bitwarden/server
1
0
Fork 0
mirror of https://github.com/bitwarden/server synced 2025-12-11 13:53:40 +00:00
Code Issues Releases Wiki Activity
Files
3133dc91aee000dbc6e6d78a4feb64cf47a6ec11
server/test/Core.Test/Utilities/StaticStoreTests.cs
Alex Morask f595818ede [PM-24549] Remove feature flag: use-pricing-service (#6567) 
* Remove feature flag and move StaticStore plans to MockPlans for tests

* Remove old plan models / move sponsored plans out of StaticStore

* Run dotnet format

* Add pricing URI to Development appsettings for local development and integration tests

* Updated Api Integration tests to get current plan type

* Run dotnet format

* Fix failing tests
2025-11-19 09:53:30 -06:00

36 lines
1.8 KiB
C#
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

using Bit.Core.Utilities;
using Xunit;
namespace Bit.Core.Test.Utilities;
public class StaticStoreTests
{
[Fact]
public void StaticStore_GlobalEquivalentDomains_OnlyAsciiAllowed()
{
// Ref: https://daniel.haxx.se/blog/2025/05/16/detecting-malicious-unicode/
// URLs can contain unicode characters that to a computer would point to completely seperate domains but to the
// naked eye look completely identical. For example 'g' and 'ց' look incredibly similar but when included in a
// URL would lead you somewhere different. There is an opening for an attacker to contribute to Bitwarden with a
// url update that could be missed in code review and then if they got a user to that URL Bitwarden could
// consider it equivalent with a cipher in the users vault and offer autofill when we should not.
// GitHub does now show a warning on non-ascii characters but it could still be missed.
// https://github.blog/changelog/2025-05-01-github-now-provides-a-warning-about-hidden-unicode-text/
// To defend against this:
// Loop through all equivalent domains and fail if any contain a non-ascii character
// non-ascii character can make a valid URL so it's possible that in the future we have a domain
// we want to allow list, that should be done through `continue`ing in the below foreach loop
// only if the domain strictly equals (do NOT use InvariantCulture comparison) the one added to our allow list.
foreach (var domain in StaticStore.GlobalDomains.SelectMany(p => p.Value))
{
for (var i = 0; i < domain.Length; i++)
{
var character = domain[i];
Assert.True(char.IsAscii(character), $"Domain: {domain} contains non-ASCII character: '{character}' at index: {i}");
}
}
}
}
Reference in New Issue View Git Blame Copy Permalink