Browser extension: Vault export adds additional quote symbol in password

[keteague]

Steps To Reproduce

1. In the Chrome extension
2. Settings > Export vault > CSV format
3. Settings > Export vault > .json format
4. Copy the password from the BitWarden extension for Chrome and Firefox into a text editor
5. Open the exported CSV file, locate the password entry, and copy it from the export file to the other text editor for a top/bottom comparison. Here, we see the exported password is 1 character longer than the (correct) password that's still in the BitWarden vault, and we see an extra quotation mark added.
6. Open the exported JSON file, locate the password, and copy it to the other text editor for a top/bottom comparison - there is not an extra quotation mark, but there is an added backslash symbol.
7. Repeat all of the above steps with the Firefox extension and get the same result.

Expected Result

Original/correct password that is in the Bitwarden vault
n3:X]c}~(bq5ng{jprd=E6.hS+9Y?_Ask/x@gRu,)y4Jfq}%#B?Yrt&Z9yX(,d6gKM_3h4FPLV[p5D;.Cbzu7"/^8+@c

Actual Result

Oddly enough, I can't post my result here because GitHub's parser is jacking it up, too. You can view the original (correct) and exported results here: https://text.is/0N60

Screenshots or Videos

No response

Additional Context

• I submitted this problem yesterday with insufficient data and passed it off as a problem with viewing the exported CSV file in LibreOffice Calc. Today, I have more data to submit this as a bug report.
• Tested this in both Chrome 124.0.6367.118 (Official Build) (64-bit) and Firefox 115.8.0esr (64-bit)
• Reviewing my JSON export for other passwords, I have one other password that contains quotation marks separated far apart from each other, and each of them are prefixed with a \ symbol, while the original/correct password in the vault does not have them.
• It seems there's a problem with handling the export of passwords that contains quotation marks.

Operating System

Linux

Operating System Version

Debian GNU/Linux

Web Browser

Chrome

Browser Version

124.0.6367.118

Build Version

(Official Build) (64-bit)

Issue Tracking Info

• I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

[Krychaz]

Hi there,

Thank you for your report!

I was able to reproduce this issue, and I have flagged this to our engineering team.

If you wish to add any further information/screenshots/recordings etc., please feel free to do so at any time - our engineering team will be happy to review these.

Thanks once again!

[ev4x]

I just want to add to this issue it also regarding the export from the web vault so not only the browser plugins and it does not happen with every password which contains " in it.

[keteague]

Which characters have you found to be a problem. I may be incorrect, but I suspect the issue is related to BitWarden encasing the password, in full, within quotes. As such, if the password contains quotes, it has to escape them so it doesn't end the password string prematurely. Programmatically, that can be done using an extra quote or a backslash.

…

On Wed, May 29, 2024, 6:40 PM ev4x ***@***.***> wrote: I just want to add to this issue it also regarding the export from the web vault so not only the browser plugins and it does not happen with every password which contains " in it. — Reply to this email directly, view it on GitHub <#9124 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AFRPVMISGRXXPYJTBT46X4TZEZRQRAVCNFSM6AAAAABHQSBW5SVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMZYGQZDEMJZGI> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[ev4x]

I found it in one which contained q"+ in the json it was q"\+ but the \ is not in every password which has the the " character even if Bitwarden interpret it right i think this makes issues with compatibility and readability.

[keteague]

If I may respectfully suggest, review your reply. I'm not sure if what is in that reply makes sense (to me). I had a problem submitting this issue because github's message parser was butchering my password making my comparison look the same

…

On Thu, May 30, 2024, 7:48 AM ev4x ***@***.***> wrote: I found it in one which contained q"+ in the json it was q"+ but the \ is not in every password which has the the " character even if Bitwarden interpret it right i think this makes issues with compatibility and readability. — Reply to this email directly, view it on GitHub <#9124 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AFRPVMJVPTTQ5HEBNLTY5NLZE4N23AVCNFSM6AAAAABHQSBW5SVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMZZGQ4DKNZSHA> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[keteague]

I exported my vault in CSV format using the BitWarden app from the Apple App Store and it doesn't contain any additional characters in the two examples that I posted previously. The exported passwords appear to be exactly the same as what is currently in my vault.

App version: 2024.5.0 (24604)