
PM-19061 - Innovation Sprint - OPAQUE Login Strategy #13832

Merged
merged 28 commits into from
Mar 17, 2025

Conversation

JaredSnider-Bitwarden
Contributor

@JaredSnider-Bitwarden JaredSnider-Bitwarden commented Mar 13, 2025

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-19061

📔 Objective

📸 Screenshots

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags)
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes

@JaredSnider-Bitwarden JaredSnider-Bitwarden changed the title Innovation/opaque login strategy Innovation Sprint - OPAQUE Login Strategy Mar 13, 2025
@JaredSnider-Bitwarden JaredSnider-Bitwarden changed the title Innovation Sprint - OPAQUE Login Strategy PM-19061 - Innovation Sprint - OPAQUE Login Strategy Mar 13, 2025

codecov bot commented Mar 13, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 6.00%. Comparing base (28079df) to head (ed180dd).
Report is 5 commits behind head on innovation/opaque.

@@                Coverage Diff                 @@
##           innovation/opaque   #13832   +/-   ##
==================================================
  Coverage               6.00%    6.00%           
==================================================
  Files                     27       27           
  Lines                   1665     1665           
==================================================
  Hits                     100      100           
  Misses                  1565     1565           


Contributor

github-actions bot commented Mar 13, 2025

Checkmarx One – Scan Summary & Details 0aa3cec1-0317-40f5-b9fa-c9802d25e905

New Issues (60)

Checkmarx found the following issues in this Pull Request

Severity | Issue | Source File / Package | Checkmarx Insight
CRITICAL | CVE-2025-0611 | Npm-electron-34.0.0 | Vulnerable Package
CRITICAL | CVE-2025-0998 | Npm-electron-34.0.0 | Vulnerable Package
HIGH | CVE-2025-0451 | Npm-electron-34.0.0 | Vulnerable Package
HIGH | CVE-2025-0612 | Npm-electron-34.0.0 | Vulnerable Package
HIGH | CVE-2025-0762 | Npm-electron-34.0.0 | Vulnerable Package
HIGH | CVE-2025-0995 | Npm-electron-34.0.0 | Vulnerable Package
HIGH | CVE-2025-0997 | Npm-electron-34.0.0 | Vulnerable Package
HIGH | CVE-2025-0999 | Npm-electron-34.0.0 | Vulnerable Package
HIGH | CVE-2025-1426 | Npm-electron-34.0.0 | Vulnerable Package
HIGH | CVE-2025-1914 | Npm-electron-34.0.0 | Vulnerable Package
HIGH | CVE-2025-1915 | Npm-electron-34.0.0 | Vulnerable Package
HIGH | CVE-2025-1916 | Npm-electron-34.0.0 | Vulnerable Package
HIGH | CVE-2025-1918 | Npm-electron-34.0.0 | Vulnerable Package
HIGH | CVE-2025-1919 | Npm-electron-34.0.0 | Vulnerable Package
HIGH | CVE-2025-1920 | Npm-electron-34.0.0 | Vulnerable Package
HIGH | CVE-2025-2135 | Npm-electron-34.0.0 | Vulnerable Package
HIGH | CVE-2025-2136 | Npm-electron-34.0.0 | Vulnerable Package
HIGH | CVE-2025-2137 | Npm-electron-34.0.0 | Vulnerable Package
HIGH | Client_DOM_XSS | /apps/web/src/connectors/redirect.ts: 6 | The method Lambda embeds untrusted data in generated output with href, at line 16 of /apps/web/src/connectors/redirect.ts. This untrusted data is e...
HIGH | Cxdca8e59f-8bfe | Npm-inflight-1.0.6 | Vulnerable Package
MEDIUM | Absolute_Path_Traversal | /apps/cli/src/oss-serve-configurator.ts: 296 | Method Lambda at line 296 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element's value then flows thro...
MEDIUM | Absolute_Path_Traversal | /apps/cli/src/oss-serve-configurator.ts: 328 | Method Lambda at line 328 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element's value then flows thro...
MEDIUM | Absolute_Path_Traversal | /apps/cli/src/oss-serve-configurator.ts: 328 | Method Lambda at line 328 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element's value then flows thro...
MEDIUM | Absolute_Path_Traversal | /apps/cli/src/oss-serve-configurator.ts: 296 | Method Lambda at line 296 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element's value then flows thro...
MEDIUM | CVE-2024-53382 | Npm-prismjs-1.29.0 | Vulnerable Package
MEDIUM | CVE-2024-6531 | Npm-bootstrap-4.6.0 | Vulnerable Package
MEDIUM | CVE-2025-0444 | Npm-electron-34.0.0 | Vulnerable Package
MEDIUM | CVE-2025-0445 | Npm-electron-34.0.0 | Vulnerable Package
MEDIUM | CVE-2025-0996 | Npm-electron-34.0.0 | Vulnerable Package
MEDIUM | CVE-2025-1917 | Npm-electron-34.0.0 | Vulnerable Package
MEDIUM | CVE-2025-1921 | Npm-electron-34.0.0 | Vulnerable Package
MEDIUM | CVE-2025-1922 | Npm-electron-34.0.0 | Vulnerable Package
MEDIUM | CVE-2025-1923 | Npm-electron-34.0.0 | Vulnerable Package
MEDIUM | CVE-2025-24010 | Npm-vite-5.4.6 | Vulnerable Package
MEDIUM | Cxbb85e86c-2fac | Npm-esbuild-0.21.5 | Vulnerable Package
MEDIUM | Cxbb85e86c-2fac | Npm-esbuild-wasm-0.23.0 | Vulnerable Package
MEDIUM | Cxbb85e86c-2fac | Npm-esbuild-0.23.0 | Vulnerable Package
MEDIUM | Insecure_Storage_of_Sensitive_Data | /apps/cli/src/commands/get.command.ts: 365 | The application takes sensitive, personal data cipher, found at line 365 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotected ...
MEDIUM | Insecure_Storage_of_Sensitive_Data | /apps/cli/src/commands/get.command.ts: 332 | The application takes sensitive, personal data cipher, found at line 332 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotected ...
MEDIUM | Insecure_Storage_of_Sensitive_Data | /apps/cli/src/commands/get.command.ts: 382 | The application takes sensitive, personal data cipher, found at line 382 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotected ...
MEDIUM | Insecure_Storage_of_Sensitive_Data | /apps/cli/src/tools/export.command.ts: 69 | The application takes sensitive, personal data password, found at line 69 of /apps/cli/src/tools/export.command.ts, and stores it in an unprotected...
MEDIUM | Insecure_Storage_of_Sensitive_Data | /apps/cli/src/tools/export.command.ts: 65 | The application takes sensitive, personal data password, found at line 65 of /apps/cli/src/tools/export.command.ts, and stores it in an unprotected...
MEDIUM | Missing_HSTS_Header | /apps/cli/src/auth/commands/login.command.ts: 737 | The web-application does not define an HSTS header, leaving it vulnerable to attack.
MEDIUM | Relative_Path_Traversal | /apps/cli/src/oss-serve-configurator.ts: 365 | Method Lambda at line 365 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element's value then flows thro...
MEDIUM | Relative_Path_Traversal | /apps/cli/src/oss-serve-configurator.ts: 365 | Method Lambda at line 365 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element's value then flows thro...
LOW | Angular_Usage_of_Unsafe_DOM_Sanitizer | /apps/desktop/src/app/components/avatar.component.ts: 77 | Usage of an unsafe class bypassSecurityTrustResourceUrl, which overrides output sanitization, was found at /apps/desktop/src/app/components/avatar....
LOW | Angular_Usage_of_Unsafe_DOM_Sanitizer | /libs/components/src/icon/icon.component.ts: 21 | Usage of an unsafe class bypassSecurityTrustHtml, which overrides output sanitization, was found at /libs/components/src/icon/icon.component.ts in ...
LOW | Angular_Usage_of_Unsafe_DOM_Sanitizer | /libs/components/src/avatar/avatar.component.ts: 87 | Usage of an unsafe class bypassSecurityTrustResourceUrl, which overrides output sanitization, was found at /libs/components/src/avatar/avatar.compo...
LOW | Client_DOM_Open_Redirect | /apps/web/src/connectors/redirect.ts: 6 | The potentially tainted value provided by href in /apps/web/src/connectors/redirect.ts at line 6 is used as a destination URL by href in /apps/web/...
LOW | Client_DOM_Open_Redirect | /apps/desktop/src/auth/accessibility-cookie.component.html: 18 | The potentially tainted value provided by link in /apps/desktop/src/auth/accessibility-cookie.component.html at line 18 is used as a destination UR...
LOW | Client_DOM_Open_Redirect | /apps/desktop/src/auth/scripts/duo.js: 277 | The potentially tainted value provided by substring in /apps/desktop/src/auth/scripts/duo.js at line 277 is used as a destination URL by open in /a...
LOW | Client_Use_Of_Iframe_Without_Sandbox | /apps/browser/src/autofill/deprecated/overlay/iframe-content/autofill-overlay-iframe.service.deprecated.ts: 92 | The application employs an HTML iframe whose contents are not properly sandboxed
LOW | Client_Use_Of_Iframe_Without_Sandbox | /apps/browser/src/autofill/overlay/inline-menu/pages/menu-container/autofill-inline-menu-container.ts: 68 | The application employs an HTML iframe whose contents are not properly sandboxed
LOW | Client_Use_Of_Iframe_Without_Sandbox | /apps/browser/src/autofill/overlay/inline-menu/iframe-content/autofill-inline-menu-iframe.service.ts: 87 | The application employs an HTML iframe whose contents are not properly sandboxed
LOW | Cx8bc4df28-fcf5 | Npm-debug-2.6.9 | Vulnerable Package
LOW | Cx8bc4df28-fcf5 | Npm-debug-3.2.7 | Vulnerable Package
LOW | Cxda14f253-4e52 | Npm-bluebird-3.7.2 | Vulnerable Package
LOW | HttpOnly_Cookie_Flag_Not_Set | /apps/web/src/connectors/sso.ts: 41 | The web application's initiateBrowserSso method creates a cookie cookie, at line 41 of /apps/web/src/connectors/sso.ts, and returns it in the respo...
LOW | Missing_CSP_Header | /apps/cli/src/auth/commands/login.command.ts: 737 | A Content Security Policy is not explicitly defined within the web-application.
LOW | Use_of_Broken_or_Risky_Cryptographic_Algorithm | /libs/node/src/services/node-crypto-function.service.ts: 352 | In toNodeCryptoAesMode, the application protects sensitive data using a cryptographic algorithm, "aes-256-ecb", that is considered weak or even tri...

JaredSnider-Bitwarden and others added 21 commits March 13, 2025 16:51
…n logic into login comp (2) update PasswordLoginCredentials to include kdfConfig to pass into login strat
…oginMasterKey (2) Refactor makePrePasswordLoginMasterKey to accept an optional KdfConfig so we can keep the logic tested on the LoginStrategyService
@eliykat eliykat marked this pull request as ready for review March 17, 2025 10:39
@eliykat eliykat requested review from a team as code owners March 17, 2025 10:39
@eliykat eliykat requested a review from rr-bw March 17, 2025 10:39
@eliykat
Member

eliykat commented Mar 17, 2025

Merging into feature as requested by @JaredSnider-Bitwarden. The failing builds relate to the SDK only and are expected because we can't make CI pull the SDK from a feature branch.

@eliykat eliykat merged commit a2ba965 into innovation/opaque Mar 17, 2025
57 of 90 checks passed
@eliykat eliykat deleted the innovation/opaque-login-strategy branch March 17, 2025 10:41
2 participants