Merge branch 'feature/PB-39183_52-Publish-production-API' into 'master'

PB-39183 Merge release into master (v4.11.1) See merge request passbolt/passbolt-ce-api!337
passbolt · Feb 17, 2025 · d96c8b6 · d96c8b6
2 parents bcaf0ad + 9b18cc6
commit d96c8b6
Show file tree

Hide file tree

Showing 30 changed files with 492 additions and 253 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,14 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [4.11.1] - 2025-02-17
+### Security
+- PB-39045 Fix empty fullBaseUrl leading to Host header injection attack
+
+## [4.11.1-test.1] - 2025-02-14
+### Security
+- PB-39045 Fix empty fullBaseUrl leading to Host header injection attack
+
 ## [4.11.0] - 2025-01-30
 ### Added
 - PB-35761 As an administrator I receive an email if zero_knowledge_key_share is set to true and a new user completed the setup

diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
@@ -1,53 +1,9 @@
-Release song: https://www.youtube.com/watch?v=3RmQTYLD398
+Release song: https://youtu.be/U16Xg_rQZkA?si=cVcmovGWluuo8oYj
 
-Passbolt v4.11.0 introduces beta support for encrypted metadata in the administration settings, laying groundwork for the upcoming v5 release and its new resource format. This beta feature allows developers and integrators to explore and adapt their systems ahead of the transition.
+Passbolt is pleased to announce the immediate availability of version v4.11.1. This version is a targeted security release of the API focusing on fixing the security issue reported by a security researcher.
 
-This release also resolves a security issue where an attacker could modify the Passbolt URL in certain emails if an administrator’s configuration was invalid. Additionally, role-based access control is now enforced for the “Copy to Clipboard” feature in the browser extension. Vulnerabilities in dependencies—though not directly impacting Passbolt—have been addressed as well.
-
-As one of the final updates in the v4 series, this version prepares administrators for v5. While v4.11.0 does not require PHP 8.2, v5 will. We recommend beginning to plan or upgrade PHP to ensure a smooth transition. If a server migration is needed, please consult the online documentation.
-
-Thank you to the community for your feedback and support.
-
-## [4.11.0] - 2025-01-30
-### Added
-- PB-35761 As an administrator I receive an email if zero_knowledge_key_share is set to true and a new user completed the setup
-- PB-36558 As an administrator I can mark metadata_keys as expired
-- PB-35986 As an administrator I can share missing metadata private keys for users that needs them
-- PB-35925 As an administrator I can see if users are missing access to metadata keys
-- PB-37069 As an administration I can run a command to share metadata private keys with users that need them
-- PB-37068 As a user I can see if I am missing metadata keys
-- PB-36600 As an administrator I should be notified when an administrator expires a metadata key
-- PB-35418 As an administrator I should receive an email notification when a metadata key is deleted
-- PB-37361 As an administrator I can rotate metadata keys encrypting resources metadata
-- PB-37697 As an administrator I can upgrade resources to v5 format
-- PB-35927 As an administrator I can define an allow_v4_v5_upgrade metadata type settings
-- PB-35923 As an administrator I cannot add a new metadata key if there is only 2 that are active
-- PB-34463 As an administrator I cannot reuse metadata keys as the account recovery key
-- PB-35929 Update edit resource to support allow_v4_v5_upgrade settings
-- PB-35932 Update edit folders to support allow_v4_v5_upgrade settings
-
-### Fixed
-- PB-37719 Fix resource types index controller should not return deleted resource types per default
-- PB-36925 Cast configure usage to avoid fatal type error on missing fullBaseUrl
-- PB-36576 Fix as a user I cannot create or edit a tag with an expired or deleted metadata key
-- PB-37097 Fix prevent to use v5 resource_type_ids if v5 flag is off
-- PB-36930 Fix some email sentences not translated and markers errors in translation
-- PB-37096 Fix healthcheck relying on symfony/process should fail gracefully in case of process run exception (GITHUB #531)
-- PB-36989 Fix namespace composer warnings
-- PB-37343 Fixes postgres dump by adding PGPASSWORD env since .pgpass is not generated on the passbolt installation
-- PB-38026 As an administrator running the cleanup command I should not see issues on soft deleted groups
-- PB-38261 Fix always failing IsNotAccountRecoveryFingerprintRule for metadata keys
-- PB-38262 Fix always failing metadata key creation when zero-knowledge is disabled, and no metadata keys are present
+We would like to express our appreciation to the community for their assistance in making Passbolt more secure. Further details can be found in [the incident report](https://www.passbolt.com/incidents/host-header-injection-vulnerability).
 
+## [4.11.1] - 2025-02-17
 ### Security
-- PB-37974 Upgrade CakePHP to v4.5.9
-- PB-38166 Passbolt app router should not fall back on Host header if full-base url is not set
-
-### Maintenance
-- PB-35785 Upgrade psalm/phpstan to latest version as applicable
-- PB-35119 Fix tests failing when full base url is not-https
-- PB-37000 Fix bug of wrong relation for Rbacs to Log.Actions.
-- PB-37072 Fix LatestVersionApplicationHealthcheck test failing due to github not reachable
-- PB-37071 Fix PHPUnit 10 deprecations
-- PB-36237 Fix frequently failing TOTP setup/verify tests
-- PB-38184 Fix synk vulnerability for nesbot/carbon PHP Remote File Inclusion
+- PB-39045 Fix empty fullBaseUrl leading to Host header injection attack
diff --git a/config/bootstrap.php b/config/bootstrap.php
@@ -154,6 +154,8 @@
  * This URL is used as the base of all absolute links.
  */
 $fullBaseUrl = Configure::read('App.fullBaseUrl');
+// Store original full base url from config before it's been modified
+Configure::write('passbolt.originalFullBaseUrl', $fullBaseUrl);
 if (!$fullBaseUrl) {
     /*
      * When using proxies or load balancers, SSL/TLS connections might

diff --git a/config/default.php b/config/default.php
@@ -40,6 +40,8 @@
         // Edition.
         'edition' => 'ce',
         'featurePluginAdder' => \App\BaseSolutionBootstrapper::class,
+        // set in bootstrap.php
+        'originalFullBaseUrl' => '',
         'v5' => [
             'enabled' => filter_var(env('PASSBOLT_V5_ENABLED', false), FILTER_VALIDATE_BOOLEAN),
         ],
@@ -328,7 +330,9 @@
                 'secure' => filter_var(env('PASSBOLT_SECURITY_COOKIE_SECURE', true), FILTER_VALIDATE_BOOLEAN)
             ],
             'setHeaders' => filter_var(env('PASSBOLT_SECURITY_SET_HEADERS', true), FILTER_VALIDATE_BOOLEAN),
-            'preventHostHeaderFallback' => filter_var(env('PASSBOLT_SECURITY_PREVENT_HOST_HEADER_FALLBACK', false), FILTER_VALIDATE_BOOLEAN),
+            // By default, false (unsafe) for BC, will be true in v5.0
+            'fullBaseUrlEnforce' => filter_var(env('PASSBOLT_SECURITY_FULLBASEURL_ENFORCE', false), FILTER_VALIDATE_BOOLEAN),
+            'emptyFullBaseUrlWarn' => filter_var(env('PASSBOLT_SECURITY_EMPTY_FULLBASEURL_WARN', true), FILTER_VALIDATE_BOOLEAN),
             'csrfProtection' => [
                 'active' => true,
                 'unlockedActions' => [

diff --git a/config/version.php b/config/version.php
@@ -1,8 +1,8 @@
 <?php
 return [
     'passbolt' => [
-        'version' => '4.11.0',
-        'name' => 'Fortunate Son',
+        'version' => '4.11.1',
+        'name' => 'Rebel Rebel',
     ],
     'php' => [
         'minVersion' => '7.4',

diff --git a/resources/locales/de_DE/default.po b/resources/locales/de_DE/default.po
@@ -1,8 +1,8 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: 41c2572bd9bd4cc908d3e09e0cbed6e5\n"
-"POT-Creation-Date: 2025-01-29 05:51+0000\n"
-"PO-Revision-Date: 2025-01-29 07:23\n"
+"POT-Creation-Date: 2025-02-14 07:10+0000\n"
+"PO-Revision-Date: 2025-02-14 10:59\n"
 "Last-Translator: NAME <EMAIL@ADDRESS>\n"
 "Language-Team: German\n"
 "MIME-Version: 1.0\n"
@@ -391,6 +391,9 @@ msgstr "Benutzer existiert nicht."
 msgid "No admin were found in the database."
 msgstr "Es wurde kein Administrator in der Datenbank gefunden."
 
+msgid "The `{0}` configuration must be a valid non-empty string."
+msgstr ""
+
 msgid "Invalid expiry time {0}."
 msgstr "Ungültige Gültigkeitsdauer {0}."
 
@@ -1102,6 +1105,9 @@ msgstr "{0} hat das Passwort {1} gelöscht"
 msgid "You edited a resource"
 msgstr ""
 
+msgid "{0} edited a resource"
+msgstr ""
+
 msgid "You edited the resource {0}"
 msgstr ""
 
@@ -1495,12 +1501,15 @@ msgstr "Bearbeite security.salt in {0}"
 msgid "App.fullBaseUrl validation OK."
 msgstr "App.fullBaseUrl Validierung OK."
 
-msgid "App.fullBaseUrl does not validate. {0}."
-msgstr "App.fullBaseUrl ist nicht gültig. {0}."
+msgid "App.fullBaseUrl does not validate. A valid URL/IP is accepted, but found \"{0}\"."
+msgstr ""
 
 msgid "Select a valid domain name as defined by section 2.3.1 of http://www.ietf.org/rfc/rfc1035.txt"
 msgstr "Wählen Sie einen gültigen Domänennamen gemäß Abschnitt 2.3.1 von http://www.ietf.org/rfc/rfc1035.txt"
 
+msgid "IMPORTANT: Using an empty App.fullBaseUrl can lead to host header injection attack: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection"
+msgstr ""
+
 msgid "The application is able to connect to the database"
 msgstr "Die Anwendung kann sich mit der Datenbank verbinden"
 

diff --git a/resources/locales/en_UK/default.po b/resources/locales/en_UK/default.po
@@ -5,7 +5,7 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: PROJECT VERSION\n"
-"POT-Creation-Date: 2025-01-29 05:51+0000\n"
+"POT-Creation-Date: 2025-02-14 07:10+0000\n"
 "PO-Revision-Date: YYYY-mm-DD HH:MM+ZZZZ\n"
 "Last-Translator: NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <EMAIL@ADDRESS>\n"
@@ -389,6 +389,9 @@ msgstr ""
 msgid "No admin were found in the database."
 msgstr ""
 
+msgid "The `{0}` configuration must be a valid non-empty string."
+msgstr ""
+
 msgid "Invalid expiry time {0}."
 msgstr ""
 
@@ -1100,6 +1103,9 @@ msgstr ""
 msgid "You edited a resource"
 msgstr ""
 
+msgid "{0} edited a resource"
+msgstr ""
+
 msgid "You edited the resource {0}"
 msgstr ""
 
@@ -1493,12 +1499,15 @@ msgstr ""
 msgid "App.fullBaseUrl validation OK."
 msgstr ""
 
-msgid "App.fullBaseUrl does not validate. {0}."
+msgid "App.fullBaseUrl does not validate. A valid URL/IP is accepted, but found \"{0}\"."
 msgstr ""
 
 msgid "Select a valid domain name as defined by section 2.3.1 of http://www.ietf.org/rfc/rfc1035.txt"
 msgstr ""
 
+msgid "IMPORTANT: Using an empty App.fullBaseUrl can lead to host header injection attack: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection"
+msgstr ""
+
 msgid "The application is able to connect to the database"
 msgstr ""
 

diff --git a/resources/locales/es_ES/cake.po b/resources/locales/es_ES/cake.po
@@ -2,7 +2,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: 41c2572bd9bd4cc908d3e09e0cbed6e5\n"
 "POT-Creation-Date: 2020-11-11 13:56+0100\n"
-"PO-Revision-Date: 2024-02-01 11:19\n"
+"PO-Revision-Date: 2025-02-14 10:59\n"
 "Last-Translator: NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Spanish\n"
 "MIME-Version: 1.0\n"
@@ -31,7 +31,7 @@ msgstr "Ha ocurrido un error interno"
 
 #: Controller/Component/AuthComponent.php:462
 msgid "You are not authorized to access that location."
-msgstr "No estás autorizado a acceder a esa ubicación."
+msgstr "No está autorizado a acceder a esa ubicación."
 
 #: Error/ExceptionRenderer.php:304
 msgid "Not Found"

diff --git a/resources/locales/es_ES/default.po b/resources/locales/es_ES/default.po
@@ -1,8 +1,8 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: 41c2572bd9bd4cc908d3e09e0cbed6e5\n"
-"POT-Creation-Date: 2025-01-29 05:51+0000\n"
-"PO-Revision-Date: 2025-01-29 11:23\n"
+"POT-Creation-Date: 2025-02-14 07:10+0000\n"
+"PO-Revision-Date: 2025-02-14 10:59\n"
 "Last-Translator: NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Spanish\n"
 "MIME-Version: 1.0\n"
@@ -391,6 +391,9 @@ msgstr "El usuario no existe."
 msgid "No admin were found in the database."
 msgstr "No se ha encontrado ningún administrador en la base de datos."
 
+msgid "The `{0}` configuration must be a valid non-empty string."
+msgstr ""
+
 msgid "Invalid expiry time {0}."
 msgstr "Tiempo de expiración no válido {0}."
 
@@ -1102,6 +1105,9 @@ msgstr "{0} ha eliminado la contraseña {1}"
 msgid "You edited a resource"
 msgstr "Se ha editado un recurso"
 
+msgid "{0} edited a resource"
+msgstr ""
+
 msgid "You edited the resource {0}"
 msgstr "Se ha editado el recurso {0}"
 
@@ -1495,12 +1501,15 @@ msgstr "Edite el security.salt en {0}"
 msgid "App.fullBaseUrl validation OK."
 msgstr "Validación de App.fullBaseUrl OK."
 
-msgid "App.fullBaseUrl does not validate. {0}."
-msgstr "App.fullBaseUrl no es válida. {0}."
+msgid "App.fullBaseUrl does not validate. A valid URL/IP is accepted, but found \"{0}\"."
+msgstr ""
 
 msgid "Select a valid domain name as defined by section 2.3.1 of http://www.ietf.org/rfc/rfc1035.txt"
 msgstr "Seleccione un nombre de dominio válido como se define en la sección 2.3.1 de http://www.ietf.org/rfc/rfc1035.txt"
 
+msgid "IMPORTANT: Using an empty App.fullBaseUrl can lead to host header injection attack: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection"
+msgstr ""
+
 msgid "The application is able to connect to the database"
 msgstr "La aplicación es capaz de conectarse a la base de datos"
 

diff --git a/resources/locales/fr_FR/default.po b/resources/locales/fr_FR/default.po
@@ -1,8 +1,8 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: 41c2572bd9bd4cc908d3e09e0cbed6e5\n"
-"POT-Creation-Date: 2025-01-29 05:51+0000\n"
-"PO-Revision-Date: 2025-01-29 07:23\n"
+"POT-Creation-Date: 2025-02-14 07:10+0000\n"
+"PO-Revision-Date: 2025-02-14 10:59\n"
 "Last-Translator: NAME <EMAIL@ADDRESS>\n"
 "Language-Team: French\n"
 "MIME-Version: 1.0\n"
@@ -391,6 +391,9 @@ msgstr "L'utilisateur n'existe pas."
 msgid "No admin were found in the database."
 msgstr "Aucun administrateur n'a été trouvé dans la base de données."
 
+msgid "The `{0}` configuration must be a valid non-empty string."
+msgstr ""
+
 msgid "Invalid expiry time {0}."
 msgstr "Délai d'expiration invalide {0}."
 
@@ -1102,6 +1105,9 @@ msgstr "{0} a supprimé le mot de passe {1}"
 msgid "You edited a resource"
 msgstr ""
 
+msgid "{0} edited a resource"
+msgstr ""
+
 msgid "You edited the resource {0}"
 msgstr ""
 
@@ -1495,12 +1501,15 @@ msgstr "Modifier le fichier security.salt dans {0}"
 msgid "App.fullBaseUrl validation OK."
 msgstr ""
 
-msgid "App.fullBaseUrl does not validate. {0}."
+msgid "App.fullBaseUrl does not validate. A valid URL/IP is accepted, but found \"{0}\"."
 msgstr ""
 
 msgid "Select a valid domain name as defined by section 2.3.1 of http://www.ietf.org/rfc/rfc1035.txt"
 msgstr "Sélectionnez un nom de domaine valide tel que défini par la section 2.3.1 de http://www.ietf.org/rfc/rfc1035.txt"
 
+msgid "IMPORTANT: Using an empty App.fullBaseUrl can lead to host header injection attack: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection"
+msgstr ""
+
 msgid "The application is able to connect to the database"
 msgstr "L'application est capable de se connecter à la base de données"
 

diff --git a/resources/locales/it_IT/default.po b/resources/locales/it_IT/default.po
@@ -1,8 +1,8 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: 41c2572bd9bd4cc908d3e09e0cbed6e5\n"
-"POT-Creation-Date: 2025-01-29 05:51+0000\n"
-"PO-Revision-Date: 2025-01-29 07:23\n"
+"POT-Creation-Date: 2025-02-14 07:10+0000\n"
+"PO-Revision-Date: 2025-02-14 10:59\n"
 "Last-Translator: NAME <EMAIL@ADDRESS>\n"
 "Language-Team: Italian\n"
 "MIME-Version: 1.0\n"
@@ -391,6 +391,9 @@ msgstr "L'utente non esiste."
 msgid "No admin were found in the database."
 msgstr "Nel database non è stato trovato nessun amministratore."
 
+msgid "The `{0}` configuration must be a valid non-empty string."
+msgstr ""
+
 msgid "Invalid expiry time {0}."
 msgstr "Scadenza {0} non valida."
 
@@ -1102,6 +1105,9 @@ msgstr "{0} ha cancellato la password {1}"
 msgid "You edited a resource"
 msgstr ""
 
+msgid "{0} edited a resource"
+msgstr ""
+
 msgid "You edited the resource {0}"
 msgstr ""
 
@@ -1495,12 +1501,15 @@ msgstr ""
 msgid "App.fullBaseUrl validation OK."
 msgstr ""
 
-msgid "App.fullBaseUrl does not validate. {0}."
+msgid "App.fullBaseUrl does not validate. A valid URL/IP is accepted, but found \"{0}\"."
 msgstr ""
 
 msgid "Select a valid domain name as defined by section 2.3.1 of http://www.ietf.org/rfc/rfc1035.txt"
 msgstr ""
 
+msgid "IMPORTANT: Using an empty App.fullBaseUrl can lead to host header injection attack: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection"
+msgstr ""
+
 msgid "The application is able to connect to the database"
 msgstr ""