Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[PM-5157] Update Duo metadata #9196

Closed
wants to merge 4 commits into from
Closed

[PM-5157] Update Duo metadata #9196

wants to merge 4 commits into from

Conversation

ike-kottlowski
Copy link
Contributor

Type of change

- [ ] Bug fix
- [ ] New feature development
- [x] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other

Objective

Change naming of Duo 2FA Parameters.

Code changes

  • messaged.json: added new entry for ClientId and ClientSecret to replace the old IntegrationKey and SecretKey
  • All other code changes are name changes.

Screenshots

Before you submit

  • Please add unit tests where it makes sense to do so (encouraged but not required)
  • If this change requires a documentation update - notify the documentation team
  • If this change has particular deployment requirements - notify the DevOps team
  • Ensure that all UI additions follow WCAG AA requirements

@ike-kottlowski ike-kottlowski requested a review from a team as a code owner May 15, 2024 17:38
@github-actions github-actions bot added the needs-qa Marks a PR as requiring QA approval label May 15, 2024
@codecov Codecov
Copy link

codecov bot commented May 15, 2024

Codecov Report

Attention: Patch coverage is 0% with 6 lines in your changes are missing coverage. Please review.

Project coverage is 28.11%. Comparing base (25f55e1) to head (4cd3edd).

Files Patch % Lines
.../src/app/auth/settings/two-factor-duo.component.ts 0.00% 4 Missing ⚠️
...rc/auth/models/response/two-factor-duo.response.ts 0.00% 2 Missing ⚠️
Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #9196   +/-   ##
=======================================
  Coverage   28.10%   28.11%           
=======================================
  Files        2431     2431           
  Lines       70390    70390           
  Branches    13128    13128           
=======================================
+ Hits        19781    19788    +7     
+ Misses      49082    49075    -7     
  Partials     1527     1527

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@ike-kottlowski ike-kottlowski changed the title Auth/pm 5157/update duo metadata [PM-5157] Update Duo metadata May 15, 2024
@ike-kottlowski ike-kottlowski marked this pull request as draft May 15, 2024 17:52
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented May 15, 2024
edited

Logo
Checkmarx One – Scan Summary & Details571da482-3d3e-4237-a78d-dcec58bbb314

New Issues

Severity Issue Source File / Package Checkmarx Insight
MEDIUM Angular_Improper_Type_Pipe_Usage /apps/web/src/app/billing/organizations/adjust-subscription.component.html: 54 Attack Vector
MEDIUM Angular_Improper_Type_Pipe_Usage /apps/web/src/app/billing/organizations/adjust-subscription.component.html: 18 Attack Vector
LOW Use_of_Broken_or_Risky_Cryptographic_Algorithm /apps/browser/src/auth/background/service-factories/pin-crypto-service.factory.ts: 47 Attack Vector
LOW Use_of_Broken_or_Risky_Cryptographic_Algorithm /apps/browser/src/background/service-factories/vault-timeout-service.factory.ts: 97 Attack Vector
LOW Use_of_Broken_or_Risky_Cryptographic_Algorithm /apps/cli/src/platform/services/node-env-secure-storage.service.ts: 81 Attack Vector
LOW Use_of_Broken_or_Risky_Cryptographic_Algorithm /apps/cli/src/platform/services/node-env-secure-storage.service.ts: 62 Attack Vector

Fixed Issues

Severity Issue Source File / Package
HIGH Client_DOM_Code_Injection /apps/web/src/connectors/common.ts: 2
HIGH Client_DOM_Code_Injection /apps/browser/src/autofill/services/collect-autofill-content.service.ts: 1054
HIGH Client_DOM_Stored_XSS /apps/web/src/connectors/sso.ts: 33
HIGH Client_DOM_XSS /apps/browser/src/auth/scripts/duo.js: 285
HIGH Client_DOM_XSS /apps/browser/src/auth/scripts/duo.js: 285
HIGH Client_DOM_XSS /apps/desktop/src/auth/scripts/duo.js: 285
HIGH Client_DOM_XSS /apps/desktop/src/auth/scripts/duo.js: 285
HIGH Client_DOM_XSS /apps/web/src/connectors/common.ts: 2
HIGH Client_DOM_XSS /apps/web/src/connectors/common.ts: 2
HIGH Client_DOM_XSS /apps/web/src/connectors/common.ts: 2
HIGH Client_DOM_XSS /apps/web/src/connectors/common.ts: 2
HIGH Client_DOM_XSS /apps/web/src/connectors/sso.ts: 21
HIGH Client_DOM_XSS /apps/web/src/connectors/sso.ts: 19
HIGH Client_DOM_XSS /apps/web/src/connectors/sso.ts: 15
MEDIUM Absolute_Path_Traversal /apps/cli/src/commands/serve.command.ts: 315
MEDIUM Absolute_Path_Traversal /apps/cli/src/commands/serve.command.ts: 347
MEDIUM Absolute_Path_Traversal /apps/cli/src/commands/serve.command.ts: 315
MEDIUM Absolute_Path_Traversal /apps/cli/src/commands/serve.command.ts: 347
MEDIUM Angular_Improper_Type_Pipe_Usage /bitwarden_license/bit-web/src/app/admin-console/providers/setup/setup.component.html: 28
MEDIUM Angular_Improper_Type_Pipe_Usage /bitwarden_license/bit-web/src/app/admin-console/providers/setup/setup.component.html: 1
MEDIUM Angular_Improper_Type_Pipe_Usage /apps/browser/src/vault/popup/components/fido2/fido2-use-browser-link.component.html: 1
MEDIUM Client_Privacy_Violation /apps/browser/src/background/runtime.background.ts: 308
MEDIUM Client_Privacy_Violation /apps/web/src/app/tools/reports/pages/breach-report.component.html: 14
MEDIUM Client_Privacy_Violation /apps/browser/src/auth/popup/account-switching/account.component.ts: 12
MEDIUM Client_Privacy_Violation /apps/browser/src/auth/popup/account-switching/account.component.ts: 12
MEDIUM Client_Privacy_Violation /apps/browser/src/auth/popup/account-switching/account.component.ts: 12
MEDIUM Client_Privacy_Violation /libs/components/src/color-password/color-password.component.ts: 25
MEDIUM Client_Privacy_Violation /libs/components/src/color-password/color-password.component.ts: 26
MEDIUM Client_Privacy_Violation /apps/desktop/src/auth/lock.component.html: 32
MEDIUM Client_Privacy_Violation /apps/web/src/app/auth/lock.component.html: 18
MEDIUM Client_Privacy_Violation /apps/web/src/app/billing/shared/add-credit.component.ts: 135
MEDIUM Client_Privacy_Violation /apps/web/src/app/billing/shared/add-credit.component.ts: 70
MEDIUM Client_Privacy_Violation /apps/web/src/app/billing/shared/add-credit.component.ts: 80
MEDIUM Client_Privacy_Violation /apps/web/src/app/billing/shared/add-credit.component.ts: 146
MEDIUM Client_Privacy_Violation /apps/web/src/app/billing/shared/add-credit.component.ts: 30
MEDIUM Client_Privacy_Violation /apps/web/src/app/auth/lock.component.html: 18
MEDIUM Client_Privacy_Violation /apps/desktop/src/auth/lock.component.html: 32
MEDIUM Client_Privacy_Violation /apps/web/src/app/auth/recover-two-factor.component.html: 37
MEDIUM Client_Privacy_Violation /apps/web/src/app/billing/shared/add-credit.component.html: 46
MEDIUM Client_Privacy_Violation /apps/desktop/src/vault/app/vault/view.component.html: 534
MEDIUM Client_Privacy_Violation /apps/web/src/connectors/webauthn-fallback.ts: 116
MEDIUM Client_Privacy_Violation /bitwarden_license/bit-web/src/app/auth/sso/sso.component.ts: 161
MEDIUM Client_Privacy_Violation /bitwarden_license/bit-web/src/app/auth/sso/sso.component.ts: 161
MEDIUM Client_Privacy_Violation /libs/components/src/color-password/color-password.component.ts: 14
MEDIUM Client_Privacy_Violation /apps/desktop/src/vault/app/vault/view.component.html: 60
MEDIUM Client_Privacy_Violation /apps/desktop/src/vault/app/vault/view.component.html: 56
MEDIUM Client_Privacy_Violation /apps/browser/src/tools/popup/generator/password-generator-history.component.html: 26
MEDIUM Client_Privacy_Violation /apps/browser/src/vault/popup/components/vault/password-history.component.html: 18
MEDIUM Client_Privacy_Violation /apps/desktop/src/app/tools/password-generator-history.component.html: 15
MEDIUM Client_Privacy_Violation /apps/desktop/src/vault/app/vault/password-history.component.html: 12
MEDIUM Client_Privacy_Violation /apps/desktop/src/vault/app/vault/view.component.html: 50
MEDIUM Client_Privacy_Violation /libs/components/src/color-password/color-password.component.ts: 14
MEDIUM Client_Privacy_Violation /apps/browser/src/tools/popup/generator/password-generator-history.component.html: 26
MEDIUM Client_Privacy_Violation /apps/browser/src/vault/popup/components/vault/password-history.component.html: 18
MEDIUM Client_Privacy_Violation /apps/desktop/src/app/tools/password-generator-history.component.html: 15
MEDIUM Client_Privacy_Violation /apps/desktop/src/vault/app/vault/password-history.component.html: 12
MEDIUM Missing_HSTS_Header /apps/cli/src/auth/commands/login.command.ts: 705
MEDIUM SSRF /libs/importer/src/importers/lastpass/access/services/rest-client.ts: 69
MEDIUM SSRF /libs/importer/src/importers/lastpass/access/services/rest-client.ts: 69
LOW Angular_Usage_of_Unsafe_DOM_Sanitizer /apps/desktop/src/app/components/avatar.component.ts: 75
LOW Angular_Usage_of_Unsafe_DOM_Sanitizer /libs/components/src/avatar/avatar.component.ts: 80
LOW Angular_Usage_of_Unsafe_DOM_Sanitizer /libs/components/src/icon/icon.component.ts: 18
LOW Angular_Usage_of_Unsafe_DOM_Sanitizer /libs/components/src/icon/icon.component.ts: 18
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/accessibility-cookie.component.html: 18
LOW Client_DOM_Open_Redirect /apps/web/src/connectors/common.ts: 2
LOW Client_DOM_Open_Redirect /apps/web/src/connectors/common.ts: 2
LOW Client_DOM_Open_Redirect /apps/web/src/connectors/common.ts: 2
LOW Client_DOM_Open_Redirect /apps/web/src/connectors/sso.ts: 21
LOW Client_DOM_Open_Redirect /apps/web/src/connectors/common.ts: 2
LOW Client_DOM_Open_Redirect /apps/web/src/connectors/sso.ts: 19
LOW Client_DOM_Open_Redirect /apps/web/src/connectors/common.ts: 2
LOW Client_DOM_Open_Redirect /apps/web/src/connectors/sso.ts: 15
LOW Client_DOM_Open_Redirect /apps/browser/src/tools/popup/generator/password-generator-history.component.ts: 18
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/popup/account-switching/current-account.component.ts: 31
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/login/login-via-auth-request.component.ts: 62
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/login/login-via-auth-request.component.ts: 62
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/popup/account-switching/account.component.ts: 24
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/popup/login-via-auth-request.component.ts: 54
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/popup/login-via-auth-request.component.ts: 54
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/login/login-via-auth-request.component.ts: 62
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/login/login-via-auth-request.component.ts: 62
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/popup/login-via-auth-request.component.ts: 54
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/popup/login-via-auth-request.component.ts: 54
LOW Client_DOM_Open_Redirect /apps/browser/src/vault/popup/components/vault/password-history.component.ts: 21
LOW Client_DOM_Open_Redirect /apps/browser/src/billing/popup/settings/premium.component.ts: 27
LOW Client_DOM_Open_Redirect /apps/browser/src/vault/popup/components/vault/attachments.component.ts: 32
LOW Client_DOM_Open_Redirect /libs/common/src/auth/iframe-component.ts: 49
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/scripts/duo.js: 277
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/scripts/duo.js: 277
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/scripts/duo.js: 277
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/scripts/duo.js: 277
LOW Client_DOM_Open_Redirect /libs/common/src/auth/webauthn-iframe.ts: 25
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/scripts/duo.js: 277
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/scripts/duo.js: 277
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/scripts/duo.js: 277
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/scripts/duo.js: 277
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/scripts/duo.js: 277
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/scripts/duo.js: 277
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/scripts/duo.js: 277
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/scripts/duo.js: 277
LOW Client_DOM_Open_Redirect /libs/common/src/auth/webauthn-iframe.ts: 25
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/scripts/duo.js: 277
LOW Client_DOM_Open_Redirect /apps/desktop/src/auth/scripts/duo.js: 277
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/scripts/duo.js: 277
LOW Client_DOM_Open_Redirect /apps/browser/src/auth/scripts/duo.js: 277
LOW Client_Hardcoded_Domain /apps/web/src/app/billing/shared/payment.component.ts: 56
LOW Client_Hardcoded_Domain /apps/web/src/app/billing/shared/payment.component.ts: 56
LOW Client_Hardcoded_Domain /apps/web/src/connectors/captcha.ts: 57
LOW Client_Use_Of_Iframe_Without_Sandbox /apps/browser/src/autofill/content/notification-bar.ts: 868
LOW Client_Use_Of_Iframe_Without_Sandbox /apps/browser/src/autofill/overlay/iframe-content/autofill-overlay-iframe.service.ts: 90
LOW Client_Use_Of_Iframe_Without_Sandbox /apps/web/src/connectors/duo.ts: 8
LOW Client_Use_Of_Iframe_Without_Sandbox /apps/web/src/connectors/duo.ts: 8
LOW Client_Weak_Cryptographic_Hash /libs/common/src/platform/services/web-crypto-function.service.ts: 142
LOW Client_Weak_Cryptographic_Hash /apps/desktop/src/proxy/ipc.ts: 24
LOW Missing_CSP_Header /apps/cli/src/auth/commands/login.command.ts: 705
LOW Unprotected_Cookie /apps/web/src/app/auth/two-factor.component.ts: 143
LOW Unprotected_Cookie /apps/web/src/connectors/duo-redirect.ts: 57
LOW Unprotected_Cookie /apps/web/src/connectors/duo-redirect.ts: 112
LOW Unprotected_Cookie /apps/web/src/connectors/sso.ts: 33
LOW Unprotected_Cookie /apps/web/src/app/auth/sso.component.ts: 137
LOW Unsafe_Use_Of_Target_blank /apps/web/src/app/auth/settings/two-factor-recovery.component.ts: 25
LOW Use_of_Broken_or_Risky_Cryptographic_Algorithm /apps/browser/src/auth/background/service-factories/pin-service.factory.ts: 64
LOW Use_of_Broken_or_Risky_Cryptographic_Algorithm /apps/browser/src/auth/background/service-factories/device-trust-service.factory.ts: 83
LOW Use_of_Broken_or_Risky_Cryptographic_Algorithm /apps/browser/src/auth/background/service-factories/device-trust-service.factory.ts: 82
LOW Use_of_Broken_or_Risky_Cryptographic_Algorithm /apps/browser/src/auth/background/service-factories/auth-request-service.factory.ts: 54
LOW Use_of_Broken_or_Risky_Cryptographic_Algorithm /apps/browser/src/auth/background/service-factories/login-strategy-service.factory.ts: 130
LOW Use_of_Broken_or_Risky_Cryptographic_Algorithm /apps/browser/src/tools/background/service_factories/import-service.factory.ts: 63
LOW Use_of_Broken_or_Risky_Cryptographic_Algorithm /apps/browser/src/platform/background/service-factories/key-generation-service.factory.ts: 23
LOW Use_of_Broken_or_Risky_Cryptographic_Algorithm /apps/browser/src/auth/background/service-factories/user-verification-service.factory.ts: 77
LOW Use_of_Broken_or_Risky_Cryptographic_Algorithm /apps/browser/src/auth/background/service-factories/auth-service.factory.ts: 51
LOW Use_of_Broken_or_Risky_Cryptographic_Algorithm /apps/browser/src/auth/background/service-factories/key-connector-service.factory.ts: 70
LOW Use_of_Broken_or_Risky_Cryptographic_Algorithm /apps/browser/src/background/service-factories/send-service.factory.ts: 50
LOW Use_of_Broken_or_Risky_Cryptographic_Algorithm /apps/browser/src/background/service-factories/vault-timeout-settings-service.factory.ts: 73
LOW Use_of_Broken_or_Risky_Cryptographic_Algorithm /apps/browser/src/platform/background/service-factories/crypto-service.factory.ts: 78
LOW Use_of_Broken_or_Risky_Cryptographic_Algorithm /apps/browser/src/vault/background/service_factories/cipher-service.factory.ts: 75
LOW Use_of_Broken_or_Risky_Cryptographic_Algorithm

More results are available on AST platform

@ike-kottlowski
Copy link
Contributor Author

ike-kottlowski commented May 16, 2024
edited

closing since this PR is out of scope for the task PM-5157

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JaredSnider-Bitwarden JaredSnider-Bitwarden Awaiting requested review from JaredSnider-Bitwarden JaredSnider-Bitwarden is a code owner automatically assigned from bitwarden/team-auth-dev

Assignees
No one assigned
Labels
needs-qa Marks a PR as requiring QA approval
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@ike-kottlowski