fix: improve redaction of base64 encoded strings

Only using regex to find and replace potential base64 strings (without actually trying to decode them), redacted strings that looked like base64, but was not actually base64. E.g. 'echo "yes" | foo' got redacted, even though 'yes' is not a base64 encoded string.
Realiserad · Aug 21, 2024 · 5cd0d6e · 5cd0d6e
1 parent d19ba2d
commit 5cd0d6e
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 6 deletions.
diff --git a/pyproject.toml b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "fish_ai"
-version = "0.9.4"
+version = "0.9.5"
 authors = [{ name = "Bastian Fredriksson", email = "realiserad@gmail.com" }]
 description = "Provides core functionality for fish-ai, an AI plugin for the fish shell."
 readme = "README.md"

diff --git a/src/fish_ai/redact.py b/src/fish_ai/redact.py
@@ -1,6 +1,7 @@
 # -*- coding: utf-8 -*-
 
 import re
+import base64
 
 
 def redact(messages):
@@ -62,8 +63,13 @@ def redact_pem_encoded_private_key_block(content):
 
 def redact_base64_data(content):
     pattern = r'["\']([A-Za-z0-9+\\/=]+={0,2})["\']'
-    replace_with = r'"<REDACTED>"'
-    return re.sub(
-        pattern,
-        replace_with,
-        content)
+
+    def redact_match(match):
+        encoded_string = match.group(1)
+        try:
+            base64.b64decode(encoded_string)
+            return r'"<REDACTED>"'
+        except base64.binascii.Error:
+            return match.group(0)
+
+    return re.sub(pattern, redact_match, content)