Browser extension: Vault export adds additional quote symbol in password

keteague commented 2 months ago

Steps To Reproduce

In the Chrome extension
Settings > Export vault > CSV format
Settings > Export vault > .json format
Copy the password from the BitWarden extension for Chrome and Firefox into a text editor
Open the exported CSV file, locate the password entry, and copy it from the export file to the other text editor for a top/bottom comparison. Here, we see the exported password is 1 character longer than the (correct) password that's still in the BitWarden vault, and we see an extra quotation mark added.
Open the exported JSON file, locate the password, and copy it to the other text editor for a top/bottom comparison - there is not an extra quotation mark, but there is an added backslash symbol.
Repeat all of the above steps with the Firefox extension and get the same result.

Expected Result

Original/correct password that is in the Bitwarden vault n3:X]c}~(bq5ng{jprd=E6.hS+9Y?_Ask/x@gRu,)y4Jfq}%#B?Yrt&Z9yX(,d6gKM_3h4FPLV[p5D;.Cbzu7"/^8+@c

Actual Result

Oddly enough, I can't post my result here because GitHub's parser is jacking it up, too. You can view the original (correct) and exported results here: https://text.is/0N60

Screenshots or Videos

No response

Additional Context

I submitted this problem yesterday with insufficient data and passed it off as a problem with viewing the exported CSV file in LibreOffice Calc. Today, I have more data to submit this as a bug report.
Tested this in both Chrome 124.0.6367.118 (Official Build) (64-bit) and Firefox 115.8.0esr (64-bit)
Reviewing my JSON export for other passwords, I have one other password that contains quotation marks separated far apart from each other, and each of them are prefixed with a \ symbol, while the original/correct password in the vault does not have them.
It seems there's a problem with handling the export of passwords that contains quotation marks.

Operating System

Linux

Operating System Version

Debian GNU/Linux

Web Browser

Chrome

Browser Version

124.0.6367.118

Build Version

(Official Build) (64-bit)

Issue Tracking Info

[X] I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

Krychaz commented 2 months ago

Hi there,

Thank you for your report!

I was able to reproduce this issue, and I have flagged this to our engineering team.

If you wish to add any further information/screenshots/recordings etc., please feel free to do so at any time - our engineering team will be happy to review these.

Thanks once again!

ev4x commented 1 month ago

I just want to add to this issue it also regarding the export from the web vault so not only the browser plugins and it does not happen with every password which contains " in it.

keteague commented 1 month ago

Which characters have you found to be a problem.

I may be incorrect, but I suspect the issue is related to BitWarden encasing the password, in full, within quotes. As such, if the password contains quotes, it has to escape them so it doesn't end the password string prematurely. Programmatically, that can be done using an extra quote or a backslash.

On Wed, May 29, 2024, 6:40 PM ev4x @.***> wrote:

I just want to add to this issue it also regarding the export from the web vault so not only the browser plugins and it does not happen with every password which contains " in it.

— Reply to this email directly, view it on GitHub https://github.com/bitwarden/clients/issues/9124#issuecomment-2138422192, or unsubscribe https://github.com/notifications/unsubscribe-auth/AFRPVMISGRXXPYJTBT46X4TZEZRQRAVCNFSM6AAAAABHQSBW5SVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMZYGQZDEMJZGI . You are receiving this because you authored the thread.Message ID: @.***>

ev4x commented 1 month ago

I found it in one which contained q"+ in the json it was q"\+ but the \ is not in every password which has the the " character even if Bitwarden interpret it right i think this makes issues with compatibility and readability.

keteague commented 1 month ago

If I may respectfully suggest, review your reply. I'm not sure if what is in that reply makes sense (to me). I had a problem submitting this issue because github's message parser was butchering my password making my comparison look the same

On Thu, May 30, 2024, 7:48 AM ev4x @.***> wrote:

I found it in one which contained q"+ in the json it was q"+ but the \ is not in every password which has the the " character even if Bitwarden interpret it right i think this makes issues with compatibility and readability.

— Reply to this email directly, view it on GitHub https://github.com/bitwarden/clients/issues/9124#issuecomment-2139485728, or unsubscribe https://github.com/notifications/unsubscribe-auth/AFRPVMJVPTTQ5HEBNLTY5NLZE4N23AVCNFSM6AAAAABHQSBW5SVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMZZGQ4DKNZSHA . You are receiving this because you authored the thread.Message ID: @.***>

keteague commented 1 month ago

I exported my vault in CSV format using the BitWarden app from the Apple App Store and it doesn't contain any additional characters in the two examples that I posted previously. The exported passwords appear to be exactly the same as what is currently in my vault.

App version: 2024.5.0 (24604)

bitwarden / clients