[PR #3157] [MERGED] Validate note sizes on key-rotation. #3234

New issue

Closed

opened 2026-03-03 09:42:01 +03:00 by kerem · 0 comments

kerem commented

2026-03-03 09:42:01 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/3157
Author: @BlackDex
Created: 1/20/2023
Status: ✅ Merged
Merged: 1/24/2023
Merged by: @dani-garcia

Base: main ← Head: issue-3152

📝 Commits (1)

34ac16e Validate note sizes on key-rotation.

📊 Changes

3 files changed (+30 additions, -8 deletions)

View changed files

📝 src/api/admin.rs (+3 -3)
📝 src/api/core/accounts.rs (+17 -5)
📝 src/api/notifications.rs (+10 -0)

📄 Description

We also need to validate the note sizes on key-rotation. If we do not validate them before we store them, that could lead to a partial or total loss of the password vault. Validating these restrictions before actually processing them to store/replace the existing ciphers should prevent this.

There was also a small bug when using web-sockets. The client which is triggering the password/key-rotation change should not be forced to logout via a web-socket request. That is something the client will handle it self. Refactored the logout notification to either send the device uuid or not on specific actions.

Fixes #3152

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/dani-garcia/vaultwarden/pull/3157 **Author:** [@BlackDex](https://github.com/BlackDex) **Created:** 1/20/2023 **Status:** ✅ Merged **Merged:** 1/24/2023 **Merged by:** [@dani-garcia](https://github.com/dani-garcia) **Base:** `main` ← **Head:** `issue-3152` --- ### 📝 Commits (1) - [`34ac16e`](https://github.com/dani-garcia/vaultwarden/commit/34ac16e9d77272a74c17eaaa90e79ca9d20f3af2) Validate note sizes on key-rotation. ### 📊 Changes **3 files changed** (+30 additions, -8 deletions) <details> <summary>View changed files</summary> 📝 `src/api/admin.rs` (+3 -3) 📝 `src/api/core/accounts.rs` (+17 -5) 📝 `src/api/notifications.rs` (+10 -0) </details> ### 📄 Description We also need to validate the note sizes on key-rotation. If we do not validate them before we store them, that could lead to a partial or total loss of the password vault. Validating these restrictions before actually processing them to store/replace the existing ciphers should prevent this. There was also a small bug when using web-sockets. The client which is triggering the password/key-rotation change should not be forced to logout via a web-socket request. That is something the client will handle it self. Refactored the logout notification to either send the device uuid or not on specific actions. Fixes #3152 --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>