[PM-25250] Prevent configuration and access of self hosted urls over http (#17095)

* feat: ban urls not using https * feat: add exception for dev env * feat: block fetching of insecure URLs * feat: add exception for dev env * feat: block notifications from using insecure URL * fix: bug where submission was possible regardless of error * feat: add exception for dev env * fix: missing constructor param
2025-12-12 22:33:35 +00:00 · 2025-10-31 08:12:44 +01:00
parent 2dd314e992
commit 48fb8b2bfe
11 changed files with 106 additions and 11 deletions
--- a/apps/browser/src/_locales/en/messages.json
+++ b/apps/browser/src/_locales/en/messages.json
@@ -1641,6 +1641,9 @@
  "selfHostedEnvFormInvalid": {
    "message": "You must add either the base Server URL or at least one custom environment."
  },
  "selfHostedEnvMustUseHttps": {
    "message": "URLs must use HTTPS."
  },
  "customEnvironment": {
    "message": "Custom environment"
  },
--- a/apps/browser/src/background/main.background.ts
+++ b/apps/browser/src/background/main.background.ts
@@ -1215,7 +1215,7 @@ export default class MainBackground {
      logoutCallback,
      this.messagingService,
      this.accountService,
-      new SignalRConnectionService(this.apiService, this.logService),
+      new SignalRConnectionService(this.apiService, this.logService, this.platformUtilsService),
      this.authService,
      this.webPushConnectionService,
      this.authRequestAnsweringService,
--- a/apps/desktop/src/locales/en/messages.json
+++ b/apps/desktop/src/locales/en/messages.json
@@ -1035,6 +1035,9 @@
  "selfHostedEnvFormInvalid": {
    "message": "You must add either the base Server URL or at least one custom environment."
  },
  "selfHostedEnvMustUseHttps": {
    "message": "URLs must use HTTPS."
  },
  "customEnvironment": {
    "message": "Custom environment"
  },
--- a/apps/web/src/locales/en/messages.json
+++ b/apps/web/src/locales/en/messages.json
@@ -7132,6 +7132,9 @@
  "selfHostedEnvFormInvalid": {
    "message": "You must add either the base Server URL or at least one custom environment."
  },
  "selfHostedEnvMustUseHttps": {
    "message": "URLs must use HTTPS."
  },
  "apiUrl": {
    "message": "API server URL"
  },
--- a/libs/angular/src/services/jslib-services.module.ts
+++ b/libs/angular/src/services/jslib-services.module.ts
@@ -968,7 +968,7 @@ const safeProviders: SafeProvider[] = [
  safeProvider({
    provide: SignalRConnectionService,
    useClass: SignalRConnectionService,
-    deps: [ApiServiceAbstraction, LogService],
+    deps: [ApiServiceAbstraction, LogService, PlatformUtilsServiceAbstraction],
  }),
  safeProvider({
    provide: WebPushConnectionService,
@@ -1223,7 +1223,7 @@ const safeProviders: SafeProvider[] = [
  safeProvider({
    provide: AnonymousHubServiceAbstraction,
    useClass: AnonymousHubService,
-    deps: [EnvironmentService, AuthRequestServiceAbstraction],
+    deps: [EnvironmentService, AuthRequestServiceAbstraction, PlatformUtilsServiceAbstraction],
  }),
  safeProvider({
    provide: ValidationServiceAbstraction,
--- a/libs/auth/src/angular/self-hosted-env-config-dialog/self-hosted-env-config-dialog.component.ts
+++ b/libs/auth/src/angular/self-hosted-env-config-dialog/self-hosted-env-config-dialog.component.ts
@@ -1,5 +1,5 @@
 import { CommonModule } from "@angular/common";
-import { Component, OnDestroy, OnInit } from "@angular/core";
+import { Component, inject, OnDestroy, OnInit } from "@angular/core";
 import {
  AbstractControl,
  FormBuilder,
@@ -16,6 +16,8 @@ import {
  EnvironmentService,
  Region,
 } from "@bitwarden/common/platform/abstractions/environment.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 // This import has been flagged as unallowed for this class. It may be involved in a circular dependency loop.
 // eslint-disable-next-line no-restricted-imports
 import {
@@ -51,6 +53,25 @@ function selfHostedEnvSettingsFormValidator(): ValidatorFn {
  };
 }
 function onlyHttpsValidator(): ValidatorFn {
  const i18nService = inject(I18nService);
  const platformUtilsService = inject(PlatformUtilsService);
  return (control: AbstractControl): ValidationErrors | null => {
    const url = control.value as string;
    if (url && !url.startsWith("https://") && !platformUtilsService.isDev()) {
      return {
        onlyHttpsAllowed: {
          message: i18nService.t("selfHostedEnvMustUseHttps"),
        },
      }; // invalid
    }
    return null; // valid
  };
 }
 /**
 * Dialog for configuring self-hosted environment settings.
 */
@@ -89,12 +110,12 @@ export class SelfHostedEnvConfigDialogComponent implements OnInit, OnDestroy {
  formGroup = this.formBuilder.group(
    {
-      baseUrl: [""],
+      baseUrl: ["", [onlyHttpsValidator()]],
-      webVaultUrl: [""],
+      webVaultUrl: ["", [onlyHttpsValidator()]],
-      apiUrl: [""],
+      apiUrl: ["", [onlyHttpsValidator()]],
-      identityUrl: [""],
+      identityUrl: ["", [onlyHttpsValidator()]],
-      iconsUrl: [""],
+      iconsUrl: ["", [onlyHttpsValidator()]],
-      notificationsUrl: [""],
+      notificationsUrl: ["", [onlyHttpsValidator()]],
    },
    { validators: selfHostedEnvSettingsFormValidator() },
  );
@@ -162,10 +183,11 @@ export class SelfHostedEnvConfigDialogComponent implements OnInit, OnDestroy {
      });
  }
  submit = async () => {
    this.formGroup.markAllAsTouched();
    this.showErrorSummary = false;
    if (this.formGroup.invalid) {
-      this.showErrorSummary = true;
+      this.showErrorSummary = Boolean(this.formGroup.errors?.["atLeastOneUrlIsRequired"]);
      return;
    }
--- a/libs/common/src/auth/services/anonymous-hub.service.ts
+++ b/libs/common/src/auth/services/anonymous-hub.service.ts
@@ -18,6 +18,8 @@ import {
  NotificationResponse,
 } from "../../models/response/notification.response";
 import { EnvironmentService } from "../../platform/abstractions/environment.service";
 import { PlatformUtilsService } from "../../platform/abstractions/platform-utils.service";
 import { InsecureUrlNotAllowedError } from "../../services/api-errors";
 import { AnonymousHubService as AnonymousHubServiceAbstraction } from "../abstractions/anonymous-hub.service";
 export class AnonymousHubService implements AnonymousHubServiceAbstraction {
@@ -27,10 +29,14 @@ export class AnonymousHubService implements AnonymousHubServiceAbstraction {
  constructor(
    private environmentService: EnvironmentService,
    private authRequestService: AuthRequestServiceAbstraction,
    private platformUtilsService: PlatformUtilsService,
  ) {}
  async createHubConnection(token: string) {
    this.url = (await firstValueFrom(this.environmentService.environment$)).getNotificationsUrl();
    if (!this.url.startsWith("https://") && !this.platformUtilsService.isDev()) {
      throw new InsecureUrlNotAllowedError();
    }
    this.anonHubConnection = new HubConnectionBuilder()
      .withUrl(this.url + "/anonymous-hub?Token=" + token, {
--- a/libs/common/src/platform/server-notifications/internal/signalr-connection.service.ts
+++ b/libs/common/src/platform/server-notifications/internal/signalr-connection.service.ts
@@ -10,8 +10,10 @@ import { Observable, Subscription } from "rxjs";
 import { ApiService } from "../../../abstractions/api.service";
 import { NotificationResponse } from "../../../models/response/notification.response";
 import { InsecureUrlNotAllowedError } from "../../../services/api-errors";
 import { UserId } from "../../../types/guid";
 import { LogService } from "../../abstractions/log.service";
 import { PlatformUtilsService } from "../../abstractions/platform-utils.service";
 // 2 Minutes
 const MIN_RECONNECT_TIME = 2 * 60 * 1000;
@@ -69,12 +71,17 @@ export class SignalRConnectionService {
  constructor(
    private readonly apiService: ApiService,
    private readonly logService: LogService,
    private readonly platformUtilsService: PlatformUtilsService,
    private readonly hubConnectionBuilderFactory: () => HubConnectionBuilder = () =>
      new HubConnectionBuilder(),
    private readonly timeoutManager: TimeoutManager = globalThis,
  ) {}
  connect$(userId: UserId, notificationsUrl: string) {
    if (!notificationsUrl.startsWith("https://") && !this.platformUtilsService.isDev()) {
      throw new InsecureUrlNotAllowedError();
    }
    return new Observable<SignalRNotification>((subsciber) => {
      const connection = this.hubConnectionBuilderFactory()
        .withUrl(notificationsUrl + "/hub", {
--- a/libs/common/src/services/api-errors.ts
+++ b/libs/common/src/services/api-errors.ts
@@ -0,0 +1,9 @@
 export class InsecureUrlNotAllowedError extends Error {
  constructor(url?: string) {
    if (url === undefined) {
      super("Insecure URL not allowed. All URLs must use HTTPS.");
    } else {
      super(`Insecure URL not allowed: ${url}. All URLs must use HTTPS.`);
    }
  }
 }
--- a/libs/common/src/services/api.service.spec.ts
+++ b/libs/common/src/services/api.service.spec.ts
@@ -20,6 +20,7 @@ import { Environment, EnvironmentService } from "../platform/abstractions/enviro
 import { LogService } from "../platform/abstractions/log.service";
 import { PlatformUtilsService } from "../platform/abstractions/platform-utils.service";
 import { InsecureUrlNotAllowedError } from "./api-errors";
 import { ApiService, HttpOperations } from "./api.service";
 describe("ApiService", () => {
@@ -411,4 +412,39 @@ describe("ApiService", () => {
      ).rejects.toMatchObject(error);
    },
  );
  it("throws error when trying to fetch an insecure URL", async () => {
    environmentService.getEnvironment$.calledWith(testActiveUser).mockReturnValue(
      of({
        getApiUrl: () => "http://example.com",
      } satisfies Partial<Environment> as Environment),
    );
    httpOperations.createRequest.mockImplementation((url, request) => {
      return {
        url: url,
        cache: request.cache,
        credentials: request.credentials,
        method: request.method,
        mode: request.mode,
        signal: request.signal ?? undefined,
        headers: new Headers(request.headers),
      } satisfies Partial<Request> as unknown as Request;
    });
    const nativeFetch = jest.fn<Promise<Response>, [request: Request]>();
    nativeFetch.mockImplementation((request) => {
      return Promise.resolve({
        ok: true,
        status: 204,
        headers: new Headers(),
      } satisfies Partial<Response> as Response);
    });
    sut.nativeFetch = nativeFetch;
    await expect(
      async () => await sut.send("GET", "/something", null, true, true, null),
    ).rejects.toThrow(InsecureUrlNotAllowedError);
    expect(nativeFetch).not.toHaveBeenCalled();
  });
 });
--- a/libs/common/src/services/api.service.ts
+++ b/libs/common/src/services/api.service.ts
@@ -117,6 +117,8 @@ import { AttachmentResponse } from "../vault/models/response/attachment.response
 import { CipherResponse } from "../vault/models/response/cipher.response";
 import { OptionalCipherResponse } from "../vault/models/response/optional-cipher.response";
 import { InsecureUrlNotAllowedError } from "./api-errors";
 export type HttpOperations = {
  createRequest: (url: string, request: RequestInit) => Request;
 };
@@ -1310,6 +1312,10 @@ export class ApiService implements ApiServiceAbstraction {
  }
  async fetch(request: Request): Promise<Response> {
    if (!request.url.startsWith("https://") && !this.platformUtilsService.isDev()) {
      throw new InsecureUrlNotAllowedError();
    }
    if (request.method === "GET") {
      request.headers.set("Cache-Control", "no-store");
      request.headers.set("Pragma", "no-cache");