Skip to content

Commit

Permalink
Merge pull request #4488 from corentin-soriano/pwd_log
Browse files Browse the repository at this point in the history 
Enforce password log on copy or shown action.
  • Loading branch information
@nilsteampassnet
nilsteampassnet authored Nov 25, 2024
2 parents 9f3e75d + 747d530 commit f4bd2db
Show file tree
Hide file tree
Showing 4 changed files with 216 additions and 190 deletions.
65 changes: 65 additions & 0 deletions includes/core/load.js.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2082,4 +2082,69 @@ function hashUserId(userId) {
const hash = CryptoJS.SHA256(userId);
return hash.toString(CryptoJS.enc.Hex).substring(0, 16);
}

/**
* Get item password to show or copy it in clipboard.
*
* @param {string} action - Log action (ex: at_password_shown).
* @param {string} id_type - 'item_key' or 'item_id'.
* @param {number|string} id_value - The item key or id.
*
* @returns {string} - The item cleartext password if user has access.
*/
function getItemPassword(action, id_type, id_value) {
let item_password = '';

// Get password from server
$.ajax({
type: "POST",
async: false,
url: 'sources/items.queries.php',
data: 'type=get_item_password&action=' + action + '&' + id_type +
'=' + id_value + '&key=<?php echo $session->get('key'); ?>',
dataType: "",
success: function(data) {
//decrypt data
try {
data = prepareExchangedData(data, "decode", "<?php echo $session->get('key'); ?>");
} catch (e) {
// error
toastr.remove();
toastr.warning(
'<?php echo $lang->get('no_item_to_display'); ?>'
);
return false;
}

// No access
if (data.password_error !== '') {
toastr.remove();
toastr.error(
data.password_error,
'<?php echo $lang->get('caution'); ?>', {
timeOut: 5000,
progressBar: true
}
);
return false;
}

const password = simplePurifier(atob(data.password), false, false, false, false).utf8Decode();
if (password === '') {
toastr.info(
'<?php echo $lang->get('password_is_empty'); ?>',
'', {
timeOut: 2000,
positionClass: 'toast-bottom-right',
progressBar: true
}
);
}

item_password = password;
}
});

return item_password;
}
</script>
161 changes: 51 additions & 110 deletions pages/items.js.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -383,14 +383,13 @@ function(teampassApplication) {
$(document).on('click', '#card-item-pwd-show-button', function() {
if ($(this).hasClass('pwd-shown') === false) {
$(this).addClass('pwd-shown');
// Prepare data to show
// Is data crypted?
var data = unCryptData($('#hidden-item-pwd').val(), '<?php echo $session->get('key'); ?>');
if (data !== false && data !== undefined) {
$('#hidden-item-pwd').val(
data.password
);
}

// Get item password from server
const item_pwd = getItemPassword(
'at_password_shown',
'item_id',
store.get('teampassItem').id
);

// Change class and show spinner
$('.pwd-show-spinner')
Expand All @@ -399,16 +398,9 @@ function(teampassApplication) {

// display raw password
$('#card-item-pwd')
.text($('#hidden-item-pwd').val())
.text(item_pwd)
.addClass('pointer_none');

// log password is shown
itemLog(
'at_password_shown',
store.get('teampassItem').id,
$('#card-item-label').text()
);

// Autohide
setTimeout(() => {
$(this).removeClass('pwd-shown');
Expand Down Expand Up @@ -2581,34 +2573,24 @@ function(ret) {
mouseStillDown = false;
showPwdContinuous();
});
var showPwdContinuous = function() {
if (mouseStillDown === true) {
// Prepare data to show
// Is data crypted?
var data = unCryptData($('#hidden-item-pwd').val(), '<?php echo $session->get('key'); ?>');
if (data !== false && data !== undefined) {
$('#hidden-item-pwd').val(
data.password
);
}

$('#card-item-pwd')
.html(
// XSS Filtering
$('<span span style="cursor:none;">').text($('#hidden-item-pwd').val()).html()
);
const showPwdContinuous = function() {
if (mouseStillDown === true
&& !$('#card-item-pwd').hasClass('pwd-shown')) {

// Get item password from server
const item_pwd = getItemPassword(
'at_password_shown',
'item_id',
store.get('teampassItem').id
);

$('#card-item-pwd').text(item_pwd);
$('#card-item-pwd').addClass('pwd-shown');

// Auto hide password
setTimeout('showPwdContinuous("card-item-pwd")', 50);
// log password is shown
if ($('#card-item-pwd').hasClass('pwd-shown') === false) {
itemLog(
'at_password_shown',
store.get('teampassItem').id,
$('#card-item-label').text()
);
$('#card-item-pwd').addClass('pwd-shown');
}
} else {
} else if(mouseStillDown !== true) {
$('#card-item-pwd')
.html('<?php echo $var['hidden_asterisk']; ?>')
.removeClass('pwd-shown');
Expand Down Expand Up @@ -3380,6 +3362,14 @@ function(teampassItem) {
}
);
} else {
// Get password and fill the field.
const item_pwd = getItemPassword(
'at_password_shown_edit_form',
'item_id',
store.get('teampassItem').id
);
$('#form-item-password').val(item_pwd);

$('#card-item-visibility').html(store.get('teampassItem').itemVisibility);
$('#card-item-minimum-complexity').html(store.get('teampassItem').itemMinimumComplexity);

Expand Down Expand Up @@ -3980,57 +3970,18 @@ function(teampassItem) {
// Send query and get password
var result = '',
error = false;

$.ajax({
type: "POST",
async: false,
url: 'sources/items.queries.php',
data: 'type=show_item_password&item_key=' + trigger.getAttribute('data-item-key') +
'&key=<?php echo $session->get('key'); ?>',
dataType: "",
success: function(data) {
//decrypt data
try {
data = prepareExchangedData(data, "decode", "<?php echo $session->get('key'); ?>");
} catch (e) {
// error
toastr.remove();
toastr.warning(
'<?php echo $lang->get('no_item_to_display'); ?>'
);
return false;
}
if (data.error === true) {
error = true;
} else {
if (data.password_error !== '') {
error = true;
} else {
result = simplePurifier(atob(data.password), false, false, false, false).utf8Decode();
}
if (result === '') {
toastr.info(
'<?php echo $lang->get('password_is_empty'); ?>',
'', {
timeOut: 2000,
positionClass: 'toast-bottom-right',
progressBar: true
}
);
}
}
}
});
return result;

// Get item password from server
const item_pwd = getItemPassword(
'at_password_copied',
'item_key',
trigger.getAttribute('data-item-key')
);

return item_pwd;
}
});
clipboardForPassword.on('success', function(e) {
itemLog(
'at_password_copied',
e.trigger.dataset.itemId,
e.trigger.dataset.itemLabel
);

clipboardForPassword.on('success', function(e) {
// Warn user about clipboard clear
if (store.get('teampassSettings').clipboard_life_duration === undefined || parseInt(store.get('teampassSettings').clipboard_life_duration) === 0) {
toastr.remove();
Expand Down Expand Up @@ -4834,11 +4785,6 @@ function(teampassUser) {
$('#card-item-pwd').after('<i class="fa-solid fa-bell text-orange fa-shake ml-3 delete-after-usage infotip" title="'+data.pwd_encryption_error_message+'"></i>');
}

// Uncrypt the pwd
if (data.pw !== undefined) {
data.pw = simplePurifier(atob(data.pw), false, false, false, false).utf8Decode();
}

// Update hidden variables
store.update(
'teampassItem',
Expand Down Expand Up @@ -4901,7 +4847,7 @@ function(teampassItem) {
$('.form-item').removeClass('hidden');
$('#folders-tree-card').addClass('hidden');
}
$('#pwd-definition-size').val(data.pw.length);
$('#pwd-definition-size').val(data.pw_length);

// Prepare card
const itemIcon = (data.fa_icon !== "") ? '<i class="'+data.fa_icon+' mr-1"></i>' : '';
Expand All @@ -4914,8 +4860,6 @@ function(teampassItem) {
$('#card-item-description').removeClass('hidden');
}
$('#card-item-pwd').html('<?php echo $var['hidden_asterisk']; ?>');
$('#hidden-item-pwd, #form-item-suggestion-password').val(data.pw);
$('#form-item-password, #form-item-password-confirmation, #form-item-server-old-password').val(data.pw);
$('#card-item-login').html(data.login);
$('#form-item-login, #form-item-suggestion-login, #form-item-server-login').val(data.login);

Expand Down Expand Up @@ -5179,24 +5123,25 @@ function(teampassItem) {
}

// Prepare clipboard - COPY PASSWORD
if (data.pw !== '' && store.get('teampassItem').readyToUse === true) {
if (data.pw_length > 0 && store.get('teampassItem').readyToUse === true) {
// Delete existing clipboard
if (clipboardForPasswordListItems) {
clipboardForPasswordListItems.destroy();
}
// New clipboard
clipboardForPasswordListItems = new ClipboardJS('#card-item-pwd-button', {
text: function() {
return (data.pw);
// Get item password from server
const item_pwd = getItemPassword(
'at_password_copied',
'item_id',
data.id
);

return item_pwd;
}
})
.on('success', function(e) {
itemLog(
'at_password_copied',
store.get('teampassItem').id,
$('#card-item-label').text()
);

// Warn user about clipboard clear
if (store.get('teampassSettings').clipboard_life_duration === undefined || parseInt(store.get('teampassSettings').clipboard_life_duration) === 0) {
toastr.remove();
Expand Down Expand Up @@ -6427,10 +6372,6 @@ function(data) {
);
});

$('#item-button-password-copy').click(function() {
$('#form-item-password-confirmation').val($('#form-item-password').val());
});

/**
* On tag badge click, launch the search query
*/
Expand Down
Loading

0 comments on commit f4bd2db

Please sign in to comment.