The data-URI detector in src/agentrelay/security/output_sanitizer.py:46 only matches when base64 is the first parameter after the media type:
re.compile(r"data:(?:text|application)/[^;]+;base64,", re.IGNORECASE), # data URIs
The [^;]+;base64, part means there can be exactly one ;-delimited segment between the MIME type and base64. A perfectly valid data URI is allowed to carry other parameters first, e.g. a charset:
data:text/html;charset=utf-8;base64,PHNjcmlwdD4...
That string is a legitimate, browser-honored data URI, but the regex never matches it because of the extra ;charset=utf-8 segment — so scan_output does not flag it under url_injection.
It will sometimes still get caught by _has_suspicious_base64 if the decoded body contains one of the hard-coded keywords (<script, exec, etc.), but that's a different, content-dependent path — the URL-shape detector itself is bypassable by simply prepending a parameter.
Expected: any data: URI with a base64 payload should be flagged regardless of how many parameters precede base64,.
Suggested tweak — allow zero or more parameter segments:
re.compile(r"data:(?:text|application)/[^;,]+(?:;[^;,]+)*;base64,", re.IGNORECASE)
Severity: Medium — it's a sanitizer gap, not a crash, but the whole point of this module is to be hard to slip past.
The data-URI detector in
src/agentrelay/security/output_sanitizer.py:46only matches whenbase64is the first parameter after the media type:The
[^;]+;base64,part means there can be exactly one;-delimited segment between the MIME type andbase64. A perfectly valid data URI is allowed to carry other parameters first, e.g. a charset:That string is a legitimate, browser-honored data URI, but the regex never matches it because of the extra
;charset=utf-8segment — soscan_outputdoes not flag it underurl_injection.It will sometimes still get caught by
_has_suspicious_base64if the decoded body contains one of the hard-coded keywords (<script,exec, etc.), but that's a different, content-dependent path — the URL-shape detector itself is bypassable by simply prepending a parameter.Expected: any
data:URI with abase64payload should be flagged regardless of how many parameters precedebase64,.Suggested tweak — allow zero or more parameter segments:
Severity: Medium — it's a sanitizer gap, not a crash, but the whole point of this module is to be hard to slip past.