/data directory is exposed #2165

Closed
opened 2025-10-09 17:48:42 +03:00 by OVERLORD · 4 comments

Originally created by @carlchan on GitHub.

Looks like the default rocket config exposes the /data directory, allowing download of the db.sqlite3 password database. While everything in it is encrypted, that doesn't seem like a good idea.

reproduce via going directly to
https://bitwarden_rs.domain/data/db.sqlite3

OVERLORD added the troubleshooting label 2025-10-09 17:48:42 +03:00

@mprasil commented on GitHub:

There must be something else at play here. bitwarden_rs serves static files from web-vault sub-directory by default. I can't reproduce the issue personally, can you maybe provide some steps to reproduce?


@mprasil commented on GitHub:

This is what I get when trying the same:

```
[2019-03-06 16:40:52][rocket::rocket][INFO] GET /data/db.sqlite3 text/html:
[2019-03-06 16:40:52][_][INFO] Matched: GET /<p..> [10] (web_files)
[2019-03-06 16:40:52][_][ERROR] Response was a non-`Responder` `Err`: Os { code: 2, kind: NotFound, message: "No such file or directory" }.
```

Do you have your data folder somewhere inside your web-vault folder by any chance?

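The mechanism @mprasil points to is worth turning into a check: the `web_files` route serves anything reachable under the `web-vault` folder, so a data folder that sits inside it (or is reachable from it through a symlink) becomes downloadable. The script below is an added example, not code from this thread or from bitwarden_rs. It walks the web-vault folder the way a static file handler would and reports every file whose real path lies inside the data folder. `WEB_VAULT_FOLDER` and `DATA_FOLDER` are the project's configuration variable names; the defaults `web-vault` and `data` are assumed, and the three sample layouts are constructed in a temporary directory.

```python
"""Report files of the bitwarden_rs data folder that are reachable through the
statically served web-vault folder (added example, not project code)."""
import os
import tempfile


def is_inside(path: str, directory: str) -> bool:
    """True if `path` resolves (symlinks followed) to `directory` or below it."""
    real_path = os.path.realpath(path)
    real_dir = os.path.realpath(directory)
    try:
        return os.path.commonpath([real_path, real_dir]) == real_dir
    except ValueError:  # different drives on Windows: cannot be nested
        return False


def exposed_data_files(web_vault_folder: str, data_folder: str) -> list[str]:
    """Return URL paths under which files of `data_folder` would be served.

    Symlinks are followed, as a static file handler opening NamedFile would,
    and already-visited real directories are pruned so symlink loops end."""
    real_data = os.path.realpath(data_folder)
    seen_dirs = {os.path.realpath(web_vault_folder)}
    exposed = []
    for root, dirs, files in os.walk(web_vault_folder, followlinks=True):
        kept = []
        for d in dirs:
            real = os.path.realpath(os.path.join(root, d))
            if real not in seen_dirs:
                seen_dirs.add(real)
                kept.append(d)
        dirs[:] = kept  # in-place edit steers os.walk
        for name in files:
            full = os.path.join(root, name)
            if is_inside(full, real_data):
                rel = os.path.relpath(full, web_vault_folder)
                exposed.append("/" + rel.replace(os.sep, "/"))
    return sorted(exposed)


def check_from_env() -> list[str]:
    """Run the check against the folders the running instance is configured with.
    Default folder names are assumed to match the project's usual defaults."""
    return exposed_data_files(
        os.environ.get("WEB_VAULT_FOLDER", "web-vault"),
        os.environ.get("DATA_FOLDER", "data"),
    )


def _touch(path: str) -> None:
    with open(path, "w"):
        pass


def build_demo_layouts() -> dict[str, list[str]]:
    """Constructed sample layouts; returns {layout_name: exposed URL paths}."""
    base = tempfile.mkdtemp(prefix="bwrs-demo-")
    results = {}

    # 1. data folder nested inside web-vault: the misconfiguration in this issue
    vault = os.path.join(base, "nested", "web-vault")
    data = os.path.join(vault, "data")
    os.makedirs(data)
    _touch(os.path.join(vault, "index.html"))
    _touch(os.path.join(data, "db.sqlite3"))
    results["nested"] = exposed_data_files(vault, data)

    # 2. sibling folders: the default layout, nothing served from data
    vault = os.path.join(base, "sibling", "web-vault")
    data = os.path.join(base, "sibling", "data")
    os.makedirs(vault)
    os.makedirs(data)
    _touch(os.path.join(data, "db.sqlite3"))
    results["sibling"] = exposed_data_files(vault, data)

    # 3. sibling folders, but a symlink web-vault/data -> ../data re-exposes it
    vault = os.path.join(base, "symlink", "web-vault")
    data = os.path.join(base, "symlink", "data")
    os.makedirs(vault)
    os.makedirs(data)
    _touch(os.path.join(data, "db.sqlite3"))
    os.symlink(data, os.path.join(vault, "data"))
    results["symlink"] = exposed_data_files(vault, data)
    return results


if __name__ == "__main__":
    for layout, paths in build_demo_layouts().items():
        print(f"{layout:8s} exposed: {paths or 'nothing'}")
```

Run it from the instance's working directory with the same environment as the service, and `check_from_env()` returns an empty list for a healthy layout. The third sample layout is the reason the check walks the served tree instead of merely comparing the two configured paths: a plain prefix comparison would pass while a symlink still makes the database reachable.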

@carlchan commented on GitHub:

huh. you're right! how did that get there??

Yes that would be it, sorry, thank you.


@carlchan commented on GitHub:

Hmm. I just have a mostly default config, with web-vault enabled (installed using pre-compiled version)

here's the relevant log from cargo:

```
[2019-03-06 11:36:53][rocket::rocket][INFO] GET /data/db.sqlite3:
[2019-03-06 11:36:53][_][INFO] Matched: GET /<p..> [10] (web_files)
[2019-03-06 11:36:53][_][INFO] Outcome: Success
[2019-03-06 11:36:53][_][INFO] Response succeeded.
```

Reference: starred/vaultwarden#2165