Additional URLs potentially not found by the browser integration, if the first additional URL is deleted

[joanbm]

Expected Behavior

When one has the KeePassXC browser integration enabled, one can define, in addition to the "main" URL for an entry, multiple additional URLs in the "Browser Integration" tab when editing the entry. Those are expected to be considered when using using the browser integration to auto-complete, by matching those additional URLs with those of the website for which auto-completion is attempted.

NB: This is NOT issue #3848.

Current Behavior

I have found that in some cases, one can have additional URLs clearly defined in the user interface, but those are not considered by the browser extension. In particular, this happens if one adds two (or more) additional URLs, then one deletes the first additional URL that was added. In this case, even though the other additional URLs remain in the entry, the browser extension will ignore them.

Possible Solution

When one runs into this problem, one can workaround the issue by adding another additional URL (with whatever value, e.g. empty). This will make the auto-complete work again as expected.

Technically, it appears the cause for this is the function BrowserService::searchEntries defined in BrowserService.cpp. For reference the additional URL search loop looks like this (ADDITIONAL_URL is the string "KP2A_URL"):

            // Search for additional URL's starting with KP2A_URL
            if (entry->attributes()->keys().contains(ADDITIONAL_URL)) {
                for (const auto& key : entry->attributes()->keys()) {
                    if (key.startsWith(ADDITIONAL_URL)
                        && handleURL(entry->attributes()->value(key), url, submitUrl)) {
                        entries.append(entry);
                        continue;
                    }
                }
            }

The problem comes from the fact that as one adds, say, three additional URLs, those are added with the keys KP2A_URL, KP2A_URL_1, KP2A_URL_2, etc. If one deletes the first additional URL that was added, i.e. the one with the key KP2A_URL, the other two additional URLs with keys KP2A_URL_1, KP2A_URL_2 remain. However, the check entry->attributes()->keys().contains(ADDITIONAL_URL) fails since the first additional URL was deleted. Finally this causes the other additional URLs in the entry to be ignored.

Steps to Reproduce

1. Set up a KeePassXC environment with the browser integration enabled and fully functional in a browser, e.g. Firefox
2. Create a new entry in the database for a website, defining its title, username and password
3. Suppose that website has multiple login endpoints. Go to the "Browser Integration" tab and add two additional URLs, say, "https://www.example1.org" and "https://www.example2.org", in this order. Save the entry.
4. Try to autocomplete the credentials with the browser on both "https://www.example1.org" and "https://www.example2.org". Both cases should work.
5. Edit again the entry and delete the additional URL for "https://www.example1.org", however, leave the entry for and "https://www.example2.org". Save the entry.
6. Try to autocomplete the credentials with the browser on both "https://www.example1.org" and "https://www.example2.org". The autocompletion on "https://www.example1.org" will not work as expected, since that additional URL was deleted, however, the autocompletion will also not work on "https://www.example2.org" due to the mentioned problem.

You can find a video showing the issue here (ignore the graphics glitches, those are another problem altogether): VideoRepro.ogv.zip

Context

I was using multiple additional URLs for an account where I could login from multiple different endpoints. As that website was updated, I have modified the entry to add new additional URLs and delete the old ones. This has resulted in me running into the above issue.

Debug Info

KeePassXC - Version 2.5.1-snapshot
Build Type: Snapshot
Revision: ed0b768

Qt 5.13.2
Debugging mode is disabled.

Operating system: Arch Linux
CPU architecture: x86_64
Kernel: linux 5.4.3-arch1-1001

Enabled extensions:

• Auto-Type
• Browser Integration
• SSH Agent
• KeeShare (signed and unsigned sharing)
• YubiKey
• Secret Service Integration

Cryptographic libraries:
libgcrypt 1.8.5

[joanbm]

Just removing that if statement should be enough to fix the problem, and as far as I understand it shouldn't introduce any noticeable performance impact since entry->attributes()->keys() is just a QList<QString> instead of e.g. a hash table, so presumably contains() iterates over the entire list.

[droidmonkey]

I think the real issue is that the additional attributes should be entirely rebuilt when an item is deleted. Otherwise the numbering can get all jacked up.

[varjolintu]

Actually the numbering works just fine. If you remove the first entry, the next URL added will have the KP2A_URL attribute name. If you delete some URL from the middle, the next URL added takes the next free position.

So the if condition is to be blamed. I'll fix this today.