PM-26896: Fix Autofill ancestry#6014

Draft
david-livefront wants to merge 1 commit into main from PM-26896-autofill-fix

david-livefront (Collaborator) commented Oct 13, 2025

🎟️ Tracking

PM-26896

📔 Objective

This PR updates the way Autofill works in order to avoid misaddressing the username/password to the wrong web-domain, which can leak user data.

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags)
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes

david-livefront added the hold do not merge yet label Oct 13, 2025

github-actions Bot (Contributor) commented Oct 13, 2025

Checkmarx One – Scan Summary & Details 8771e299-e3b1-4564-b336-7403e2217ca3

Great job! No new security vulnerabilities introduced in this pull request

codecov Bot commented Oct 13, 2025

Codecov Report

❌ Patch coverage is 80.00000% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 85.58%. Comparing base (83a9d35) to head (b523817).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...twarden/data/autofill/parser/AutofillParserImpl.kt | 75.00% | 0 Missing and 1 partial ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #6014      +/-   ##
==========================================
- Coverage   86.37%   85.58%   -0.79%     
==========================================
  Files         864      893      +29     
  Lines       62618    63758    +1140     
  Branches     9104     9115      +11     
==========================================
+ Hits        54085    54568     +483     
- Misses       5404     6060     +656     
- Partials     3129     3130       +1     

| Flag | Coverage Δ |
|---|---|
| app-data | 16.80% <80.00%> (-0.37%) ⬇️ |
| app-ui-auth-tools | 19.35% <0.00%> (+<0.01%) ⬆️ |
| app-ui-platform | 15.91% <0.00%> (+0.38%) ⬆️ |
| app-ui-vault | 28.23% <0.00%> (+<0.01%) ⬆️ |
| authenticator | 6.30% <0.00%> (-0.02%) ⬇️ |
| lib-core-network-bridge | 4.10% <0.00%> (-0.01%) ⬇️ |
| lib-data-ui | 1.12% <0.00%> (+<0.01%) ⬆️ |

Flags with carried forward coverage won't be shown. Click here to find out more.


david-livefront force-pushed the PM-26896-autofill-fix branch 5 times, most recently from 9bac36e to 70111b2 Compare October 21, 2025 18:23
david-livefront force-pushed the PM-26896-autofill-fix branch 2 times, most recently from 182091c to 4bac810 Compare November 7, 2025 22:03
github-actions Bot added app:password-manager Bitwarden Password Manager app context t:misc Change Type - ¯\_(ツ)_/¯ and removed hold do not merge yet labels Jan 9, 2026
david-livefront added t:bug Change Type - Bug and removed t:misc Change Type - ¯\_(ツ)_/¯ labels Feb 20, 2026
david-livefront added ai-review Request a Claude code review labels Feb 20, 2026
github-actions Bot removed ai-review Request a Claude code review t:bug Change Type - Bug labels Feb 20, 2026
david-livefront added ai-review Request a Claude code review t:bug Change Type - Bug labels Feb 20, 2026
david-livefront force-pushed the PM-26896-autofill-fix branch from e5980c9 to 7e1d689 Compare March 9, 2026 18:20
github-actions Bot removed the t:bug Change Type - Bug label Mar 9, 2026

claude Bot (Contributor) commented Mar 9, 2026

Claude finished @david-livefront's task in 2m 23s


Pull Request Review: PM-26896 - Fix Autofill ancestry

Summary

This PR is a security fix that prevents autofill credential misattribution across web domains. The change removes parentWebsite propagation during ViewNode tree traversal, ensuring each autofill view only uses its own webDomain as set by the Android framework.

Risk Level: Low | Change Type: Security Bugfix | Files Changed: 4 (2 source, 2 test)


What Changed

| File | Change |
|---|---|
| ViewNodeExtensions.kt | Removed parentWebsite parameter from toAutofillView(); website now sourced exclusively from the node's own webDomain |
| AutofillParserImpl.kt | Removed parentWebsite from recursive traverse(); minor flatMap cleanup |
| AutofillParserTests.kt | Updated mock signatures to match removed parameter |
| ViewNodeExtensionsTest.kt | Updated test signatures; removed "external website" test that exercised the deleted propagation path |

Security Analysis

Before: A parent ViewNode's webDomain propagated to all descendant nodes during traversal via parentWebsite. In multi-origin scenarios (e.g., iframes from different domains), this could cause credentials for domain A to be incorrectly attributed to input fields belonging to domain B -- a data leak vector.

After: Each ViewNode exclusively uses its own webDomain from the Android framework. The existing URL bar detection mechanism (urlBarWebsite via updateWebsiteIfNecessary) still provides a correct fallback for known browsers, but arbitrary parent-to-child domain inheritance is eliminated.

This approach is sound because:

  • The Android autofill framework sets webDomain on individual virtual ViewNodes within WebViews, so each input field inherently has the correct domain
  • Native app forms have null webDomain on all nodes, so behavior is unchanged
  • The URL bar fallback (lines 100-102, 116 in AutofillParserImpl.kt) remains intact for known browser packages

Findings

No issues found. The change is minimal, well-targeted, and correctly addresses the described security concern. Tests are appropriately updated to reflect the new behavior.

david-livefront added the t:bug Change Type - Bug label Mar 9, 2026
david-livefront force-pushed the PM-26896-autofill-fix branch from 7e1d689 to b523817 Compare May 18, 2026 21:55
github-actions Bot removed the t:bug Change Type - Bug label May 18, 2026

github-actions Bot (Contributor) commented May 18, 2026

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

This PR removes parent-to-child website propagation during AssistStructure.ViewNode traversal in the autofill parser, ensuring each AutofillView derives its website strictly from its own webDomain. The change addresses a data-leak risk where credentials could be addressed to the wrong web-domain when a child node inherited an ancestor's website in mixed-origin view hierarchies. The URL-bar based fallback in parseInternal.updateWebsiteIfNecessary remains intact, preserving correct domain attribution for the focused form. Tests were mechanically updated to match the new toAutofillView() signature and the now-removed parentWebsite override test was appropriately deleted.

Code Review Details

No findings.

The security intent (eliminate ambiguous parent-website inheritance) is correctly implemented, no execution paths were found where a removed fallback would regress legitimate autofill behavior, and the test suite is consistent with the API change.
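
The parent-to-child website inheritance that both reviews above describe, as an added Kotlin sketch that is not code from this PR or from the Bitwarden project. `Node`, `Field`, `traverseInherited`, `traverseOwnDomain` and `misattributed` are hypothetical names, the view tree is constructed, and the "before" traversal models the removed logic as an ancestor's domain winning once set, which is an assumption.

```kotlin
// Added illustration: simplified stand-in for AssistStructure.ViewNode (hypothetical type).
data class Node(
    val id: String,
    val webDomain: String? = null,
    val isInput: Boolean = false,
    val children: List<Node> = emptyList(),
)

// Parse result: the website each fillable field is attributed to.
data class Field(val id: String, val website: String?)

// "Before" model (assumption): the first domain seen on the way down is handed
// to every descendant and used instead of the descendant's own webDomain.
fun traverseInherited(node: Node, parentWebsite: String? = null): List<Field> {
    val website = parentWebsite ?: node.webDomain
    val own = if (node.isInput) listOf(Field(node.id, website)) else emptyList()
    return own + node.children.flatMap { traverseInherited(it, website) }
}

// "After" model: each field is attributed only to its own webDomain.
fun traverseOwnDomain(node: Node): List<Field> {
    val own = if (node.isInput) listOf(Field(node.id, node.webDomain)) else emptyList()
    return own + node.children.flatMap { traverseOwnDomain(it) }
}

// Fields whose attributed website differs from the webDomain on the node itself.
fun misattributed(root: Node, fields: List<Field>): List<Field> {
    val ownDomains = mutableMapOf<String, String?>()
    fun index(n: Node) {
        ownDomains[n.id] = n.webDomain
        n.children.forEach { index(it) }
    }
    index(root)
    return fields.filter { it.website != ownDomains[it.id] }
}

fun main() {
    // Constructed hierarchy: a page on a.example embedding a frame from b.example.
    val tree = Node("webview", webDomain = "a.example", children = listOf(
        Node("a-password", webDomain = "a.example", isInput = true),
        Node("frame", webDomain = "b.example", children = listOf(
            Node("b-password", webDomain = "b.example", isInput = true),
        )),
    ))
    println("inherited:  " + misattributed(tree, traverseInherited(tree)))
    println("own domain: " + misattributed(tree, traverseOwnDomain(tree)))
}
```

Under the inherited model the `b-password` field is reported as attributed to `a.example`; under the own-domain model no field is reported.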
