Add PM-34500-strict-cipher-decryption feature flag

[nikwithak]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-34500

📔 Objective

Adds the feature flag PM-34500-strict-cipher-decryption to enable strict decryption support in the SDK.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 46.46%. Comparing base (3751227) to head (62a75ce).
⚠️ Report is 174 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #19973   +/-   ##
=======================================
  Coverage   46.46%   46.46%           
=======================================
  Files        3866     3866           
  Lines      115255   115256    +1     
  Branches    17553    17553           
=======================================
+ Hits        53557    53558    +1     
  Misses      59257    59257           
  Partials     2441     2441           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Checkmarx One – Scan Summary & Details – 31bd8a10-5441-47ab-81c2-4c9a9cca3f03

---

New Issues (32)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 328	details Method Lambda at line 328 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
2		Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 360	details Method Lambda at line 360 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
3		Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 328	details Method Lambda at line 328 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
4		Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 360	details Method Lambda at line 360 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
5		Client_DOM_XSS	/apps/web/src/connectors/redirect.ts: 6	details The method Lambda embeds untrusted data in generated output with href, at line 16 of /apps/web/src/connectors/redirect.ts. This untrusted data is... Attack Vector
6		Relative_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 397	details Method Lambda at line 397 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
7		Relative_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 397	details Method Lambda at line 397 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
8		SSRF	/libs/common/src/services/api.service.ts: 1325	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1270. How... Attack Vector
9		SSRF	/libs/common/src/services/api.service.ts: 1324	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
10		SSRF	/libs/common/src/services/api.service.ts: 1325	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
11		SSRF	/libs/common/src/services/api.service.ts: 1327	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1270. How... Attack Vector
12		SSRF	/libs/common/src/services/api.service.ts: 1335	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1270. How... Attack Vector
13		SSRF	/libs/common/src/services/api.service.ts: 1328	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1270. How... Attack Vector
14		SSRF	/libs/common/src/services/api.service.ts: 1327	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
15		SSRF	/libs/common/src/services/api.service.ts: 1335	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
16		SSRF	/libs/common/src/services/api.service.ts: 1328	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
17		Client_DOM_Open_Redirect	/apps/web/src/connectors/redirect.ts: 6	details The potentially tainted value provided by href in /apps/web/src/connectors/redirect.ts at line 6 is used as a destination URL by href in /apps/web... Attack Vector
18		Client_DOM_Open_Redirect	/apps/desktop/src/auth/scripts/duo.js: 277	details The potentially tainted value provided by substring in /apps/desktop/src/auth/scripts/duo.js at line 277 is used as a destination URL by open in /... Attack Vector
19		HttpOnly_Cookie_Flag_Not_Set	/apps/desktop/src/platform/services/server-communication-config/default-server-communication-config.service.ts: 71	details The web application's getCookies method creates a cookie cookies, at line 71 of /apps/desktop/src/platform/services/server-communication-config/d... Attack Vector
20		HttpOnly_Cookie_Flag_Not_Set	/apps/web/src/connectors/sso.ts: 37	details The web application's initiateBrowserSso method creates a cookie cookie, at line 37 of /apps/web/src/connectors/sso.ts, and returns it in the resp... Attack Vector
21		Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 403	details The application takes sensitive, personal data cipher, found at line 403 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotecte... Attack Vector
22		Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 402	details The application takes sensitive, personal data cipherService, found at line 402 of /apps/cli/src/commands/get.command.ts, and stores it in an unp... Attack Vector
23		Insecure_Storage_of_Sensitive_Data	/apps/cli/src/tools/export.command.ts: 76	details The application takes sensitive, personal data password, found at line 76 of /apps/cli/src/tools/export.command.ts, and stores it in an unprotect... Attack Vector
24		Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 387	details The application takes sensitive, personal data cipher, found at line 387 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotecte... Attack Vector
25		Insecure_Storage_of_Sensitive_Data	/apps/cli/src/tools/export.command.ts: 81	details The application takes sensitive, personal data password, found at line 81 of /apps/cli/src/tools/export.command.ts, and stores it in an unprotect... Attack Vector
26		Missing_HSTS_Header	/apps/cli/src/auth/commands/login.command.ts: 571	details The web-application does not define an HSTS header, leaving it vulnerable to attack. Attack Vector
27		SSL_Verification_Bypass	/scripts/reverse-proxy-emulator/index.ts: 219	details /scripts/reverse-proxy-emulator/index.ts relies HTTPS requests, in . The rejectUnauthorized parameter, at line 219, effectively disables verifi... Attack Vector
28		SSL_Verification_Bypass	/scripts/reverse-proxy-emulator/index.ts: 301	details /scripts/reverse-proxy-emulator/index.ts relies HTTPS requests, in Lambda. The rejectUnauthorized parameter, at line 301, effectively disables ... Attack Vector
29		Angular_Usage_of_Unsafe_DOM_Sanitizer	/libs/components/src/svg/svg.component.ts: 29	details Usage of an unsafe class bypassSecurityTrustHtml, which overrides output sanitization, was found at /libs/components/src/svg/svg.component.ts in ... Attack Vector
30		Angular_Usage_of_Unsafe_DOM_Sanitizer	/apps/desktop/src/app/components/avatar.component.ts: 96	details Usage of an unsafe class bypassSecurityTrustResourceUrl, which overrides output sanitization, was found at /apps/desktop/src/app/components/avatar... Attack Vector
31		Client_Use_Of_Iframe_Without_Sandbox	/apps/browser/src/autofill/overlay/inline-menu/pages/menu-container/autofill-inline-menu-container.ts: 107	details The application employs an HTML iframe at whose contents are not properly sandboxed Attack Vector
32		Missing_CSP_Header	/apps/cli/src/auth/commands/login.command.ts: 571	details A Content Security Policy is not explicitly defined within the web-application. Attack Vector