PM-25012: Cipher versioning data types

[nikwithak]

🎟️ Tracking

PM-25012

📔 Objective

Moves the deserialization of the data object into the SDK - as part of running cipher migrations, the CipherType objects will be extracted instead of being passed in from the client.

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation
  team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed
  issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – 27a69f41-25ca-4a7e-aa5f-e09a91eacf0f

New Issues (4)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	CVE-2025-7783	Npm-axios-1.9.0	details Recommended version: 1.11.0 Description: Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program... Attack Vector: NETWORK Attack Complexity: HIGH ID: xrUREEvyjvGvD6pKfH1T3B5LnXUz6JzUsz14TisVKNs%3D Vulnerable Package
	CVE-2025-7783	Npm-form-data-4.0.3	details Recommended version: 4.0.4 Description: Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program... Attack Vector: NETWORK Attack Complexity: HIGH ID: %2BxWcQnBS9X4Xok5ZwVX22K3TBoMdgVWw7G7X8zTMiaI%3D Vulnerable Package
	CVE-2025-54798	Npm-tmp-0.0.33	details Recommended version: 0.2.4 Description: tmp is a temporary file and directory creator for node.js. In versions prior to 0.2.4, tmp is vulnerable to an arbitrary temporary file "/" directo... Attack Vector: LOCAL Attack Complexity: HIGH ID: bhZ4%2FcSXS9FK4OiNvfMXf0G18EmOPXZddRTebiFzFjU%3D Vulnerable Package
	Parameter_Tampering	/crates/bitwarden-uniffi/kotlin/app/src/main/java/com/bitwarden/myapplication/MainActivity.kt: 399	details Method decryptVault at line 399 of /crates/bitwarden-uniffi/kotlin/app/src/main/java/com/bitwarden/myapplication/MainActivity.kt gets user input ... ID: yimmui1dZB4vMXJbg6D%2FzeEmYZ4%3D Attack Vector

[nikwithak]

Are there any concerns / issues with allowing (and ignoring) unknown fields during deserialization? Removing this attribute from all the CipherType types drastically simplifies the extraction process.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (vault/cipher-versioning-with-data@3127888). Learn more about missing BASE report.

Additional details and impacted files

@@                         Coverage Diff                          @@
##             vault/cipher-versioning-with-data     #433   +/-   ##
====================================================================
  Coverage                                     ?   74.78%           
====================================================================
  Files                                        ?      256           
  Lines                                        ?    22400           
  Branches                                     ?        0           
====================================================================
  Hits                                         ?    16752           
  Misses                                       ?     5648           
  Partials                                     ?        0           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.5% Duplication on New Code

See analysis details on SonarQube Cloud