[PM-31942] Handle load/save Access Intelligence reports as files (pt. 1) by lastbestdev · Pull Request #19922 · bitwarden/clients

lastbestdev · 2026-04-01T18:37:13Z

🎟️ Tracking

Part 1 of https://bitwarden.atlassian.net/browse/PM-31942

📔 Objective

Includes model updates for making requests to the updated Access Intelligence report file APIs (changes here)
Adds AccessIntelligenceApiService for calls to new APIs. Includes default implementation + tests

📸 Screenshots

N/A

…nts into dirt/api-service/pm-31942

github-actions · 2026-04-01T18:49:23Z

Checkmarx One – Scan Summary & Details – cc84d872-8afc-4997-aa4d-71a7bbd95e6b

New Issues (33)

Checkmarx found the following issues in this Pull Request

#	Issue	Source File / Package	Checkmarx Insight
1	Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 328	details Method Lambda at line 328 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
2	Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 360	details Method Lambda at line 360 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
3	Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 328	details Method Lambda at line 328 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
4	Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 360	details Method Lambda at line 360 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
5	Client_DOM_XSS	/apps/web/src/connectors/redirect.ts: 6	details The method Lambda embeds untrusted data in generated output with href, at line 16 of /apps/web/src/connectors/redirect.ts. This untrusted data is... Attack Vector
6	Relative_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 397	details Method Lambda at line 397 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
7	Relative_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 397	details Method Lambda at line 397 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
8	SSRF	/libs/common/src/services/api.service.ts: 1325	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1270. How... Attack Vector
9	SSRF	/libs/common/src/services/api.service.ts: 1324	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
10	SSRF	/libs/common/src/services/api.service.ts: 1325	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
11	SSRF	/libs/common/src/services/api.service.ts: 1327	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1270. How... Attack Vector
12	SSRF	/libs/common/src/services/api.service.ts: 1335	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1270. How... Attack Vector
13	SSRF	/libs/common/src/services/api.service.ts: 1328	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1270. How... Attack Vector
14	SSRF	/libs/common/src/services/api.service.ts: 1327	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
15	SSRF	/libs/common/src/services/api.service.ts: 1335	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
16	SSRF	/libs/common/src/services/api.service.ts: 1328	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
17	CVE-2025-13466	Npm-body-parser-2.2.0	details Recommended version: 2.2.1 Description: body-parser in version 2.2.0 is vulnerable to Denial-of-Service (DoS) due to inefficient handling of URL-encoded bodies with very large numbers of ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
18	Client_DOM_Open_Redirect	/apps/web/src/connectors/redirect.ts: 6	details The potentially tainted value provided by href in /apps/web/src/connectors/redirect.ts at line 6 is used as a destination URL by href in /apps/web... Attack Vector
19	Client_DOM_Open_Redirect	/apps/desktop/src/auth/scripts/duo.js: 277	details The potentially tainted value provided by substring in /apps/desktop/src/auth/scripts/duo.js at line 277 is used as a destination URL by open in /... Attack Vector
20	HttpOnly_Cookie_Flag_Not_Set	/apps/desktop/src/platform/services/server-communication-config/default-server-communication-config.service.ts: 71	details The web application's getCookies method creates a cookie cookies, at line 71 of /apps/desktop/src/platform/services/server-communication-config/d... Attack Vector
21	HttpOnly_Cookie_Flag_Not_Set	/apps/web/src/connectors/sso.ts: 37	details The web application's initiateBrowserSso method creates a cookie cookie, at line 37 of /apps/web/src/connectors/sso.ts, and returns it in the resp... Attack Vector
22	Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 403	details The application takes sensitive, personal data cipher, found at line 403 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotecte... Attack Vector
23	Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 402	details The application takes sensitive, personal data cipherService, found at line 402 of /apps/cli/src/commands/get.command.ts, and stores it in an unp... Attack Vector
24	Insecure_Storage_of_Sensitive_Data	/apps/cli/src/tools/export.command.ts: 76	details The application takes sensitive, personal data password, found at line 76 of /apps/cli/src/tools/export.command.ts, and stores it in an unprotect... Attack Vector
25	Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 387	details The application takes sensitive, personal data cipher, found at line 387 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotecte... Attack Vector
26	Insecure_Storage_of_Sensitive_Data	/apps/cli/src/tools/export.command.ts: 81	details The application takes sensitive, personal data password, found at line 81 of /apps/cli/src/tools/export.command.ts, and stores it in an unprotect... Attack Vector
27	Missing_HSTS_Header	/apps/cli/src/auth/commands/login.command.ts: 571	details The web-application does not define an HSTS header, leaving it vulnerable to attack. Attack Vector
28	SSL_Verification_Bypass	/scripts/reverse-proxy-emulator/index.ts: 219	details /scripts/reverse-proxy-emulator/index.ts relies HTTPS requests, in . The rejectUnauthorized parameter, at line 219, effectively disables verifi... Attack Vector
29	SSL_Verification_Bypass	/scripts/reverse-proxy-emulator/index.ts: 301	details /scripts/reverse-proxy-emulator/index.ts relies HTTPS requests, in Lambda. The rejectUnauthorized parameter, at line 301, effectively disables ... Attack Vector
30	Angular_Usage_of_Unsafe_DOM_Sanitizer	/libs/components/src/svg/svg.component.ts: 29	details Usage of an unsafe class bypassSecurityTrustHtml, which overrides output sanitization, was found at /libs/components/src/svg/svg.component.ts in ... Attack Vector
31	Angular_Usage_of_Unsafe_DOM_Sanitizer	/apps/desktop/src/app/components/avatar.component.ts: 96	details Usage of an unsafe class bypassSecurityTrustResourceUrl, which overrides output sanitization, was found at /apps/desktop/src/app/components/avatar... Attack Vector
32	Client_Use_Of_Iframe_Without_Sandbox	/apps/browser/src/autofill/overlay/inline-menu/pages/menu-container/autofill-inline-menu-container.ts: 107	details The application employs an HTML iframe at whose contents are not properly sandboxed Attack Vector
33	Missing_CSP_Header	/apps/cli/src/auth/commands/login.command.ts: 571	details A Content Security Policy is not explicitly defined within the web-application. Attack Vector

codecov · 2026-04-01T18:51:09Z

Codecov Report

❌ Patch coverage is 75.38462% with 16 lines in your changes missing coverage. Please review.
✅ Project coverage is 46.48%. Comparing base (7d43c72) to head (5a638c6).
⚠️ Report is 19 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
.../access-intelligence/models/api/report-file.api.ts	20.00%	8 Missing ⚠️
...-intelligence/models/api/access-report-file.api.ts	62.50%	3 Missing and 3 partials ⚠️
...ccess-intelligence/models/api/access-report.api.ts	50.00%	0 Missing and 2 partials ⚠️

Additional details and impacted files

@@           Coverage Diff            @@
##             main   #19922    +/-   ##
========================================
  Coverage   46.47%   46.48%            
========================================
  Files        3865     3871     +6     
  Lines      115186   115374   +188     
  Branches    17535    17569    +34     
========================================
+ Hits        53533    53630    +97     
- Misses      59209    59293    +84     
- Partials     2444     2451     +7

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

sonarqubecloud · 2026-04-03T18:04:36Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
8.9% Duplication on New Code

See analysis details on SonarQube Cloud

lastbestdev added 7 commits March 30, 2026 13:35

add feature flag and abstract AccessIntelligenceApiService

aa3172a

add default implementation of AccessIntelligenceApiService

f18404b

Merge branch 'main' into dirt/api-service/pm-31942

8817b12

remove feature flag for now

c7ec428

update api service to use models

ef851f1

add tests, fix create endpoint

cad3633

remove null values from summary and appplication update endpoints

a068d8b

lastbestdev requested a review from a team as a code owner April 1, 2026 18:37

lastbestdev mentioned this pull request Apr 1, 2026

[PM-31942] Add/update Access Intelligence models for saving reports as files #19803

Closed

lastbestdev and others added 4 commits April 1, 2026 11:37

Merge branch 'main' into dirt/api-service/pm-31942

67e33f7

remove bad comment

fb7c07b

Merge branch 'dirt/api-service/pm-31942' of github.com:bitwarden/clie…

7f42f8f

…nts into dirt/api-service/pm-31942

Merge branch 'main' into dirt/api-service/pm-31942

2e32e3f

lastbestdev and others added 4 commits April 1, 2026 13:03

Merge branch 'main' into dirt/api-service/pm-31942

7e6e7ba

add methods for new endpoints

e2157ef

add tests, update reportId to use OrganizationReportId type

6446c74

update return type for renew api

2633f74

lastbestdev mentioned this pull request Apr 3, 2026

[PM-31942] Implement File persistence service (pt. 2) #19962

Draft

update renew endpoint to correct path

5a638c6

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[PM-31942] Handle load/save Access Intelligence reports as files (pt. 1)#19922

[PM-31942] Handle load/save Access Intelligence reports as files (pt. 1)#19922
lastbestdev wants to merge 16 commits intomainfrom
dirt/api-service/pm-31942

lastbestdev commented Apr 1, 2026

Uh oh!

github-actions bot commented Apr 1, 2026 •

edited

Loading

Uh oh!

codecov bot commented Apr 1, 2026 •

edited

Loading

Uh oh!

sonarqubecloud bot commented Apr 3, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

lastbestdev commented Apr 1, 2026

🎟️ Tracking

📔 Objective

📸 Screenshots

Uh oh!

github-actions bot commented Apr 1, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

codecov bot commented Apr 1, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

sonarqubecloud bot commented Apr 3, 2026

Quality Gate passed

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

github-actions bot commented Apr 1, 2026 •

edited

Loading

codecov bot commented Apr 1, 2026 •

edited

Loading