nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-06-06 03:00:36 -05:00
Code

Merge branch 'main' into ac/pm-18238/add-requiretwofactorpolicyrequirement

Browse Source
This commit is contained in:
Rui Tome 2025-05-26 10:19:03 +01:00
commit d98b4b3c4e
No known key found for this signature in database
GPG Key ID: 526239D96A8EC066
1 changed files with 27 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
test/Core.Test/Utilities/StaticStoreTests.cs
View File

@ -28,4 +28,31 @@ public class StaticStoreTests
Assert.NotNull(plan);
Assert.Equal(planType, plan.Type);
}
[Fact]
public void StaticStore_GlobalEquivalentDomains_OnlyAsciiAllowed()
{
// Ref: https://daniel.haxx.se/blog/2025/05/16/detecting-malicious-unicode/
// URLs can contain unicode characters that to a computer would point to completely seperate domains but to the
// naked eye look completely identical. For example 'g' and 'ց' look incredibly similar but when included in a
// URL would lead you somewhere different. There is an opening for an attacker to contribute to Bitwarden with a
// url update that could be missed in code review and then if they got a user to that URL Bitwarden could
// consider it equivalent with a cipher in the users vault and offer autofill when we should not.
// GitHub does now show a warning on non-ascii characters but it could still be missed.
// https://github.blog/changelog/2025-05-01-github-now-provides-a-warning-about-hidden-unicode-text/
// To defend against this:
// Loop through all equivalent domains and fail if any contain a non-ascii character
// non-ascii character can make a valid URL so it's possible that in the future we have a domain
// we want to allow list, that should be done through `continue`ing in the below foreach loop
// only if the domain strictly equals (do NOT use InvariantCulture comparison) the one added to our allow list.
foreach (var domain in StaticStore.GlobalDomains.SelectMany(p => p.Value))
{
for (var i = 0; i < domain.Length; i++)
{
var character = domain[i];
Assert.True(char.IsAscii(character), $"Domain: {domain} contains non-ASCII character: '{character}' at index: {i}");
}
}
}
}