PM-26896: Fix Autofill ancestry #6014

Draft
david-livefront wants to merge 1 commit into main from PM-26896-autofill-fix

@david-livefront david-livefront commented Oct 13, 2025

🎟️ Tracking

PM-26896

📔 Objective

This PR updates the way Autofill works in order to avoid misaddressing the username/password to the wrong web-domain, which can leak user data.

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags)
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes

@david-livefront david-livefront added the hold do not merge yet label Oct 13, 2025
github-actions bot commented Oct 13, 2025

Checkmarx One – Scan Summary & Details 8771e299-e3b1-4564-b336-7403e2217ca3

Great job! No new security vulnerabilities introduced in this pull request

codecov bot commented Oct 13, 2025

Codecov Report

❌ Patch coverage is 80.00000% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 85.06%. Comparing base (5bd15a8) to head (7e1d689).
⚠️ Report is 1 commits behind head on main.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| ...twarden/data/autofill/parser/AutofillParserImpl.kt | 75.00% | 0 Missing and 1 partial ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #6014      +/-   ##
==========================================
- Coverage   85.73%   85.06%   -0.67%     
==========================================
  Files         932      936       +4     
  Lines       59454    59474      +20     
  Branches     8367     8370       +3     
==========================================
- Hits        50971    50591     -380     
- Misses       5574     5981     +407     
+ Partials     2909     2902       -7     
| Flag | Coverage Δ |
| --- | --- |
| app-data | 17.42% <80.00%> (-0.41%) ⬇️ |
| app-ui-auth-tools | 21.04% <0.00%> (-0.12%) ⬇️ |
| app-ui-platform | 15.62% <0.00%> (-0.06%) ⬇️ |
| app-ui-vault | 26.51% <0.00%> (-0.01%) ⬇️ |
| authenticator | 6.61% <0.00%> (+<0.01%) ⬆️ |
| lib-core-network-bridge | 4.28% <0.00%> (+<0.01%) ⬆️ |
| lib-data-ui | 0.93% <0.00%> (+<0.01%) ⬆️ |


@david-livefront david-livefront force-pushed the PM-26896-autofill-fix branch 5 times, most recently from 9bac36e to 70111b2 Compare October 21, 2025 18:23
@david-livefront david-livefront force-pushed the PM-26896-autofill-fix branch 2 times, most recently from 182091c to 4bac810 Compare November 7, 2025 22:03
@github-actions github-actions bot added app:password-manager Bitwarden Password Manager app context t:misc Change Type - ¯\_(ツ)_/¯ and removed hold do not merge yet labels Jan 9, 2026
@david-livefront david-livefront added t:bug Change Type - Bug and removed t:misc Change Type - ¯\_(ツ)_/¯ labels Feb 20, 2026
@david-livefront david-livefront added ai-review Request a Claude code review labels Feb 20, 2026
@github-actions github-actions bot removed ai-review Request a Claude code review t:bug Change Type - Bug labels Feb 20, 2026
@david-livefront david-livefront added ai-review Request a Claude code review t:bug Change Type - Bug labels Feb 20, 2026
@david-livefront david-livefront force-pushed the PM-26896-autofill-fix branch from e5980c9 to 7e1d689 Compare March 9, 2026 18:20
@github-actions github-actions bot removed the t:bug Change Type - Bug label Mar 9, 2026
claude bot commented Mar 9, 2026

Claude finished @david-livefront's task in 2m 23s

Pull Request Review: PM-26896 - Fix Autofill ancestry

Summary

This PR is a security fix that prevents autofill credential misattribution across web domains. The change removes parentWebsite propagation during ViewNode tree traversal, ensuring each autofill view only uses its own webDomain as set by the Android framework.

Risk Level: Low | Change Type: Security Bugfix | Files Changed: 4 (2 source, 2 test)


What Changed

| File | Change |
| --- | --- |
| ViewNodeExtensions.kt | Removed parentWebsite parameter from toAutofillView(); website now sourced exclusively from the node's own webDomain |
| AutofillParserImpl.kt | Removed parentWebsite from recursive traverse(); minor flatMap cleanup |
| AutofillParserTests.kt | Updated mock signatures to match removed parameter |
| ViewNodeExtensionsTest.kt | Updated test signatures; removed "external website" test that exercised the deleted propagation path |

Security Analysis

Before: A parent ViewNode's webDomain propagated to all descendant nodes during traversal via parentWebsite. In multi-origin scenarios (e.g., iframes from different domains), this could cause credentials for domain A to be incorrectly attributed to input fields belonging to domain B -- a data leak vector.

After: Each ViewNode exclusively uses its own webDomain from the Android framework. The existing URL bar detection mechanism (urlBarWebsite via updateWebsiteIfNecessary) still provides a correct fallback for known browsers, but arbitrary parent-to-child domain inheritance is eliminated.

This approach is sound because:

  • The Android autofill framework sets webDomain on individual virtual ViewNodes within WebViews, so each input field inherently has the correct domain
  • Native app forms have null webDomain on all nodes, so behavior is unchanged
  • The URL bar fallback (lines 100-102, 116 in AutofillParserImpl.kt) remains intact for known browser packages

Findings

No issues found. The change is minimal, well-targeted, and correctly addresses the described security concern. Tests are appropriately updated to reflect the new behavior.

@david-livefront david-livefront added the t:bug Change Type - Bug label Mar 9, 2026
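
The before/after behaviour described in the review above, as an added example that is not part of the pull request or of Bitwarden's code base. It is a simplified Kotlin model: `Node`, `FillTarget`, `traverseInheriting` and `traverseOwnDomain` are hypothetical names, the tree is constructed sample data, and the `?:` fallback is an assumed shape for the removed `parentWebsite` propagation.

```kotlin
// Simplified, hypothetical model of an autofill view tree; not Bitwarden's classes.
data class Node(
    val id: String,
    val webDomain: String? = null, // domain the framework reported for this node, if any
    val isInput: Boolean = false,
    val children: List<Node> = emptyList(),
)

data class FillTarget(val id: String, val website: String?)

// "Before" shape (assumed): an ancestor's domain is carried down via parentWebsite.
fun traverseInheriting(node: Node, parentWebsite: String? = null): List<FillTarget> {
    val website = node.webDomain ?: parentWebsite
    val own = if (node.isInput) listOf(FillTarget(node.id, website)) else emptyList()
    return own + node.children.flatMap { traverseInheriting(it, website) }
}

// "After" shape: each node is attributed only to its own webDomain.
fun traverseOwnDomain(node: Node): List<FillTarget> {
    val own = if (node.isInput) listOf(FillTarget(node.id, node.webDomain)) else emptyList()
    return own + node.children.flatMap { traverseOwnDomain(it) }
}

fun main() {
    // Constructed sample: a page on a.example that embeds content from b.example.
    val tree = Node(
        id = "page", webDomain = "a.example",
        children = listOf(
            Node(id = "a-user", webDomain = "a.example", isInput = true),
            Node(
                id = "embedded-frame",
                children = listOf(
                    Node(id = "b-user", webDomain = "b.example", isInput = true),
                    // Field with no domain of its own: the case where inheritance guesses.
                    Node(id = "unlabelled", isInput = true),
                ),
            ),
        ),
    )
    val before = traverseInheriting(tree).associate { it.id to it.website }
    val after = traverseOwnDomain(tree).associate { it.id to it.website }
    check(before["unlabelled"] == "a.example") // domain inherited from the page root
    check(after["unlabelled"] == null)         // no inherited guess is made
    check(after["a-user"] == "a.example" && after["b-user"] == "b.example")
    println("before=$before\nafter=$after")
}
```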