github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 04:57:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): reject oversized base64 before decode

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-14 15:45:04 +01:00
parent 4f043991e0
commit 31791233d6
6 changed files with 74 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/media/input-files.ts
View File

@@ -1,6 +1,7 @@
import type { SsrFPolicy } from "../infra/net/ssrf.js";
import { fetchWithSsrFGuard } from "../infra/net/fetch-guard.js";
import { logWarn } from "../logger.js";
import { estimateBase64DecodedBytes } from "./base64.js";
type CanvasModule = typeof import("@napi-rs/canvas");
type PdfJsModule = typeof import("pdfjs-dist/legacy/build/pdf.mjs");
@@ -110,16 +111,6 @@ export const DEFAULT_INPUT_PDF_MAX_PAGES = 4;
export const DEFAULT_INPUT_PDF_MAX_PIXELS = 4_000_000;
export const DEFAULT_INPUT_PDF_MIN_TEXT_CHARS = 200;
function estimateBase64DecodedBytes(base64: string): number {
const cleaned = base64.trim().replace(/\s+/g, "");
if (!cleaned) {
return 0;
}
const padding = cleaned.endsWith("==") ? 2 : cleaned.endsWith("=") ? 1 : 0;
const estimated = Math.floor((cleaned.length * 3) / 4) - padding;
return Math.max(0, estimated);
}
function rejectOversizedBase64Payload(params: {
data: string;
maxBytes: number;