fix(tracemetrics): Validate sort field names in parseSortBys

Extract SORTABLE_SAMPLE_COLUMNS to shared types module and use it in
parseSortBys to reject unknown field names from serialized query params,
falling back to default sort. Previously only the shape was validated,
allowing arbitrary field strings through to the API.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: nsdeschenes

static/app/views/explore/metrics/metricInfoTabs/metricsSamplesTableHeader.tsx

@@ -9,6 +9,7 @@ import {
   StyledSimpleTableHeaderCell,
 } from 'sentry/views/explore/metrics/metricInfoTabs/metricInfoTabStyles';
 import {
+  SORTABLE_SAMPLE_COLUMNS,
   TraceMetricKnownFieldKey,
   VirtualTableSampleColumnKey,
   type SampleTableColumnKey,
@@ -19,11 +20,6 @@ import {
   useSetQueryParamsSortBys,
 } from 'sentry/views/explore/queryParams/context';
 
-const SORTABLE_COLUMNS = new Set<SampleTableColumnKey>([
-  TraceMetricKnownFieldKey.METRIC_VALUE,
-  TraceMetricKnownFieldKey.TIMESTAMP,
-]);
-
 interface MetricsSamplesTableHeaderProps {
   columns: SampleTableColumnKey[];
   embedded?: boolean;
@@ -76,7 +72,7 @@ function FieldHeaderCellWrapper({
   const columnType = getMetricTableColumnType(field);
   const label = getFieldLabel(field);
   const hasPadding = field !== VirtualTableSampleColumnKey.EXPAND_ROW;
-  const canSort = SORTABLE_COLUMNS.has(field);
+  const canSort = SORTABLE_SAMPLE_COLUMNS.has(field);
 
   function handleSortClick() {
     const kind = sort === 'desc' ? 'asc' : 'desc';

static/app/views/explore/metrics/metricQuery.spec.tsx

@@ -155,6 +155,22 @@ describe('decodeMetricsQueryParams', () => {
     expect(result?.queryParams.sortBys).toEqual([{field: 'timestamp', kind: 'desc'}]);
   });
 
+  it('falls back to default sortBys when field is not sortable', () => {
+    const json = JSON.stringify({
+      metric: {name: 'test_metric', type: 'counter'},
+      query: '',
+      aggregateFields: [{yAxes: ['sum(value,test_metric,counter,-)']}],
+      aggregateSortBys: [],
+      sortBys: [{field: 'arbitrary_field', kind: 'desc'}],
+      mode: 'samples',
+    });
+
+    const result = decodeMetricsQueryParams(json);
+
+    expect(result).not.toBeNull();
+    expect(result?.queryParams.sortBys).toEqual([{field: 'timestamp', kind: 'desc'}]);
+  });
+
   it('falls back to default sortBys when format is invalid', () => {
     const json = JSON.stringify({
       metric: {name: 'test_metric', type: 'counter'},

static/app/views/explore/metrics/metricQuery.tsx

@@ -3,6 +3,7 @@ import type {Location} from 'history';
 import {defined} from 'sentry/utils';
 import type {Sort} from 'sentry/utils/discover/fields';
 import {Mode} from 'sentry/views/explore/contexts/pageParamsContext/mode';
+import {SORTABLE_SAMPLE_COLUMNS} from 'sentry/views/explore/metrics/types';
 import type {AggregateField} from 'sentry/views/explore/queryParams/aggregateField';
 import {validateAggregateSort} from 'sentry/views/explore/queryParams/aggregateSortBy';
 import {isGroupBy, type GroupBy} from 'sentry/views/explore/queryParams/groupBy';
@@ -234,6 +235,7 @@ function parseSortBys(value: unknown, fields: string[]): Sort[] {
       typeof v === 'object' &&
       'field' in v &&
       typeof v.field === 'string' &&
+      SORTABLE_SAMPLE_COLUMNS.has(v.field) &&
       'kind' in v &&
       (v.kind === 'asc' || v.kind === 'desc')
   );

static/app/views/explore/metrics/types.tsx

@@ -106,3 +106,8 @@ export enum VirtualTableSampleColumnKey {
 }
 
 export type SampleTableColumnKey = TraceMetricFieldKey | VirtualTableSampleColumnKey;
+
+export const SORTABLE_SAMPLE_COLUMNS = new Set<SampleTableColumnKey>([
+  TraceMetricKnownFieldKey.METRIC_VALUE,
+  TraceMetricKnownFieldKey.TIMESTAMP,
+]);