fix(media): anchor sanitizeMimeType regex (#9795)

bluesky6868 · bluesky6868 · commit 7abcecdb1ff6 · 2026-04-17T10:36:36.000-07:00
diff --git a/src/media-understanding/apply.sanitize-mime.test.ts b/src/media-understanding/apply.sanitize-mime.test.ts
@@ -0,0 +1,38 @@
+import { describe, expect, it } from "vitest";
+import { sanitizeMimeType } from "./apply.js";
+
+describe("sanitizeMimeType", () => {
+  it("accepts a plain type/subtype", () => {
+    expect(sanitizeMimeType("text/plain")).toBe("text/plain");
+    expect(sanitizeMimeType("application/json")).toBe("application/json");
+  });
+
+  it("lowercases and trims the input", () => {
+    expect(sanitizeMimeType("  Text/Plain  ")).toBe("text/plain");
+    expect(sanitizeMimeType("IMAGE/PNG")).toBe("image/png");
+  });
+
+  it("strips RFC 7231 parameters while keeping the type/subtype", () => {
+    expect(sanitizeMimeType("text/plain; charset=utf-8")).toBe("text/plain");
+    expect(sanitizeMimeType("application/json;charset=utf-8")).toBe("application/json");
+    expect(sanitizeMimeType("text/plain  ;  boundary=abc")).toBe("text/plain");
+  });
+
+  it("rejects inputs with invalid characters after the subtype (regression for #9795)", () => {
+    expect(sanitizeMimeType("text/plain<script>alert(1)</script>")).toBeUndefined();
+    expect(sanitizeMimeType("text/plain garbage")).toBeUndefined();
+    expect(sanitizeMimeType("text/plain\nContent-Type: text/html")).toBeUndefined();
+  });
+
+  it("rejects inputs missing a type or subtype", () => {
+    expect(sanitizeMimeType("textplain")).toBeUndefined();
+    expect(sanitizeMimeType("/plain")).toBeUndefined();
+    expect(sanitizeMimeType("text/")).toBeUndefined();
+  });
+
+  it("returns undefined for blank or missing input", () => {
+    expect(sanitizeMimeType(undefined)).toBeUndefined();
+    expect(sanitizeMimeType("")).toBeUndefined();
+    expect(sanitizeMimeType("   ")).toBeUndefined();
+  });
+});
diff --git a/src/media-understanding/apply.ts b/src/media-understanding/apply.ts
@@ -74,12 +74,18 @@ const TEXT_EXT_MIME = new Map<string, string>([
   [".xml", "application/xml"],
 ]);
 
-function sanitizeMimeType(value?: string): string | undefined {
+// Exported for direct testing; kept narrow since this is the single MIME
+// validator for media-understanding inputs.
+export function sanitizeMimeType(value?: string): string | undefined {
   const trimmed = normalizeOptionalLowercaseString(value);
   if (!trimmed) {
     return undefined;
   }
-  const match = trimmed.match(/^([a-z0-9!#$&^_.+-]+\/[a-z0-9!#$&^_.+-]+)/);
+  // Anchor both ends; allow optional RFC 7231 parameters after the type/subtype.
+  // Trailing garbage (e.g. `text/plain<script>` or `text/plain\ngarbage`) is
+  // rejected outright instead of silently truncated. Input is already
+  // lowercased by normalizeOptionalLowercaseString.
+  const match = trimmed.match(/^([a-z0-9!#$&^_.+-]+\/[a-z0-9!#$&^_.+-]+)(?:\s*;.*)?$/);
   return match?.[1];
 }
 
