server
Auth/pm 8107/remove v2 duo
Tracking
Objective
Screenshots
Reminders before review
- Contributor guidelines followed
- All formatters and local linters executed and passed
- Written new unit and / or integration tests where applicable
- Protected functional changes with optionality (feature flags)
- Used internationalization (i18n) for all UI strings
- CI builds passed
- Communicated to DevOps any deployment requirements
- Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team
Reviewer guidelines
- :+1: or similar for great changes
- :memo: or :information_source: for notes or general info
- :question: for questions
- :thinking: or :thought_balloon: for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
- :art: for suggestions / improvements
- :x: or :warning: for more significant problems or concerns needing attention
- :seedling: or :recycle: for future improvements or indications of technical debt
- :pick: for minor or nitpick changes
Checkmarx One - Scan Summary & Details - 98ae3dfd-6c35-4be2-b00c-c57055cc8a66
New Issues
| Issue | Source File / Package | Checkmarx Insight |
|---|---|---|
| CSRF | /src/Api/Auth/Controllers/AccountsController.cs: 366 | Attack Vector |
| CSRF | /src/Billing/Controllers/StripeController.cs: 176 | Attack Vector |
| CSRF | /src/Api/Billing/Public/Controllers/OrganizationController.cs: 47 | Attack Vector |
| CSRF | /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 272 | Attack Vector |
| CSRF | /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 191 | Attack Vector |
| CSRF | /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 460 | Attack Vector |
| CSRF | /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 540 | Attack Vector |
| CSRF | /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 554 | Attack Vector |
| CSRF | /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 493 | Attack Vector |
| CSRF | /src/Api/AdminConsole/Controllers/OrganizationsController.cs: 518 | Attack Vector |
| CSRF | /src/Api/AdminConsole/Public/Controllers/OrganizationController.cs: 43 | Attack Vector |
| CSRF | /src/Api/AdminConsole/Public/Controllers/OrganizationController.cs: 43 | Attack Vector |
| CSRF | /src/Api/Controllers/CollectionsController.cs: 247 | Attack Vector |
| CSRF | /src/Api/AdminConsole/Controllers/GroupsController.cs: 238 | Attack Vector |
| CSRF | /src/Api/AdminConsole/Public/Controllers/OrganizationController.cs: 43 | Attack Vector |
| Privacy_Violation | /src/Core/Services/Implementations/UserService.cs: 852 | Attack Vector |
| Privacy_Violation | /src/Core/Auth/UserFeatures/TdeOffboardingPassword/TdeOffboardingPasswordCommand.cs: 81 | Attack Vector |
| Privacy_Violation | /src/Core/Auth/UserFeatures/TdeOffboardingPassword/TdeOffboardingPasswordCommand.cs: 81 | Attack Vector |
| Privacy_Violation | /src/Api/Vault/Models/Request/CipherRequestModel.cs: 198 | Attack Vector |
| Privacy_Violation | /src/Core/Auth/UserFeatures/UserMasterPassword/SetInitialMasterPasswordCommand.cs: 59 | Attack Vector |
| Privacy_Violation | /src/Core/Auth/UserFeatures/UserMasterPassword/SetInitialMasterPasswordCommand.cs: 59 | Attack Vector |
| Privacy_Violation | /src/Core/Services/Implementations/UserService.cs: 567 | Attack Vector |
| Privacy_Violation | /src/Core/Services/Implementations/UserService.cs: 765 | Attack Vector |
| Privacy_Violation | /src/Core/Services/Implementations/UserService.cs: 763 | Attack Vector |
| Privacy_Violation | /src/Core/Services/Implementations/UserService.cs: 736 | Attack Vector |
| Privacy_Violation | /src/Core/Services/Implementations/UserService.cs: 765 | Attack Vector |
| Privacy_Violation | /src/Core/Services/Implementations/UserService.cs: 736 | Attack Vector |
| Privacy_Violation | /src/Core/Services/Implementations/UserService.cs: 514 | Attack Vector |
| Privacy_Violation | /src/Core/Services/Implementations/UserService.cs: 514 | Attack Vector |
| Privacy_Violation | /src/Core/Services/Implementations/UserService.cs: 569 | Attack Vector |
| Privacy_Violation | /src/Core/Services/Implementations/UserService.cs: 569 | Attack Vector |
| Privacy_Violation | /src/Core/Services/Implementations/UserService.cs: 710 | Attack Vector |
| Privacy_Violation | /src/Core/Services/Implementations/UserService.cs: 710 | Attack Vector |
| SSL_Verification_Bypass | /src/Api/Auth/Models/Request/OrganizationSsoRequestModel.cs: 146 | Attack Vector |
| SSL_Verification_Bypass | /bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs: 405 | Attack Vector |
| SSL_Verification_Bypass | /src/Core/Utilities/CoreHelpers.cs: 140 | Attack Vector |
| SSL_Verification_Bypass | /src/Core/Utilities/CoreHelpers.cs: 115 | Attack Vector |
| SSL_Verification_Bypass | /src/Core/Utilities/CoreHelpers.cs: 93 | Attack Vector |
| SSL_Verification_Bypass | /src/Core/Utilities/CoreHelpers.cs: 105 | Attack Vector |
| Unpinned Actions Full Length Commit SHA | /version-bump.yml: 29 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| Unpinned Actions Full Length Commit SHA | /version-bump.yml: 137 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| Unpinned Actions Full Length Commit SHA | /version-bump.yml: 220 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| Unpinned Actions Full Length Commit SHA | /build.yml: 598 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| Unpinned Actions Full Length Commit SHA | /version-bump.yml: 129 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| Unpinned Actions Full Length Commit SHA | /version-bump.yml: 122 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| Unpinned Actions Full Length Commit SHA | /version-bump.yml: 61 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| Unpinned Actions Full Length Commit SHA | /container-registry-purge.yml: 90 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| Log_Forging | /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 439 | Attack Vector |
| Log_Forging | /src/Notifications/Controllers/SendController.cs: 27 | Attack Vector |
| Log_Forging | /src/Api/Vault/Controllers/CiphersController.cs: 574 | Attack Vector |
| Log_Forging | /src/Api/Vault/Controllers/CiphersController.cs: 553 | Attack Vector |
| Log_Forging | /src/Api/Vault/Controllers/CiphersController.cs: 530 | Attack Vector |
| Log_Forging | /src/Api/Vault/Controllers/CiphersController.cs: 603 | Attack Vector |
| Log_Forging | /bitwarden_license/src/Scim/Controllers/v2/UsersController.cs: 114 | Attack Vector |
| Log_Forging | /bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs: 98 | Attack Vector |
| Open_Redirect | /src/Admin/Controllers/ToolsController.cs: 490 | Attack Vector |
| Open_Redirect | /bitwarden_license/src/Sso/Controllers/AccountController.cs: 167 | Attack Vector |
| Unpinned Actions Full Length Commit SHA | /version-bump.yml: 137 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| Unpinned Actions Full Length Commit SHA | /version-bump.yml: 122 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| Unpinned Actions Full Length Commit SHA | /version-bump.yml: 220 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| Unpinned Actions Full Length Commit SHA | /build.yml: 598 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| Unpinned Actions Full Length Commit SHA | /version-bump.yml: 129 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
Fixed Issues
| Issue | Source File / Package |
|---|---|
| CSRF | /src/Billing/Controllers/RecoveryController.cs: 38 |
| CSRF | /src/Api/Billing/Controllers/OrganizationsController.cs: 105 |
| CSRF | /src/Api/Billing/Controllers/OrganizationsController.cs: 49 |
| CSRF | /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 536 |
| CSRF | /src/Api/Auth/Controllers/TwoFactorController.cs: 112 |
| CSRF | /src/Api/SecretsManager/Controllers/SecretsController.cs: 79 |
| CSRF | /src/Api/SecretsManager/Controllers/SecretsController.cs: 128 |
| CSRF | /src/Api/SecretsManager/Controllers/SecretsTrashController.cs: 32 |
| Privacy_Violation | /src/Api/Auth/Models/Request/Accounts/SetPasswordRequestModel.cs: 28 |
| Privacy_Violation | /src/Core/Services/Implementations/UserService.cs: 1293 |
| Unpinned Actions Full Length Commit SHA | /repository-management.yml: 119 |
| Unpinned Actions Full Length Commit SHA | /repository-management.yml: 104 |
| Unpinned Actions Full Length Commit SHA | /repository-management.yml: 111 |
| Unpinned Actions Full Length Commit SHA | /build.yml: 582 |
| Unpinned Actions Full Length Commit SHA | /repository-management.yml: 60 |
| Unpinned Actions Full Length Commit SHA | /build.yml: 631 |
| Heap_Inspection | /src/Core/Constants.cs: 129 |
| Heap_Inspection | /src/Core/Vault/Services/Implementations/LocalAttachmentStorageService.cs: 34 |
| Heap_Inspection | /src/Api/Vault/Controllers/CiphersController.cs: 1125 |
| Log_Forging | /src/Billing/Controllers/RecoveryController.cs: 38 |
| Log_Forging | /src/Billing/Controllers/RecoveryController.cs: 38 |
| Log_Forging | /src/Billing/Controllers/RecoveryController.cs: 38 |
| Log_Forging | /src/Billing/Controllers/RecoveryController.cs: 38 |
| Log_Forging | /src/Api/AdminConsole/Controllers/ProvidersController.cs: 72 |
| Log_Forging | /src/Api/AdminConsole/Controllers/ProvidersController.cs: 72 |
| Log_Forging | /src/Billing/Controllers/RecoveryController.cs: 38 |
| Log_Forging | /src/Billing/Controllers/StripeController.cs: 164 |
| Log_Forging | /src/Billing/Controllers/RecoveryController.cs: 38 |
| Log_Forging | /src/Billing/Controllers/StripeController.cs: 164 |
| Log_Forging | /src/Billing/Controllers/RecoveryController.cs: 38 |
| Log_Forging | /src/Billing/Controllers/RecoveryController.cs: 38 |
| Log_Forging | /src/Billing/Controllers/RecoveryController.cs: 38 |
| Log_Forging | /src/Billing/Controllers/RecoveryController.cs: 38 |
| Log_Forging | /src/Billing/Controllers/RecoveryController.cs: 38 |
| Log_Forging | /src/Identity/Billing/Controller/AccountsController.cs: 23 |
| Log_Forging | /src/Billing/Controllers/RecoveryController.cs: 38 |
| Log_Forging | /src/Billing/Controllers/RecoveryController.cs: 38 |
| Log_Forging | /src/Billing/Controllers/RecoveryController.cs: 38 |
| Log_Forging | /src/Billing/Controllers/RecoveryController.cs: 38 |
| Log_Forging | /src/Billing/Controllers/RecoveryController.cs: 38 |
| Log_Forging | /src/Billing/Controllers/StripeController.cs: 164 |
| Log_Forging | /src/Billing/Controllers/RecoveryController.cs: 38 |
| Log_Forging | /src/Billing/Controllers/StripeController.cs: 164 |
| Log_Forging | /src/Billing/Controllers/RecoveryController.cs: 38 |
| Log_Forging | /src/Billing/Controllers/RecoveryController.cs: 38 |
| Log_Forging | /src/Billing/Controllers/RecoveryController.cs: 38 |
| Log_Forging | /src/Billing/Controllers/RecoveryController.cs: 38 |
| Log_Forging | /src/Billing/Controllers/RecoveryController.cs: 38 |
| Log_Forging | /src/Billing/Controllers/RecoveryController.cs: 38 |
| Log_Forging | /src/Api/Billing/Controllers/ProviderBillingController.cs: 52 |
| Unpinned Actions Full Length Commit SHA | /repository-management.yml: 111 |
| Unpinned Actions Full Length Commit SHA | /repository-management.yml: 119 |
| Unpinned Actions Full Length Commit SHA | /build.yml: 582 |
| Unpinned Actions Full Length Commit SHA | /repository-management.yml: 104 |
| Unpinned Actions Full Length Commit SHA | /build.yml: 631 |
| Unpinned Actions Full Length Commit SHA | /repository-management.yml: 60 |
| Use_Of_Hardcoded_Password | /src/Core/Constants.cs: 141 |
| Use_Of_Hardcoded_Password | /src/Core/Constants.cs: 129 |