Send Folder - drag and drop files and folders

[mzieniukbw]

🎟️ Tracking

Requires bitwarden/sdk-internal#881 and bitwarden/server#7307.
Baseline change #19887.

📔 Objective

Drag and drop any amount of files or folders into the Bitwarden app to create new send.
If Bitwarden desktop app is locked, user will be prompted to unlock first, to create Send.
Works in Web, Browser extension and Desktop.
Can drag folders and files (or a mix of both).

Entire app is a drag-drop-able.
Can also drag-drop into already opened Create File or Folder Send page.

Behind innovation-sprint-2026-send-folder feature flag.

CI expected to fail until SDK PR is merged.

Notes:

• Drag and drop into browser extension only works when popped out in separate window. (limitation)

📸 Screenshots

Web

On the entire app:

Screen.Recording.2026-04-03.at.16.58.17.mov

Within Create file / folder send:

Screen.Recording.2026-04-03.at.17.45.56.mov

When locked:

Browser extension

Screen.Recording.2026-04-03.at.17.50.24.mov

Desktop

Screen.Recording.2026-04-03.at.17.54.23.mov

[github-actions]

Checkmarx One – Scan Summary & Details – 4a303168-1561-4741-902f-54b6b185045a

---

New Issues (32)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 329	details Method Lambda at line 329 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
2		Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 361	details Method Lambda at line 361 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
3		Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 329	details Method Lambda at line 329 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
4		Absolute_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 361	details Method Lambda at line 361 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
5		Client_DOM_XSS	/apps/web/src/connectors/redirect.ts: 6	details The method Lambda embeds untrusted data in generated output with href, at line 16 of /apps/web/src/connectors/redirect.ts. This untrusted data is... Attack Vector
6		Relative_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 398	details Method Lambda at line 398 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
7		Relative_Path_Traversal	/apps/cli/src/oss-serve-configurator.ts: 398	details Method Lambda at line 398 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ... Attack Vector
8		SSRF	/libs/common/src/services/api.service.ts: 1325	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1270. How... Attack Vector
9		SSRF	/libs/common/src/services/api.service.ts: 1324	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
10		SSRF	/libs/common/src/services/api.service.ts: 1325	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
11		SSRF	/libs/common/src/services/api.service.ts: 1327	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1270. How... Attack Vector
12		SSRF	/libs/common/src/services/api.service.ts: 1335	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1270. How... Attack Vector
13		SSRF	/libs/common/src/services/api.service.ts: 1328	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1270. How... Attack Vector
14		SSRF	/libs/common/src/services/api.service.ts: 1327	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
15		SSRF	/libs/common/src/services/api.service.ts: 1335	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
16		SSRF	/libs/common/src/services/api.service.ts: 1328	details The application sends a request to a remote server, for some resource, using createRequest in /libs/common/src/services/api.service.ts:1241. How... Attack Vector
17		Client_DOM_Open_Redirect	/apps/web/src/connectors/redirect.ts: 6	details The potentially tainted value provided by href in /apps/web/src/connectors/redirect.ts at line 6 is used as a destination URL by href in /apps/web... Attack Vector
18		Client_DOM_Open_Redirect	/apps/desktop/src/auth/scripts/duo.js: 277	details The potentially tainted value provided by substring in /apps/desktop/src/auth/scripts/duo.js at line 277 is used as a destination URL by open in /... Attack Vector
19		HttpOnly_Cookie_Flag_Not_Set	/apps/desktop/src/platform/services/server-communication-config/default-server-communication-config.service.ts: 71	details The web application's getCookies method creates a cookie cookies, at line 71 of /apps/desktop/src/platform/services/server-communication-config/d... Attack Vector
20		HttpOnly_Cookie_Flag_Not_Set	/apps/web/src/connectors/sso.ts: 37	details The web application's initiateBrowserSso method creates a cookie cookie, at line 37 of /apps/web/src/connectors/sso.ts, and returns it in the resp... Attack Vector
21		Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 403	details The application takes sensitive, personal data cipher, found at line 403 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotecte... Attack Vector
22		Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 402	details The application takes sensitive, personal data cipherService, found at line 402 of /apps/cli/src/commands/get.command.ts, and stores it in an unp... Attack Vector
23		Insecure_Storage_of_Sensitive_Data	/apps/cli/src/tools/export.command.ts: 76	details The application takes sensitive, personal data password, found at line 76 of /apps/cli/src/tools/export.command.ts, and stores it in an unprotect... Attack Vector
24		Insecure_Storage_of_Sensitive_Data	/apps/cli/src/commands/get.command.ts: 387	details The application takes sensitive, personal data cipher, found at line 387 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotecte... Attack Vector
25		Insecure_Storage_of_Sensitive_Data	/apps/cli/src/tools/export.command.ts: 81	details The application takes sensitive, personal data password, found at line 81 of /apps/cli/src/tools/export.command.ts, and stores it in an unprotect... Attack Vector
26		Missing_HSTS_Header	/apps/cli/src/auth/commands/login.command.ts: 571	details The web-application does not define an HSTS header, leaving it vulnerable to attack. Attack Vector
27		SSL_Verification_Bypass	/scripts/reverse-proxy-emulator/index.ts: 219	details /scripts/reverse-proxy-emulator/index.ts relies HTTPS requests, in . The rejectUnauthorized parameter, at line 219, effectively disables verifi... Attack Vector
28		SSL_Verification_Bypass	/scripts/reverse-proxy-emulator/index.ts: 301	details /scripts/reverse-proxy-emulator/index.ts relies HTTPS requests, in Lambda. The rejectUnauthorized parameter, at line 301, effectively disables ... Attack Vector
29		Angular_Usage_of_Unsafe_DOM_Sanitizer	/libs/components/src/svg/svg.component.ts: 29	details Usage of an unsafe class bypassSecurityTrustHtml, which overrides output sanitization, was found at /libs/components/src/svg/svg.component.ts in ... Attack Vector
30		Angular_Usage_of_Unsafe_DOM_Sanitizer	/apps/desktop/src/app/components/avatar.component.ts: 96	details Usage of an unsafe class bypassSecurityTrustResourceUrl, which overrides output sanitization, was found at /apps/desktop/src/app/components/avatar... Attack Vector
31		Client_Use_Of_Iframe_Without_Sandbox	/apps/browser/src/autofill/overlay/inline-menu/pages/menu-container/autofill-inline-menu-container.ts: 107	details The application employs an HTML iframe at whose contents are not properly sandboxed Attack Vector
32		Missing_CSP_Header	/apps/cli/src/auth/commands/login.command.ts: 571	details A Content Security Policy is not explicitly defined within the web-application. Attack Vector

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud