Skip to content

output_sanitizer: data-URI regex misses payloads with an extra MIME parameter #2

Description

@DearGitLab

The data-URI detector in src/agentrelay/security/output_sanitizer.py:46 only matches when base64 is the first parameter after the media type:

re.compile(r"data:(?:text|application)/[^;]+;base64,", re.IGNORECASE),  # data URIs

The [^;]+;base64, part means there can be exactly one ;-delimited segment between the MIME type and base64. A perfectly valid data URI is allowed to carry other parameters first, e.g. a charset:

data:text/html;charset=utf-8;base64,PHNjcmlwdD4...

That string is a legitimate, browser-honored data URI, but the regex never matches it because of the extra ;charset=utf-8 segment — so scan_output does not flag it under url_injection.

It will sometimes still get caught by _has_suspicious_base64 if the decoded body contains one of the hard-coded keywords (<script, exec, etc.), but that's a different, content-dependent path — the URL-shape detector itself is bypassable by simply prepending a parameter.

Expected: any data: URI with a base64 payload should be flagged regardless of how many parameters precede base64,.

Suggested tweak — allow zero or more parameter segments:

re.compile(r"data:(?:text|application)/[^;,]+(?:;[^;,]+)*;base64,", re.IGNORECASE)

Severity: Medium — it's a sanitizer gap, not a crash, but the whole point of this module is to be hard to slip past.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions