
Require valid Send-Id header for access requests (#1381)

* Require valid Send-Id header for access requests

* Require valid Send-Id header for Send file access

* Add ICurrentContext to Send controller test
Thomas Rittson 2021-06-08 14:34:36 -07:00 committed by GitHub
parent 30611bd78b
commit e2ff13aa14
2 changed files with 24 additions and 2 deletions


@ -11,6 +11,7 @@ using Bit.Core.Utilities;
using Bit.Core.Settings;
using Bit.Core.Models.Api.Response;
using Bit.Core.Enums;
using Bit.Core.Context;
using Microsoft.Azure.EventGrid.Models;
using Bit.Api.Utilities;
using System.Collections.Generic;
@ -31,6 +32,7 @@ namespace Bit.Api.Controllers
private readonly ISendFileStorageService _sendFileStorageService;
private readonly ILogger<SendsController> _logger;
private readonly GlobalSettings _globalSettings;
private readonly ICurrentContext _currentContext;
public SendsController(
ISendRepository sendRepository,
@ -38,7 +40,8 @@ namespace Bit.Api.Controllers
ISendService sendService,
ISendFileStorageService sendFileStorageService,
ILogger<SendsController> logger,
GlobalSettings globalSettings)
GlobalSettings globalSettings,
ICurrentContext currentContext)
{
_sendRepository = sendRepository;
_userService = userService;
@ -46,12 +49,20 @@ namespace Bit.Api.Controllers
_sendFileStorageService = sendFileStorageService;
_logger = logger;
_globalSettings = globalSettings;
_currentContext = currentContext;
}
[AllowAnonymous]
[HttpPost("access/{id}")]
public async Task<IActionResult> Access(string id, [FromBody] SendAccessRequestModel model)
{
// Uncomment whenever we want to require the `send-id` header
//if (!_currentContext.HttpContext.Request.Headers.ContainsKey("Send-Id") ||
// _currentContext.HttpContext.Request.Headers["Send-Id"] != id)
//{
// throw new BadRequestException("Invalid Send-Id header.");
//}
var guid = new Guid(CoreHelpers.Base64UrlDecode(id));
var (send, passwordRequired, passwordInvalid) =
await _sendService.AccessAsync(guid, model.Password);
@ -83,6 +94,13 @@ namespace Bit.Api.Controllers
public async Task<IActionResult> GetSendFileDownloadData(string encodedSendId,
string fileId, [FromBody] SendAccessRequestModel model)
{
// Uncomment whenever we want to require the `send-id` header
//if (!_currentContext.HttpContext.Request.Headers.ContainsKey("Send-Id") ||
// _currentContext.HttpContext.Request.Headers["Send-Id"] != encodedSendId)
//{
// throw new BadRequestException("Invalid Send-Id header.");
//}
var sendId = new Guid(CoreHelpers.Base64UrlDecode(encodedSendId));
var send = await _sendRepository.GetByIdAsync(sendId);
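Review bot: The Send-Id check this commit is named for is committed commented out in both `Access` and `GetSendFileDownloadData` ("Uncomment whenever we want to require the `send-id` header"), so nothing is enforced yet and the two copies can drift before they are ever enabled; the `// Uncomment ...` comment should say why it is disabled (client rollout? compatibility?) so the next reader knows when it is safe to turn on. Rather than keeping two identical commented blocks, I would move the comparison into one private helper that both actions call, using `TryGetValue` instead of `ContainsKey` plus the indexer, and keep it before the `Base64UrlDecode`/`new Guid` calls as it is now so a rejected request never reaches the decode. If `ICurrentContext.HttpContext` can be null outside a request pipeline (not visible here), the helper needs a null guard as well. Both enclosing actions continue past the end of their hunks.
```csharp
// Shared by Access and GetSendFileDownloadData so both anonymous endpoints
// apply exactly the same Send-Id rule once it is enabled; ordinal comparison.
private void RequireSendIdHeader(string expectedId)
{
    if (!_currentContext.HttpContext.Request.Headers.TryGetValue("Send-Id", out var sendId) ||
        sendId != expectedId)
    {
        throw new BadRequestException("Invalid Send-Id header.");
    }
}
```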


@ -1,5 +1,6 @@
using AutoFixture.Xunit2;
using Bit.Api.Controllers;
using Bit.Core.Context;
using Bit.Core.Enums;
using Bit.Core.Models.Api;
using Bit.Core.Models.Table;
@ -28,6 +29,7 @@ namespace Bit.Api.Test.Controllers
private readonly ISendService _sendService;
private readonly ISendFileStorageService _sendFileStorageService;
private readonly ILogger<SendsController> _logger;
private readonly ICurrentContext _currentContext;
public SendsControllerTests()
{
@ -37,6 +39,7 @@ namespace Bit.Api.Test.Controllers
_sendFileStorageService = Substitute.For<ISendFileStorageService>();
_globalSettings = new GlobalSettings();
_logger = Substitute.For<ILogger<SendsController>>();
_currentContext = Substitute.For<ICurrentContext>();
_sut = new SendsController(
_sendRepository,
@ -44,7 +47,8 @@ namespace Bit.Api.Test.Controllers
_sendService,
_sendFileStorageService,
_logger,
_globalSettings
_globalSettings,
_currentContext
);
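Review bot: The `_currentContext` substitute added in the constructor is never configured, so once the Send-Id check in the controller is enabled, `_currentContext.HttpContext` will be whatever NSubstitute auto-returns rather than a request with headers, and no test in this hunk pins the header behaviour. A test that covers the enabled check would need something like `_currentContext.HttpContext.Returns(new DefaultHttpContext());` and then set `Request.Headers["Send-Id"]` on it before calling `Access`, asserting `BadRequestException` on a mismatch — I would add that alongside this wiring so the substitute is not dead setup. The test class body continues outside the hunk, so I cannot tell whether such a test exists elsewhere.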
}