
Require valid Send-Id header for access requests (#1381)

* Require valid Send-Id header for access requests

* Require valid Send-Id header for Send file access

* Add ICurrentContext to Send controller test
Thomas Rittson 2021-06-08 14:34:36 -07:00 committed by GitHub
parent 30611bd78b
commit e2ff13aa14
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 24 additions and 2 deletions


@ -11,6 +11,7 @@ using Bit.Core.Utilities;
using Bit.Core.Settings; using Bit.Core.Settings;
using Bit.Core.Models.Api.Response; using Bit.Core.Models.Api.Response;
using Bit.Core.Enums; using Bit.Core.Enums;
using Bit.Core.Context;
using Microsoft.Azure.EventGrid.Models; using Microsoft.Azure.EventGrid.Models;
using Bit.Api.Utilities; using Bit.Api.Utilities;
using System.Collections.Generic; using System.Collections.Generic;
@ -31,6 +32,7 @@ namespace Bit.Api.Controllers
private readonly ISendFileStorageService _sendFileStorageService; private readonly ISendFileStorageService _sendFileStorageService;
private readonly ILogger<SendsController> _logger; private readonly ILogger<SendsController> _logger;
private readonly GlobalSettings _globalSettings; private readonly GlobalSettings _globalSettings;
private readonly ICurrentContext _currentContext;
public SendsController( public SendsController(
ISendRepository sendRepository, ISendRepository sendRepository,
@ -38,7 +40,8 @@ namespace Bit.Api.Controllers
ISendService sendService, ISendService sendService,
ISendFileStorageService sendFileStorageService, ISendFileStorageService sendFileStorageService,
ILogger<SendsController> logger, ILogger<SendsController> logger,
GlobalSettings globalSettings) GlobalSettings globalSettings,
ICurrentContext currentContext)
{ {
_sendRepository = sendRepository; _sendRepository = sendRepository;
_userService = userService; _userService = userService;
@ -46,12 +49,20 @@ namespace Bit.Api.Controllers
_sendFileStorageService = sendFileStorageService; _sendFileStorageService = sendFileStorageService;
_logger = logger; _logger = logger;
_globalSettings = globalSettings; _globalSettings = globalSettings;
_currentContext = currentContext;
} }
[AllowAnonymous] [AllowAnonymous]
[HttpPost("access/{id}")] [HttpPost("access/{id}")]
public async Task<IActionResult> Access(string id, [FromBody] SendAccessRequestModel model) public async Task<IActionResult> Access(string id, [FromBody] SendAccessRequestModel model)
{ {
// Uncomment whenever we want to require the `send-id` header
//if (!_currentContext.HttpContext.Request.Headers.ContainsKey("Send-Id") ||
// _currentContext.HttpContext.Request.Headers["Send-Id"] != id)
//{
// throw new BadRequestException("Invalid Send-Id header.");
//}
var guid = new Guid(CoreHelpers.Base64UrlDecode(id)); var guid = new Guid(CoreHelpers.Base64UrlDecode(id));
var (send, passwordRequired, passwordInvalid) = var (send, passwordRequired, passwordInvalid) =
await _sendService.AccessAsync(guid, model.Password); await _sendService.AccessAsync(guid, model.Password);
@ -83,6 +94,13 @@ namespace Bit.Api.Controllers
public async Task<IActionResult> GetSendFileDownloadData(string encodedSendId, public async Task<IActionResult> GetSendFileDownloadData(string encodedSendId,
string fileId, [FromBody] SendAccessRequestModel model) string fileId, [FromBody] SendAccessRequestModel model)
{ {
// Uncomment whenever we want to require the `send-id` header
//if (!_currentContext.HttpContext.Request.Headers.ContainsKey("Send-Id") ||
// _currentContext.HttpContext.Request.Headers["Send-Id"] != encodedSendId)
//{
// throw new BadRequestException("Invalid Send-Id header.");
//}
var sendId = new Guid(CoreHelpers.Base64UrlDecode(encodedSendId)); var sendId = new Guid(CoreHelpers.Base64UrlDecode(encodedSendId));
var send = await _sendRepository.GetByIdAsync(sendId); var send = await _sendRepository.GetByIdAsync(sendId);
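Review bot: The Send-Id check added at the top of Access and again in GetSendFileDownloadData is commented out, so nothing is enforced despite the commit title; the only live change in this file is the new ICurrentContext dependency. If enforcement is deliberately deferred, the comment should state what gates it rather than `whenever we want to`, e.g. `// TODO: enable once all clients send Send-Id on access requests; a custom header forces a CORS preflight on this [AllowAnonymous] endpoint, so plain cross-site form posts are rejected` — that rationale is my inference from the anonymous endpoint, confirm it before writing it down. When the check is enabled, the `ContainsKey` half is redundant: `Headers["Send-Id"]` yields `StringValues.Empty` for a missing header and `!= id` already fails, so `if (_currentContext.HttpContext.Request.Headers["Send-Id"] != id)` is sufficient and also rejects a duplicated header, since a multi-valued StringValues never equals a single string. Both method bodies continue past the end of this section, so the exception mapping for a malformed `id` in `Base64UrlDecode` is not visible here.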


@ -1,5 +1,6 @@
using AutoFixture.Xunit2; using AutoFixture.Xunit2;
using Bit.Api.Controllers; using Bit.Api.Controllers;
using Bit.Core.Context;
using Bit.Core.Enums; using Bit.Core.Enums;
using Bit.Core.Models.Api; using Bit.Core.Models.Api;
using Bit.Core.Models.Table; using Bit.Core.Models.Table;
@ -28,6 +29,7 @@ namespace Bit.Api.Test.Controllers
private readonly ISendService _sendService; private readonly ISendService _sendService;
private readonly ISendFileStorageService _sendFileStorageService; private readonly ISendFileStorageService _sendFileStorageService;
private readonly ILogger<SendsController> _logger; private readonly ILogger<SendsController> _logger;
private readonly ICurrentContext _currentContext;
public SendsControllerTests() public SendsControllerTests()
{ {
@ -37,6 +39,7 @@ namespace Bit.Api.Test.Controllers
_sendFileStorageService = Substitute.For<ISendFileStorageService>(); _sendFileStorageService = Substitute.For<ISendFileStorageService>();
_globalSettings = new GlobalSettings(); _globalSettings = new GlobalSettings();
_logger = Substitute.For<ILogger<SendsController>>(); _logger = Substitute.For<ILogger<SendsController>>();
_currentContext = Substitute.For<ICurrentContext>();
_sut = new SendsController( _sut = new SendsController(
_sendRepository, _sendRepository,
@ -44,7 +47,8 @@ namespace Bit.Api.Test.Controllers
_sendService, _sendService,
_sendFileStorageService, _sendFileStorageService,
_logger, _logger,
_globalSettings _globalSettings,
_currentContext
); );
} }
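Review bot: The new `_currentContext` substitute is only wired into the constructor; no test exercises the Send-Id requirement, which is understandable while the controller check is commented out, but this is the place that gap must be closed when it is enabled. Because the substitute does not supply a real request, such a test would likely need `_currentContext.HttpContext.Returns(new DefaultHttpContext())` with the `Send-Id` header set to the route id, plus a second case asserting `BadRequestException` when the header is missing or mismatched. Consider adding those cases now, skipped alongside the commented-out controller code, so enabling the check cannot ship untested.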