
...e/Vault/Models/Data/DeleteAttachmentReponseData.cs 0.00% 5 Missing :warning:
src/Api/Vault/Controllers/CiphersController.cs 0.00% 1 Missing :warning:
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4873      +/-   ##
==========================================
- Coverage   44.32%   44.31%   -0.01%     
==========================================
  Files        1482     1483       +1     
  Lines       68376    68388      +12     
  Branches     6172     6172              
==========================================
  Hits        30307    30307              
- Misses      36761    36773      +12     
  Partials     1308     1308

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

codecov[bot] avatar Oct 09 '24 18:10 codecov[bot]

โ“ Are you still able to modify the cipher after uploading an attachment? I'm worried that we don't return the updated cipher in the attachment endpoint so the cipher.revisionDate will be stale client side, which will prevent users from making changes until they manually re-sync or refresh their vault (on the client that uploaded the attachment).

Nice catch, I only tested on the client that received the update which in turn would have the updated cipher.

On the same client you are not able to. ๐Ÿค”

nick-livefront avatar Oct 09 '24 18:10 nick-livefront

Logo Checkmarx One โ€“ Scan Summary & Details โ€“ fcd6880d-cbd0-45e0-a445-4bb8ac2be417

New Issues (12)

Checkmarx found the following issues in this Pull Request

Severity Issue Source File / Package Checkmarx Insight
MEDIUM CSRF /src/Billing/Controllers/PayPalController.cs: 66
detailsMethod PostIpn at line 66 of /src/Billing/Controllers/PayPalController.cs gets a parameter from a user request from Body. This parameter value flow...
Attack Vector
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 1100
detailsMethod DeleteAttachment at line 1100 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This paramete...
Attack Vector
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 1100
detailsMethod DeleteAttachment at line 1100 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This paramete...
Attack Vector
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 1100
detailsMethod DeleteAttachment at line 1100 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from DeleteAttachment....
Attack Vector
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 1023
detailsMethod PostAttachment at line 1023 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter ...
Attack Vector
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 997
detailsMethod PostFileForExistingAttachment at line 997 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. T...
Attack Vector
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 1046
detailsMethod PostAttachmentAdmin at line 1046 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This param...
Attack Vector
MEDIUM Privacy_Violation /src/Core/AdminConsole/OrganizationAuth/UpdateOrganizationAuthRequestCommand.cs: 84
detailsMethod UpdateAsync at line 84 of /src/Core/AdminConsole/OrganizationAuth/UpdateOrganizationAuthRequestCommand.cs sends user information outside the...
Attack Vector
MEDIUM Privacy_Violation /src/Core/NotificationHub/NotificationHubPushNotificationService.cs: 195
detailsMethod PushAuthRequestAsync at line 195 of /src/Core/NotificationHub/NotificationHubPushNotificationService.cs sends user information outside the a...
Attack Vector
LOW Log_Forging /src/Api/Auth/Controllers/AuthRequestsController.cs: 87
detailsMethod PostAdminRequest at line 87 of /src/Api/Auth/Controllers/AuthRequestsController.cs gets user input from element model. This elementโ€™s value ...
Attack Vector
LOW Log_Forging /src/Api/Auth/Controllers/AuthRequestsController.cs: 75
detailsMethod Post at line 75 of /src/Api/Auth/Controllers/AuthRequestsController.cs gets user input from element model. This elementโ€™s value flows throug...
Attack Vector
LOW Missing_CSP_Header /src/Core/MailTemplates/Handlebars/AdminConsole/DomainClaimedByOrganization.html.hbs: 7
detailsA Content Security Policy is not explicitly defined within the web-application.
Attack Vector
Fixed Issues (28)

Great job! The following issues were fixed in this Pull Request

Severity Issue Source File / Package
MEDIUM CSRF /src/Api/Tools/Controllers/OrganizationExportController.cs: 53
MEDIUM CSRF /src/Admin/AdminConsole/Controllers/OrganizationsController.cs: 375
MEDIUM CSRF /src/Api/AdminConsole/Controllers/GroupsController.cs: 80
MEDIUM CSRF /src/Api/AdminConsole/Controllers/GroupsController.cs: 121
MEDIUM CSRF /src/Api/AdminConsole/Public/Controllers/PoliciesController.cs: 46
MEDIUM CSRF /src/Api/AdminConsole/Public/Controllers/PoliciesController.cs: 65
MEDIUM CSRF /src/Api/Auth/Controllers/AccountsController.cs: 470
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 220
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 220
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 1100
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 173
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 533
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 533
MEDIUM CSRF /src/Api/Vault/Controllers/CiphersController.cs: 1100
MEDIUM Privacy_Violation /src/Api/Auth/Models/Request/Accounts/SetPasswordRequestModel.cs: 28
LOW Log_Forging /src/Api/Billing/Controllers/OrganizationBillingController.cs: 238
LOW Log_Forging /src/Api/Billing/Controllers/OrganizationBillingController.cs: 238
LOW Log_Forging /src/Api/Billing/Controllers/OrganizationBillingController.cs: 238
LOW Log_Forging /src/Api/Billing/Controllers/ProviderBillingController.cs: 104
LOW Log_Forging /src/Api/Billing/Controllers/ProviderBillingController.cs: 104
LOW Log_Forging /src/Api/Billing/Controllers/ProviderBillingController.cs: 104
LOW Log_Forging /src/Billing/Controllers/RecoveryController.cs: 38
LOW Log_Forging /src/Billing/Controllers/RecoveryController.cs: 38
LOW Log_Forging /src/Api/Vault/Controllers/CiphersController.cs: 173
LOW Log_Forging /src/Billing/Controllers/StripeController.cs: 164
LOW Log_Forging /src/Billing/Controllers/StripeController.cs: 164
LOW Log_Forging /src/Api/Auth/Controllers/AccountsController.cs: 261
LOW Log_Forging /src/Api/Auth/Controllers/AccountsController.cs: 381

github-actions[bot] avatar Oct 09 '24 18:10 github-actions[bot]

Marking this a draft as I have yet to track down all of the necessary changes on server and client side. Priorities have changed so I'll be taking up some other work in the mean time.

See the ticket for more details about solutioning these scenarios.

nick-livefront avatar Oct 11 '24 16:10 nick-livefront

@shane-melton I order to support this change for deleting an attachment, the UI needed to know the updated revision timestamp. I added logic to return the updated cipher to both the client and here 13acab5

nick-livefront avatar Oct 28 '24 19:10 nick-livefront

Moving to a draft as this work is being tabled for a couple weeks why we wait for the extension refresh to roll out.

nick-livefront avatar Nov 06 '24 20:11 nick-livefront