[GH-ISSUE #2419] Lack of validation on name of the users #1257

Closed
opened 2026-03-03 02:07:33 +03:00 by kerem · 4 comments

Originally created by @pavel1337 on GitHub (Apr 14, 2022).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/2419

Originally assigned to: @BlackDex on GitHub.

Subject of the issue

Lack of validation on name of the users

Deployment environment

  • vaultwarden version: 1.24.0

  • Install method: Docker (Base: Debian)

  • Clients used: web client

  • MySQL/MariaDB or PostgreSQL version: MySQL 8.0.23 RDS

  • Other relevant details:

Steps to reproduce

  1. Receive an invite to vaultwarden
  2. Create account with long name (e.g. using this command pwgen 100000 1)

Expected behaviour

  • validation error with something like "the name is too long"

Actual behaviour

  • I was able to create a user and login, but I cannot send secrets. I guess because the bearer token is too big, because the username is too long.

Troubleshooting data

The command I used to create a long username: pwgen 100000 1

The screenshot of the users table; I guess it should be something like varchar(x):
https://user-images.githubusercontent.com/31508908/163392934-38cf465f-262e-47d2-9ee2-789fa271dd0e.png

The screenshot of the organization with me in it (Screenshot 2022-04-14 at 14-20-33 People Bitwarden Web Vault (1)):
https://user-images.githubusercontent.com/31508908/163393340-0620ba1f-d4c6-4d9c-979b-e7251f41b2d2.png

The screenshot of me trying to create a send, with developer tools open:
https://user-images.githubusercontent.com/31508908/163394232-9d1903eb-9bc6-4f21-983c-33973fb13412.png


@BlackDex commented on GitHub (Jun 4, 2022):

Looks like Bitwarden itself uses a max of 50 characters. It will be a bit difficult now to switch that for Vaultwarden to a lower size if people were already using a larger amount of characters for the names.
Though limiting it to a specific amount is not a bad idea, I need to see what a good amount is.


@dani-garcia commented on GitHub (Jun 4, 2022):

We could just limit it in the save function, if we don't want to create a new migration for this change


@BlackDex commented on GitHub (Jun 8, 2022):

I think it should be enough to have this only at the register function, what do you think @dani-garcia?
That would at least prevent new users from using a large Name, but will not force current users to change it when they update their info.

btw: I have it working already locally.


@dani-garcia commented on GitHub (Jun 8, 2022):

Right, but a user could also change their name from the web vault after the account was created, I know realistically no one is going to put a long enough name to break the web vault, but we should cover all bases if possible.

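The thread converges on one point: a single length check has to sit on every path that writes the name, not just registration, or a rename from the web vault bypasses it. The following is an added illustration of that pattern, not vaultwarden's own code. It assumes a limit of 50 characters (the Bitwarden figure quoted above), hypothetical `register` and `update_profile` functions standing in for the project's register and save paths, and counts Unicode characters rather than bytes so a non-ASCII name is judged by its visible length.

```rust
// Added example (not vaultwarden code): one shared name-length check applied on
// both the registration and the profile-update path, so a rename after account
// creation cannot bypass the limit raised in the last comment.
// MAX_NAME_CHARS = 50 is an assumption taken from the Bitwarden limit cited in the thread.

const MAX_NAME_CHARS: usize = 50;

#[derive(Debug, PartialEq)]
pub enum NameError {
    Empty,
    TooLong { chars: usize, max: usize },
}

#[derive(Debug, PartialEq)]
pub struct User {
    pub email: String,
    pub name: String,
}

/// Validate a display name before it is persisted. Counts Unicode scalar
/// values rather than bytes so a multi-byte name (e.g. accented letters) is
/// measured by its character count, not its UTF-8 encoding size.
pub fn validate_name(name: &str) -> Result<String, NameError> {
    let trimmed = name.trim();
    if trimmed.is_empty() {
        return Err(NameError::Empty);
    }
    let chars = trimmed.chars().count();
    if chars > MAX_NAME_CHARS {
        return Err(NameError::TooLong { chars, max: MAX_NAME_CHARS });
    }
    Ok(trimmed.to_string())
}

/// Hypothetical registration path: reject the request before any user row exists.
pub fn register(email: &str, name: &str) -> Result<User, NameError> {
    let name = validate_name(name)?;
    Ok(User { email: email.to_string(), name })
}

/// Hypothetical profile-update path: the same check, so the existing name is
/// left untouched when the new one is rejected.
pub fn update_profile(user: &mut User, new_name: &str) -> Result<(), NameError> {
    user.name = validate_name(new_name)?;
    Ok(())
}

fn main() {
    let mut user = register("alice@example.com", "Alice").expect("valid name");
    // Constructed input: a 100000-character name, the size `pwgen 100000 1` produced in the report.
    let huge = "a".repeat(100_000);
    match update_profile(&mut user, &huge) {
        Err(NameError::TooLong { chars, max }) => println!("rejected: {} chars > {}", chars, max),
        other => println!("unexpected: {:?}", other),
    }
    println!("{:?}", user); // name is still "Alice"
}
```

Because the check runs inside `validate_name`, adding a third write path (an admin edit, an import) only requires calling the same function; a column width such as `varchar(x)` at the database layer is a useful second line of defence but does not replace the application-level error the reporter expected to see.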