[PM-36584] Bidirectional C2 in icons.bitwarden.net

[jengstrom-bw]

🎟️ Tracking

jira

📔 Objective

strip PNG metadata chunks
In IconLink.cs, FetchAsync just returns the raw bytes. Before we hand them back, we should walk the PNG chunk list and only keep the ones we actually need for rendering:

Keep: IHDR, PLTE, IDAT, IEND, tRNS, sRGB, gAMA, cHRM

Drop everything else. That kills tEXt/iTXt/zTXt and anything else an attacker might try. PNG chunk structure is simple (4-byte length, 4-byte type, data, CRC). Apply the same logic to PNG frames embedded inside ICO files.

Also drop SVG support from the proxy

[github-actions]

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

This PR closes a bidirectional C2 channel through icons.bitwarden.net by walking PNG chunk lists and only keeping rendering-essential chunks (IHDR, PLTE, IDAT, IEND, tRNS, sRGB, gAMA, cHRM), applying the same logic to PNG frames embedded in ICO files, and dropping SVG from the proxy's allowed media types. All previously raised concerns — fail-open on malformed chunks, the dead _svgXmlMediaType constant, the memory-amplification DoS via attacker-controlled ICO entry counts, and the redundant count == 0 guard — were addressed in commits fab4868, 210e760, 00d1754, and edb977d. Bounds arithmetic uses (long) to prevent integer overflow, parsers fail closed on malformed input, and tests cover the allowed/denied chunk matrix, IEND truncation, signature validation, ICO offset/size rewriting, and malformed embedded PNGs.

Code Review Details

No new findings. All previously raised issues have been resolved.

[codecov]

Codecov Report

❌ Patch coverage is 81.18812% with 19 lines in your changes missing coverage. Please review.
✅ Project coverage is 60.09%. Comparing base (766c33b) to head (edb977d).
⚠️ Report is 10 commits behind head on main.

Files with missing lines	Patch %	Lines
src/Icons/Models/IconLink.cs	81.18%	11 Missing and 8 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7668      +/-   ##
==========================================
+ Coverage   59.98%   60.09%   +0.11%     
==========================================
  Files        2133     2132       -1     
  Lines       93731    93985     +254     
  Branches     8311     8355      +44     
==========================================
+ Hits        56220    56479     +259     
+ Misses      35531    35514      -17     
- Partials     1980     1992      +12     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sonarqubecloud]

Quality Gate passed

Issues
3 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud