Skip to content

[PM-22812] Attachments get corrupted when downgrading from cipherkeys #328

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weโ€™ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

[PM-22812] Attachments get corrupted when downgrading from cipherkeys #328

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d2b64a5
Return decrypted attachment key
gbubemismith Jun 24, 2025
e52bc41
Fixed lint link issue
gbubemismith Jun 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 28 additions & 0 deletions crates/bitwarden-vault/src/cipher/attachment.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,18 @@ pub struct AttachmentView {
pub size_name: Option<String>,
pub file_name: Option<String>,
pub key: Option<EncString>,
/// The decrypted attachmentkey in base64 format.
///
/// **TEMPORARY FIELD**: This field is a temporary workaround to provide
/// decrypted attachment keys to the TypeScript client during the migration
/// process. It will be removed once the encryption/decryption logic is
/// fully migrated to the SDK.
///
/// **Ticket**: <https://bitwarden.atlassian.net/browse/PM-23005>
///
/// Do not rely on this field for long-term use.
#[cfg(feature = "wasm")]
pub decrypted_key: Option<String>,
}

#[allow(missing_docs)]
Expand Down Expand Up @@ -160,13 +172,26 @@ impl Decryptable<KeyIds, SymmetricKeyId, AttachmentView> for Attachment {
ctx: &mut KeyStoreContext<KeyIds>,
key: SymmetricKeyId,
) -> Result<AttachmentView, CryptoError> {
let decrypted_key = if let Some(attachment_key) = &self.key {
let content_key_id = ctx.unwrap_symmetric_key(key, ATTACHMENT_KEY, attachment_key)?;

#[allow(deprecated)]
let actual_key = ctx.dangerous_get_symmetric_key(content_key_id)?;

Some(actual_key.to_base64())
} else {
None
};

Ok(AttachmentView {
id: self.id.clone(),
url: self.url.clone(),
size: self.size.clone(),
size_name: self.size_name.clone(),
file_name: self.file_name.decrypt(ctx, key)?,
key: self.key.clone(),
#[cfg(feature = "wasm")]
decrypted_key,
})
}
}
Expand Down Expand Up @@ -223,6 +248,7 @@ mod tests {
size_name: Some("100 Bytes".into()),
file_name: Some("Test.txt".into()),
key: None,
decrypted_key: None,
};

let contents = b"This is a test file that we will encrypt. It's 100 bytes long, the encrypted version will be longer!";
Expand Down Expand Up @@ -279,6 +305,7 @@ mod tests {
size_name: Some("161 Bytes".into()),
file_name: Some("Test.txt".into()),
key: Some("2.r288/AOSPiaLFkW07EBGBw==|SAmnnCbOLFjX5lnURvoualOetQwuyPc54PAmHDTRrhT0gwO9ailna9U09q9bmBfI5XrjNNEsuXssgzNygRkezoVQvZQggZddOwHB6KQW5EQ=|erIMUJp8j+aTcmhdE50zEX+ipv/eR1sZ7EwULJm/6DY=".parse().unwrap()),
decrypted_key: None,
};

let cipher = Cipher {
Expand Down Expand Up @@ -336,6 +363,7 @@ mod tests {
size_name: Some("161 Bytes".into()),
file_name: Some("Test.txt".into()),
key: None,
decrypted_key: None,
};

let cipher = Cipher {
Expand Down
6 changes: 5 additions & 1 deletion crates/bitwarden-vault/src/cipher/cipher.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -343,7 +343,7 @@ impl Decryptable<KeyIds, SymmetricKeyId, CipherView> for Cipher {
permissions: self.permissions,
view_password: self.view_password,
local_data: self.local_data.decrypt(ctx, ciphers_key).ok().flatten(),
attachments: self.attachments.decrypt(ctx, ciphers_key).ok().flatten(),
attachments: self.attachments.decrypt(ctx, ciphers_key)?,
fields: self.fields.decrypt(ctx, ciphers_key).ok().flatten(),
password_history: self
.password_history
Expand Down Expand Up @@ -962,6 +962,7 @@ mod tests {
size_name: None,
file_name: Some("Attachment test name".into()),
key: None,
decrypted_key: None,
};
cipher.attachments = Some(vec![attachment]);

Expand Down Expand Up @@ -1031,6 +1032,7 @@ mod tests {
size_name: None,
file_name: Some("Attachment test name".into()),
key: None,
decrypted_key: None,
};
cipher.attachments = Some(vec![attachment]);

Expand Down Expand Up @@ -1074,6 +1076,7 @@ mod tests {
size_name: None,
file_name: Some("Attachment test name".into()),
key: Some(attachment_key_enc),
decrypted_key: None,
};
cipher.attachments = Some(vec![attachment]);
let cred = generate_fido2(&mut key_store.context(), SymmetricKeyId::User);
Expand Down Expand Up @@ -1141,6 +1144,7 @@ mod tests {
size_name: None,
file_name: Some("Attachment test name".into()),
key: Some(attachment_key_enc.clone()),
decrypted_key: None,
};
cipher.attachments = Some(vec![attachment]);

Expand Down
Loading