Enpass JSON import bug on "sensitive" fields result in Custom Fields as plain text.

[jvteleco]

Hi, I am using the web version to import the Enpass JSON below. It imports correctly the first password, but if you have extra custom fields with password/sensitive activated, they are imported as visible fields, not hidden with *****. The field labeled as "old password" is the one that is not being imported "correctly". Have not tried the Windows app to see if it has also the same problem. Will do later.

Thanks

{
    "items": [
        {
            "auto_submit": 1,
            "category": "uncategorized",
            "favorite": 0,
            "fields": [
                {
                    "label": "username",
                    "order": 1,
                    "sensitive": 0,
                    "type": "username",
                    "uid": 7801,
                    "updated_at": 1523778394,
                    "value": "THISISATEST@gmail.com",
                    "value_updated_at": 1523778394
                },
                {
                    "label": "url",
                    "order": 2,
                    "sensitive": 0,
                    "type": "url",
                    "uid": 7804,
                    "updated_at": 1523778394,
                    "value": "http://www.google.com",
                    "value_updated_at": 1523778394
                },
                {
                    "label": "password",
                    "order": 3,
                    "sensitive": 1,
                    "type": "password",
                    "uid": 5203,
                    "updated_at": 1587293379,
                    "value": "12345678",
                    "value_updated_at": 1575141250
                },
                {
                    "label": "old password",
                    "order": 4,
                    "sensitive": 1,
                    "type": "password",
                    "uid": 7807,
                    "updated_at": 1587221597,
                    "value": "myOldPassword",
                    "value_updated_at": 1523778394
                },
                {
                    "label": "email recovery",
                    "order": 5,
                    "sensitive": 0,
                    "type": "email",
                    "uid": 8070,
                    "updated_at": 1575141250,
                    "value": "miRecoveryEmail@gmail.com",
                    "value_updated_at": 1575141250
                }
            ],
            "note": "THIS IS A TEST",
            "subtitle": "THISISATEST@gmail.com",
            "template_type": "import.imported",
            "title": "Enpass JSON Import Test sensitive",
            "updated_at": 1575567822,
            "uuid": "736e6c57-3159-439f-83a3-9a5d0934f872"
        }

    ]
}

[jvteleco]

Checking the enpassJsonImporter.ts, I think the issue is when calling the processKvp(). When creating the aditional custom fields, by default type: FieldType = FieldType.Text , but should be changed when appropiate to "Hidden"? Ref: https://github.com/bitwarden/jslib/blob/2de8c5ed165f00e5d3a2b1dd92763176d6150782/src/importers/baseImporter.ts#L305

In private processLogin(cipher: CipherView, fields: any[]) :(https://github.com/bitwarden/jslib/blob/2de8c5ed165f00e5d3a2b1dd92763176d6150782/src/importers/enpassJsonImporter.ts#L64)

Line 80:

} else {
                this.processKvp(cipher, field.label, field.value);
            }

In my opinion, in this "else", there should be a check that if "sensitive = 1", then FieldType = FieldType.Hidden.

This change should also be done for processCard, processNote.

[jvteleco]

If anyone has the same issue, I have written a python converter script to modify the Bitwarden backup JSON. https://github.com/jvteleco/Enpass-JSON-to-Bitwarden-converter-fix

[kspearrin]

Fixed in next update. https://github.com/bitwarden/jslib/pull/98

[jvteleco]

Thanks, that was fast! Will give it a try on next release.