[PM-25250] Prevent configuration and access of self hosted urls over http (#17095)

* feat: ban urls not using https * feat: add exception for dev env * feat: block fetching of insecure URLs * feat: add exception for dev env * feat: block notifications from using insecure URL * fix: bug where submission was possible regardless of error * feat: add exception for dev env * fix: missing constructor param
2025-12-15 15:53:27 +00:00 · 2025-10-31 08:12:44 +01:00
parent 2dd314e992
commit 48fb8b2bfe
11 changed files with 106 additions and 11 deletions
--- a/libs/auth/src/angular/self-hosted-env-config-dialog/self-hosted-env-config-dialog.component.ts
+++ b/libs/auth/src/angular/self-hosted-env-config-dialog/self-hosted-env-config-dialog.component.ts
@@ -1,5 +1,5 @@
 import { CommonModule } from "@angular/common";
-import { Component, OnDestroy, OnInit } from "@angular/core";
+import { Component, inject, OnDestroy, OnInit } from "@angular/core";
 import {
  AbstractControl,
  FormBuilder,
@@ -16,6 +16,8 @@ import {
  EnvironmentService,
  Region,
 } from "@bitwarden/common/platform/abstractions/environment.service";
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 // This import has been flagged as unallowed for this class. It may be involved in a circular dependency loop.
 // eslint-disable-next-line no-restricted-imports
 import {
@@ -51,6 +53,25 @@ function selfHostedEnvSettingsFormValidator(): ValidatorFn {
  };
 }

+function onlyHttpsValidator(): ValidatorFn {
+  const i18nService = inject(I18nService);
+  const platformUtilsService = inject(PlatformUtilsService);
+
+  return (control: AbstractControl): ValidationErrors | null => {
+    const url = control.value as string;
+
+    if (url && !url.startsWith("https://") && !platformUtilsService.isDev()) {
+      return {
+        onlyHttpsAllowed: {
+          message: i18nService.t("selfHostedEnvMustUseHttps"),
+        },
+      }; // invalid
+    }
+
+    return null; // valid
+  };
+}
+
 /**
 * Dialog for configuring self-hosted environment settings.
 */
@@ -89,12 +110,12 @@ export class SelfHostedEnvConfigDialogComponent implements OnInit, OnDestroy {

  formGroup = this.formBuilder.group(
    {
-      baseUrl: [""],
-      webVaultUrl: [""],
-      apiUrl: [""],
-      identityUrl: [""],
-      iconsUrl: [""],
-      notificationsUrl: [""],
+      baseUrl: ["", [onlyHttpsValidator()]],
+      webVaultUrl: ["", [onlyHttpsValidator()]],
+      apiUrl: ["", [onlyHttpsValidator()]],
+      identityUrl: ["", [onlyHttpsValidator()]],
+      iconsUrl: ["", [onlyHttpsValidator()]],
+      notificationsUrl: ["", [onlyHttpsValidator()]],
    },
    { validators: selfHostedEnvSettingsFormValidator() },
  );
@@ -162,10 +183,11 @@ export class SelfHostedEnvConfigDialogComponent implements OnInit, OnDestroy {
      });
  }
  submit = async () => {
+    this.formGroup.markAllAsTouched();
    this.showErrorSummary = false;

    if (this.formGroup.invalid) {
-      this.showErrorSummary = true;
+      this.showErrorSummary = Boolean(this.formGroup.errors?.["atLeastOneUrlIsRequired"]);
      return;
    }