
Disallow non ascii in equivalent domain (#5852)

* Test malicious domain change

* Add tests to detect non-ascii characters

* Revert "Test malicious domain change"

This reverts commit 0602bf6d844b611304aba139e9f49cd38594273a.

* Remove confusing comment from when I was going to detect problems differently

* Update test/Core.Test/Utilities/StaticStoreTests.cs

Co-authored-by: Matt Bishop <mbishop@bitwarden.com>

* Update test/Core.Test/Utilities/StaticStoreTests.cs

Co-authored-by: Matt Bishop <mbishop@bitwarden.com>

---------

Co-authored-by: Matt Bishop <mbishop@bitwarden.com>
Justin Baur 2025-05-23 10:31:10 -04:00 committed by GitHub
parent 198d96e155
commit 542941818a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


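--- a/test/Core.Test/Utilities/StaticStoreTests.cs
+++ b/test/Core.Test/Utilities/StaticStoreTests.cs
@@ -28,4 +28,31 @@ public class StaticStoreTests
 Assert.NotNull(plan);
 Assert.Equal(planType, plan.Type);
 }
+[Fact]
+public void StaticStore_GlobalEquivalentDomains_OnlyAsciiAllowed()
+{
+// Ref: https://daniel.haxx.se/blog/2025/05/16/detecting-malicious-unicode/
+// URLs can contain unicode characters that to a computer would point to completely seperate domains but to the
+// naked eye look completely identical. For example 'g' and 'ց' look incredibly similar but when included in a
+// URL would lead you somewhere different. There is an opening for an attacker to contribute to Bitwarden with a
+// url update that could be missed in code review and then if they got a user to that URL Bitwarden could
+// consider it equivalent with a cipher in the users vault and offer autofill when we should not.
+// GitHub does now show a warning on non-ascii characters but it could still be missed.
+// https://github.blog/changelog/2025-05-01-github-now-provides-a-warning-about-hidden-unicode-text/
+// To defend against this:
+// Loop through all equivalent domains and fail if any contain a non-ascii character
+// non-ascii character can make a valid URL so it's possible that in the future we have a domain
+// we want to allow list, that should be done through `continue`ing in the below foreach loop
+// only if the domain strictly equals (do NOT use InvariantCulture comparison) the one added to our allow list.
+foreach (var domain in StaticStore.GlobalDomains.SelectMany(p => p.Value))
+{
+for (var i = 0; i < domain.Length; i++)
+{
+var character = domain[i];
+Assert.True(char.IsAscii(character), $"Domain: {domain} contains non-ASCII character: '{character}' at index: {i}");
+}
+}
+}
 }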
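Review bot: The failure message on the Assert.True line prints the offending character itself, which for a homoglyph is exactly the thing a reader cannot distinguish from its ASCII lookalike; reporting the code point makes the failure unambiguous, e.g. `$"Domain: {domain} contains non-ASCII character U+{(int)character:X4} at index: {i}"`. Because the assertion sits inside the loop, the test stops at the first offending domain rather than listing every one, which is acceptable today but worth collecting into a single message if the domain list grows. char.IsAscii also admits the ASCII control range (U+0000–U+001F), so a domain containing a tab or NUL would pass; that is outside the lookalike concern this test targets, but a stricter allowlist of letters, digits, '-' and '.' would close it. Minor: 'seperate' in the comment should read 'separate'.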