Skip to content

[PM-38190] Improve sanitization of storybook args helper#21362

Draft
vleague2 wants to merge 1 commit into
mainfrom
uif/pm-38190/storybook-args
Draft

[PM-38190] Improve sanitization of storybook args helper#21362
vleague2 wants to merge 1 commit into
mainfrom
uif/pm-38190/storybook-args

Conversation

@vleague2

@vleague2 vleague2 commented Jun 18, 2026
edited by atlassian Bot
Loading

Copy link
Copy Markdown
Contributor

🎟️ Tracking

PM-38190

📔 Objective

This PR adds sanitization to the storybook args helper, which was previously possible to send XSS attacks through due to the way Storybook allows you to post messages that add story args. See linked vuln ticket for a more detailed writeup.

@vleague2 vleague2 requested review from a team and willmartian June 18, 2026 13:52
@vleague2 vleague2 added the ai-review Request a Claude code review label Jun 18, 2026
@github-actions

github-actions Bot commented Jun 18, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

Reviewed the sanitization hardening of the Storybook formatArgsForCodeSnippet helper (PM-38190), which renders attacker-influenceable story args into a compiled Angular template. Verified the three new defenses — HTML-attribute escaping, the isSafeArgKey key filter, and array-element quote/backslash escaping — against attribute-breakout, key-injection, and expression-breakout attack paths. Confirmed function args still correctly bypass the key filter via argsToTemplate, that no legitimate non-function args are over-rejected by the on* filter, and that the jest/tsconfig wiring brings the new spec into the test run.

Code Review Details

No findings. The escaping order (backslash before single-quote, then HTML-entity escaping of the assembled expression) is correct, primitive boolean/number paths are trusted by type, and the accompanying spec covers normal args, value-breakout XSS, key-injection XSS, and the unchanged function-arg path.

@sonarqubecloud

sonarqubecloud Bot commented Jun 18, 2026

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@codecov

codecov Bot commented Jun 18, 2026
edited
Loading

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 49.20%. Comparing base (427c146) to head (204fb23).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main   #21362   +/-   ##
=======================================
  Coverage   49.20%   49.20%           
=======================================
  Files        4071     4071           
  Lines      127744   127744           
  Branches    19551    19551           
=======================================
  Hits        62856    62856           
  Misses      60234    60234           
  Partials     4654     4654

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@willmartian willmartian Awaiting requested review from willmartian willmartian is a code owner automatically assigned from bitwarden/team-ui-foundation

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

ai-review Request a Claude code review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@vleague2