From a2b290a31e60a9dba714b938bbff9bbd0537be3c Mon Sep 17 00:00:00 2001
From: Matt Gibson
Date: Thu, 22 Jun 2023 08:29:37 -0400
Subject: [PATCH] Remove password options from `serve` unlock (#5601)

These options are no longer considered safe as the file location or environment variable could be guessed by an attacker.
---
 apps/cli/src/commands/serve.command.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/apps/cli/src/commands/serve.command.ts b/apps/cli/src/commands/serve.command.ts
index 92e8747bc33..8808dcaafb8 100644
--- a/apps/cli/src/commands/serve.command.ts
+++ b/apps/cli/src/commands/serve.command.ts
@@ -245,6 +245,10 @@ export class ServeCommand {
 });
 router.post("/unlock", async (ctx, next) => {
+ // Do not allow guessing password location through serve command
+ delete ctx.request.query.passwordFile;
+ delete ctx.request.query.passwordEnv;
+
 const response = await this.unlockCommand.run(
 ctx.request.body.password == null ? null : (ctx.request.body.password as string),
 ctx.request.query
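Review bot: The two `delete` statements added at the top of the `/unlock` handler are a denylist that strips only the exact keys `passwordFile` and `passwordEnv`, so any other spelling the unlock command happens to accept (for instance lower-cased `passwordfile`/`passwordenv`, which is how CLI option parsers commonly deliver these flags) would still reach `this.unlockCommand.run` through `ctx.request.query`; `UnlockCommand.run` is not visible here, so that needs confirming before merging. A case-insensitive filter into a fresh object closes that gap and also avoids depending on the framework returning the same parsed object on the next `ctx.request.query` access, which the in-place `delete` presumes: `const query = Object.fromEntries(Object.entries(ctx.request.query).filter(([k]) => !/^password(file|env)$/i.test(k)));` and then pass `query` in place of `ctx.request.query`. Stronger still would be an allowlist that forwards only the fields the serve unlock route is meant to support, since every other query parameter currently flows through unchanged. The `router.post` callback body continues past the end of this hunk.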