From 6bc7a3cdc05f4bf4a73641b03a254648ad36929a Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Sat, 27 Jun 2020 15:08:50 -0400
Subject: [PATCH] adjust cors origin checks (#800)
* allow cors from bitwarden.com on cloud
* allow file:// cors for safari extension
* fix missing paren
---
 src/Api/Startup.cs | 2 +-
 src/Core/IdentityServer/VaultCorsPolicyService.cs | 9 +++++----
 src/Core/Utilities/CoreHelpers.cs | 11 +++++++++++
 src/Core/Utilities/ServiceCollectionExtensions.cs | 2 +-
 src/Events/Startup.cs | 2 +-
 src/Notifications/Startup.cs | 2 +-
 6 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/src/Api/Startup.cs b/src/Api/Startup.cs
index 1c6aef12f4..e682759c3e 100644
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@@ -169,7 +169,7 @@ namespace Bit.Api
 app.UseRouting();
 // Add Cors
- app.UseCors(policy => policy.SetIsOriginAllowed(o => o == globalSettings.BaseServiceUri.Vault)
+ app.UseCors(policy => policy.SetIsOriginAllowed(o => CoreHelpers.IsCorsOriginAllowed(o, globalSettings))
 .AllowAnyMethod().AllowAnyHeader().AllowCredentials());
 // Add authentication and authorization to the request pipeline.
diff --git a/src/Core/IdentityServer/VaultCorsPolicyService.cs b/src/Core/IdentityServer/VaultCorsPolicyService.cs
index 51476a962a..eaa19474a2 100644
--- a/src/Core/IdentityServer/VaultCorsPolicyService.cs
+++ b/src/Core/IdentityServer/VaultCorsPolicyService.cs
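Review bot: The `// Add Cors` comment above the rewired `app.UseCors(...)` call no longer tells a reader where the allowlist lives or that the policy is credentialed, which matters now that the same predicate is shared with the Events and Notifications startups and, via CustomCorsPolicyService, apparently with the IdentityServer CORS check. Suggest `// Add Cors: credentialed policy; allowed origins are centralised in CoreHelpers.IsCorsOriginAllowed (web vault, Safari extension "file://", and bitwarden.com on cloud)`. The enclosing Configure method starts and ends outside the hunk.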
@@ -1,20 +1,21 @@
-using IdentityServer4.Services;
+using Bit.Core.Utilities;
+using IdentityServer4.Services;
 using System.Threading.Tasks;
 namespace Bit.Core.IdentityServer
 {
- public class VaultCorsPolicyService : ICorsPolicyService
+ public class CustomCorsPolicyService : ICorsPolicyService
 {
 private readonly GlobalSettings _globalSettings;
- public VaultCorsPolicyService(GlobalSettings globalSettings)
+ public CustomCorsPolicyService(GlobalSettings globalSettings)
 {
 _globalSettings = globalSettings;
 }
 public Task IsOriginAllowedAsync(string origin)
 {
- return Task.FromResult(origin == _globalSettings.BaseServiceUri.Vault);
+ return Task.FromResult(CoreHelpers.IsCorsOriginAllowed(origin, _globalSettings));
 }
 }
 }
diff --git a/src/Core/Utilities/CoreHelpers.cs b/src/Core/Utilities/CoreHelpers.cs
index bf71f7c562..594d8d0ae2 100644
--- a/src/Core/Utilities/CoreHelpers.cs
+++ b/src/Core/Utilities/CoreHelpers.cs
@@ -595,5 +595,16 @@ namespace Bit.Core.Utilities
 return httpContext.Connection?.RemoteIpAddress?.ToString();
 }
+
+ public static bool IsCorsOriginAllowed(string origin, GlobalSettings globalSettings)
+ {
+ return
+ // Web vault
+ origin == globalSettings.BaseServiceUri.Vault ||
+ // Safari extension origin
+ origin == "file://" ||
+ // Product website
+ (!globalSettings.SelfHosted && origin == "https://bitwarden.com");
+ }
 }
 }
diff --git a/src/Core/Utilities/ServiceCollectionExtensions.cs b/src/Core/Utilities/ServiceCollectionExtensions.cs
index 89bd9a96c5..ac49a7718c 100644
--- a/src/Core/Utilities/ServiceCollectionExtensions.cs
+++ b/src/Core/Utilities/ServiceCollectionExtensions.cs
@@ -382,7 +382,7 @@ namespace Bit.Core.Utilities
 }
 services.AddTransient();
- services.AddTransient();
+ services.AddTransient();
 services.AddScoped();
 services.AddScoped();
 services.AddSingleton();
diff --git a/src/Events/Startup.cs b/src/Events/Startup.cs
index 4149dffb70..8f877fa05b 100644
--- a/src/Events/Startup.cs
+++ b/src/Events/Startup.cs
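Review bot: `origin == "file://"` in IsCorsOriginAllowed admits more than the Safari extension: any page served from the local filesystem in a browser that sends `Origin: file://` matches it, and every caller in this patch pairs the predicate with `.AllowCredentials()` (the Api, Events and Notifications startups, plus whatever IdentityServer does with CustomCorsPolicyService). Whether that is exploitable depends on whether any of those endpoints honour cookies or other ambient credentials rather than only bearer tokens, which is not visible here, so it is worth confirming before treating the allowlist as a control. At minimum the inline comment should carry the caveat, e.g. `// Safari extension pages present "file://" as their origin; this also matches any locally-opened HTML file, so it must not be the only control on credentialed endpoints`. An XML `<summary>` on the method naming the three admitted origins, stating that the comparison is exact (no subdomains, no trailing slash, null origin rejected), and explaining why self-hosted excludes bitwarden.com would also help now that this helper is the single CORS policy for several services.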
@@ -101,7 +101,7 @@ namespace Bit.Events
 app.UseRouting();
 // Add Cors
- app.UseCors(policy => policy.SetIsOriginAllowed(o => o == globalSettings.BaseServiceUri.Vault)
+ app.UseCors(policy => policy.SetIsOriginAllowed(o => CoreHelpers.IsCorsOriginAllowed(o, globalSettings))
 .AllowAnyMethod().AllowAnyHeader().AllowCredentials());
 // Add authentication and authorization to the request pipeline.
diff --git a/src/Notifications/Startup.cs b/src/Notifications/Startup.cs
index 564db90e27..aafc8f82cd 100644
--- a/src/Notifications/Startup.cs
+++ b/src/Notifications/Startup.cs
@@ -102,7 +102,7 @@ namespace Bit.Notifications
 app.UseRouting();
 // Add Cors
- app.UseCors(policy => policy.SetIsOriginAllowed(o => o == globalSettings.BaseServiceUri.Vault)
+ app.UseCors(policy => policy.SetIsOriginAllowed(o => CoreHelpers.IsCorsOriginAllowed(o, globalSettings))
 .AllowAnyMethod().AllowAnyHeader().AllowCredentials());
 // Add authentication to the request pipeline.