Feature name - bw serve security concepts
Feature function
When running bw serve, it listens unauthenticated on all interfaces, essentially exposing all stored credentials on the network where anybody can read them regardless of whether they are allowed to or not.
This means that if I run bw serve on machine A, then access /list/object/items from machine B, I am presented with a complete set of unencrypted stored credentials without requiring any form of authentication.
$ bw --version
1.22.0
$ bw serve &
[1] 802691
$ ss -lt | grep 8087
LISTEN 0 511 *:8087 *:*
$ ssh 192.168.1.4 -- 'curl -vs http://192.168.1.5:8087/list/object/items 1>/dev/null'
* Trying 192.168.1.5:8087...
* TCP_NODELAY set
* Connected to 192.168.1.5 (192.168.1.5) port 8087 (#0)
> GET /list/object/items HTTP/1.1
> Host: 192.168.1.5:8087
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: application/json; charset=utf-8
< Content-Length: 111964
< Date: Mon, 04 Apr 2022 07:56:53 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
<
{ [5618 bytes data]
* Connection #0 to host 192.168.1.5 left intact
- What will this feature do differently?
  API access will be made secure.
- What benefits will this feature bring?
  Users' credentials will not be exposed over the network without authentication.
I would propose building in additional security on the serve command.
- Whitelisting. Add remote IP or CIDR range whitelisting, denying any and all requests that do not match.
- When bw serve is executed, generate a random API token, store this encrypted on the server and force it to be returned with all requests. Storage would allow API access to be persisted across sessions.
- Even basic logging is better than none. When a request is made, log the request IP and path to the server output where it may be captured for audit purposes.
Related topics + references
- Are there any related topics that may help explain the need and function of this feature?
- Are there any references to this feature or function on other platforms that may be helpful?
Additionally, I recently created my own very basic API server for Bitwarden in Go which implements some of these features. As reference, this can be found on GitHub at /notapipeline/bwv/