[GH-ISSUE #424] /data directory is exposed #248

New issue

Closed

opened 2026-03-03 01:27:12 +03:00 by kerem · 4 comments

kerem commented 2026-03-03 01:27:12 +03:00

Owner

Copy link

Originally created by @carlchan on GitHub (Mar 6, 2019).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/424

Looks like the default rocket config exposes the /data directory, allowing download of the db.sqlite3 password database. While everything in it is encrypted, that doesn't seem like a good idea.

reproduce via going directly to
https://bitwarden_rs.domain/data/db.sqlite3

Originally created by @carlchan on GitHub (Mar 6, 2019). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/424 Looks like the default rocket config exposes the /data directory, allowing download of the db.sqlite3 password database. While everything in it is encrypted, that doesn't seem like a good idea. reproduce via going directly to https://bitwarden_rs.domain/data/db.sqlite3

kerem 2026-03-03 01:27:12 +03:00

• closed this issue
• added the
  troubleshooting
  label

kerem commented 2026-03-03 01:27:13 +03:00

Author

Owner

Copy link

@mprasil commented on GitHub (Mar 6, 2019):

There must be something else at play here. bitwarden_rs serves static files from web-vault sub-directory by default. I can't reproduce the issue personally, can you maybe provide some steps to reproduce?

<!-- gh-comment-id:470179731 --> @mprasil commented on GitHub (Mar 6, 2019): There must be something else at play here. `bitwarden_rs` serves static files from `web-vault` sub-directory by default. I can't reproduce the issue personally, can you maybe provide some steps to reproduce?

kerem commented 2026-03-03 01:27:13 +03:00

Author

Owner

Copy link

@carlchan commented on GitHub (Mar 6, 2019):

Hmm. I just have a mostly default config, with web-vault enabled (instaleld using pre-compiled version)

here's the relevant log from cargo:

[2019-03-06 11:36:53][rocket::rocket][INFO] GET /data/db.sqlite3:
[2019-03-06 11:36:53][][INFO] Matched: GET /<p..> [10] (web_files)
[2019-03-06 11:36:53][][INFO] Outcome: Success
[2019-03-06 11:36:53][_][INFO] Response succeeded.

<!-- gh-comment-id:470180285 --> @carlchan commented on GitHub (Mar 6, 2019): Hmm. I just have a mostly default config, with web-vault enabled (instaleld using pre-compiled version) here's the relevant log from cargo: > [2019-03-06 11:36:53][rocket::rocket][INFO] GET /data/db.sqlite3: > [2019-03-06 11:36:53][_][INFO] Matched: GET /<p..> [10] (web_files) > [2019-03-06 11:36:53][_][INFO] Outcome: Success > [2019-03-06 11:36:53][_][INFO] Response succeeded.

kerem commented 2026-03-03 01:27:13 +03:00

Author

Owner

Copy link

@mprasil commented on GitHub (Mar 6, 2019):

This is what I get when trying the same:

[2019-03-06 16:40:52][rocket::rocket][INFO] GET /data/db.sqlite3 text/html:
[2019-03-06 16:40:52][_][INFO] Matched: GET /<p..> [10] (web_files)
[2019-03-06 16:40:52][_][ERROR] Response was a non-`Responder` `Err`: Os { code: 2, kind: NotFound, message: "No such file or directory" }.

Do you have your data folder somewhere inside your web-vault folder by any chance?

<!-- gh-comment-id:470182178 --> @mprasil commented on GitHub (Mar 6, 2019): This is what I get when trying the same: ``` [2019-03-06 16:40:52][rocket::rocket][INFO] GET /data/db.sqlite3 text/html: [2019-03-06 16:40:52][_][INFO] Matched: GET /<p..> [10] (web_files) [2019-03-06 16:40:52][_][ERROR] Response was a non-`Responder` `Err`: Os { code: 2, kind: NotFound, message: "No such file or directory" }. ``` Do you have your data folder somewhere inside your `web-vault` folder by any chance?

kerem commented 2026-03-03 01:27:13 +03:00

Author

Owner

Copy link

@carlchan commented on GitHub (Mar 6, 2019):

huh. you're right! how did that get there??

Yes that would be it, sorry, thank you.

<!-- gh-comment-id:470183281 --> @carlchan commented on GitHub (Mar 6, 2019): huh. you're right! how did that get there?? Yes that would be it, sorry, thank you.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

revert-7033-patch-1

cached-config-operations

test_dylint

1.35.8

1.35.7

1.35.6

1.35.5

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels   

SSO

  

Third party

  

better for forum

  

bug

  

bug

  

documentation

  

duplicate

  

enhancement

  

future Vault

  

future Vault

  

future Vault

  

good first issue

  

help wanted

  

low priority

  

notes

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

troubleshooting

  

wontfix

No labels

SSO

Third party

better for forum

bug

bug

documentation

duplicate

enhancement

future Vault

future Vault

future Vault

good first issue

help wanted

low priority

notes

pull-request

question

troubleshooting

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/vaultwarden#248

No description provided.