mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-07-17 09:22:30 -05:00
[GH-ISSUE #2909] DNS lookup occurs before blacklist regex check #18182
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @viglianesed on GitHub (Nov 10, 2022).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/2909
Originally assigned to: @BlackDex on GitHub.
Subject of the issue
Vaultwarden server does a DNS lookup before checking the icon blacklist regex. https://github.com/dani-garcia/vaultwarden/blob/main/src/api/icons.rs#L264
This could cause deanonymization of the server owner/users.
Deployment environment
Install method: Docker
Clients used: n/a
Reverse proxy and version: n/a
MySQL/MariaDB or PostgreSQL version: n/a
Other relevant details: n/a
Steps to reproduce
A network DNS filtering solution like Pi-hole is recomended or any solution that logs DNS traffic.
"icon_blacklist_regex": "'^(.*\\.onion/.*)$'",or in the admin page, setIcon blacklist Regexto'^(.*\.onion/.*)$'.onionurl like ->http://1234567890.testing.dns.blacklist.onion/Expected behaviour
For privacy reasons, the
lookup_host((domain, 0)).awaitshould happen after the regex check.Actual behaviour
The regex part works and it doesn't contact the actual server:
The issue is that some user's may not filter
.onionDNS requests, so the DNS requests will be sent to the upstream DNS server where they will be most likely logged and identify the user as a Tor user.Troubleshooting data
Screenshot of a blocked DNS query:

Screenshot of the DNS regex blacklist rule:

@BlackDex commented on GitHub (Nov 10, 2022):
Thanks for your report.
I understand the issue, and i also think it is easy to resolve.