Disallow non ascii in equivalent domain (#5852)

* Test malicious domain change * Add tests to detect non-ascii characters * Revert "Test malicious domain change" This reverts commit 0602bf6d844b611304aba139e9f49cd38594273a. * Remove confusing comment from when I was going to detect problems differently * Update test/Core.Test/Utilities/StaticStoreTests.cs Co-authored-by: Matt Bishop <mbishop@bitwarden.com> * Update test/Core.Test/Utilities/StaticStoreTests.cs Co-authored-by: Matt Bishop <mbishop@bitwarden.com> --------- Co-authored-by: Matt Bishop <mbishop@bitwarden.com>
2025-05-29 07:14:50 -05:00 · 2025-05-23 10:31:10 -04:00 · 2025-05-23 10:31:10 -04:00 · 542941818a
commit 542941818a
parent 198d96e155
1 changed files with 27 additions and 0 deletions
--- a/test/Core.Test/Utilities/StaticStoreTests.cs
+++ b/test/Core.Test/Utilities/StaticStoreTests.cs
@ -28,4 +28,31 @@ public class StaticStoreTests
        Assert.NotNull(plan);
        Assert.Equal(planType, plan.Type);
    }
+
+    [Fact]
+    public void StaticStore_GlobalEquivalentDomains_OnlyAsciiAllowed()
+    {
+        // Ref: https://daniel.haxx.se/blog/2025/05/16/detecting-malicious-unicode/
+        // URLs can contain unicode characters that to a computer would point to completely seperate domains but to the
+        // naked eye look completely identical. For example 'g' and 'ց' look incredibly similar but when included in a 
+        // URL would lead you somewhere different. There is an opening for an attacker to contribute to Bitwarden with a 
+        // url update that could be missed in code review and then if they got a user to that URL Bitwarden could
+        // consider it equivalent with a cipher in the users vault and offer autofill when we should not.
+        // GitHub does now show a warning on non-ascii characters but it could still be missed.
+        // https://github.blog/changelog/2025-05-01-github-now-provides-a-warning-about-hidden-unicode-text/
+
+        // To defend against this:
+        // Loop through all equivalent domains and fail if any contain a non-ascii character
+        // non-ascii character can make a valid URL so it's possible that in the future we have a domain
+        // we want to allow list, that should be done through `continue`ing in the below foreach loop
+        // only if the domain strictly equals (do NOT use InvariantCulture comparison) the one added to our allow list.
+        foreach (var domain in StaticStore.GlobalDomains.SelectMany(p => p.Value))
+        {
+            for (var i = 0; i < domain.Length; i++)
+            {
+                var character = domain[i];
+                Assert.True(char.IsAscii(character), $"Domain: {domain} contains non-ASCII character: '{character}' at index: {i}");
+            }
+        }
+    }
 }