tighten transcript image redaction boundary

joshavant · joshavant · commit 8734194d23ea · 2026-06-08T20:24:30.000-05:00
diff --git a/packages/media-core/src/inline-image-data-url.test.ts b/packages/media-core/src/inline-image-data-url.test.ts
@@ -1,9 +1,22 @@
 // Media Core tests cover inline image data url behavior.
 import { describe, expect, it } from "vitest";
-import { sanitizeInlineImageDataUrl, sniffInlineImageMime } from "./inline-image-data-url.js";
+import {
+  sanitizeInlineImageBase64,
+  sanitizeInlineImageDataUrl,
+  sanitizeInlineImageDataUrlForStorage,
+  sniffInlineImageMime,
+} from "./inline-image-data-url.js";
 
 const PNG_1X1 =
   "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR4nGNgYAAAAAMAASsJTYQAAAAASUVORK5CYII=";
+const BMP_HEADER = Buffer.from("BMfixture", "ascii").toString("base64");
+const HEIC_HEADER = Buffer.from([
+  0x00, 0x00, 0x00, 0x18, 0x66, 0x74, 0x79, 0x70, 0x68, 0x65, 0x69, 0x63, 0x00, 0x00, 0x00, 0x00,
+  0x6d, 0x69, 0x66, 0x31,
+]).toString("base64");
+const HEIF_HEADER = Buffer.from([
+  0x00, 0x00, 0x00, 0x18, 0x66, 0x74, 0x79, 0x70, 0x6d, 0x69, 0x66, 0x31, 0x00, 0x00, 0x00, 0x00,
+]).toString("base64");
 
 describe("inline image data URL sanitizer", () => {
   it("keeps non-data image references unchanged", () => {
@@ -26,6 +39,46 @@ describe("inline image data URL sanitizer", () => {
     );
   });
 
+  it("rejects image data URLs for formats that require conversion before provider transport", () => {
+    expect(sanitizeInlineImageDataUrl(`data:image/bmp;base64,${BMP_HEADER}`)).toBeUndefined();
+    expect(sanitizeInlineImageDataUrl(`data:image/heic;base64,${HEIC_HEADER}`)).toBeUndefined();
+    expect(sanitizeInlineImageDataUrl(`data:image/heif;base64,${HEIF_HEADER}`)).toBeUndefined();
+  });
+
+  it("canonicalizes valid image data URLs for storage without transport allowlist filtering", () => {
+    expect(sanitizeInlineImageDataUrlForStorage(`data:image/bmp;base64,${BMP_HEADER}`)).toBe(
+      `data:image/bmp;base64,${BMP_HEADER}`,
+    );
+    expect(sanitizeInlineImageDataUrlForStorage(`data:image/heic;base64,${HEIC_HEADER}`)).toBe(
+      `data:image/heic;base64,${HEIC_HEADER}`,
+    );
+  });
+
+  it("canonicalizes valid image base64 with sniffed MIME type", () => {
+    expect(sanitizeInlineImageBase64({ mimeType: "image/jpeg", base64: `\n${PNG_1X1}` })).toEqual({
+      mimeType: "image/png",
+      base64: PNG_1X1,
+    });
+    expect(
+      sanitizeInlineImageBase64({ mimeType: "image/png", base64: "SGVsbG8=" }),
+    ).toBeUndefined();
+  });
+
+  it("accepts supported non-browser image signatures", () => {
+    expect(sanitizeInlineImageBase64({ mimeType: "image/bmp", base64: BMP_HEADER })).toEqual({
+      mimeType: "image/bmp",
+      base64: BMP_HEADER,
+    });
+    expect(sanitizeInlineImageBase64({ mimeType: "image/heic", base64: HEIC_HEADER })).toEqual({
+      mimeType: "image/heic",
+      base64: HEIC_HEADER,
+    });
+    expect(sanitizeInlineImageBase64({ mimeType: "image/heif", base64: HEIF_HEADER })).toEqual({
+      mimeType: "image/heif",
+      base64: HEIF_HEADER,
+    });
+  });
+
   it("sniffs supported inline image signatures", () => {
     expect(sniffInlineImageMime(Buffer.from("GIF89a", "ascii"))).toBe("image/gif");
     expect(sniffInlineImageMime(Buffer.from([0xff, 0xd8, 0xff]))).toBe("image/jpeg");
diff --git a/packages/media-core/src/inline-image-data-url.ts b/packages/media-core/src/inline-image-data-url.ts
@@ -40,18 +40,80 @@ const IMAGE_SIGNATURES: Array<{
       (buffer.subarray(0, 6).toString("ascii") === "GIF87a" ||
         buffer.subarray(0, 6).toString("ascii") === "GIF89a"),
   },
+  {
+    mime: "image/bmp",
+    matches: (buffer) => buffer.length >= 2 && buffer[0] === 0x42 && buffer[1] === 0x4d,
+  },
 ];
 
+const HEIC_BRANDS = new Set(["heic", "heix", "hevc", "hevx", "heis", "heim", "hevm", "hevs"]);
+const HEIF_BRANDS = new Set(["mif1", "msf1"]);
+const IMAGE_SIGNATURE_PREFIX_BASE64_CHARS = 128;
+const INLINE_IMAGE_DATA_URL_MIMES = new Set(["image/png", "image/jpeg", "image/webp", "image/gif"]);
+
 function startsWithDataUrl(value: string): boolean {
   return (
     value.slice(0, INLINE_IMAGE_DATA_URL_PREFIX.length).toLowerCase() ===
     INLINE_IMAGE_DATA_URL_PREFIX
   );
 }
 
+function sniffIsoBmffImageMime(buffer: Buffer): string | undefined {
+  if (buffer.length < 12 || buffer.subarray(4, 8).toString("ascii") !== "ftyp") {
+    return undefined;
+  }
+  const brands = [buffer.subarray(8, 12).toString("ascii")];
+  for (let offset = 16; offset + 4 <= buffer.length; offset += 4) {
+    brands.push(buffer.subarray(offset, offset + 4).toString("ascii"));
+  }
+  if (brands.some((brand) => HEIC_BRANDS.has(brand))) {
+    return "image/heic";
+  }
+  if (brands.some((brand) => HEIF_BRANDS.has(brand))) {
+    return "image/heif";
+  }
+  return undefined;
+}
+
 /** Sniffs supported inline image formats from decoded bytes. */
 export function sniffInlineImageMime(buffer: Buffer): string | undefined {
-  return IMAGE_SIGNATURES.find((signature) => signature.matches(buffer))?.mime;
+  return (
+    IMAGE_SIGNATURES.find((signature) => signature.matches(buffer))?.mime ??
+    sniffIsoBmffImageMime(buffer)
+  );
+}
+
+function isImageMimeType(value: string): boolean {
+  return value.trim().toLowerCase().startsWith("image/");
+}
+
+export type SanitizedInlineImageBase64 = {
+  mimeType: string;
+  base64: string;
+};
+
+/** Canonicalizes trusted inline image base64 and rejects malformed or non-image payloads. */
+export function sanitizeInlineImageBase64(params: {
+  mimeType: string;
+  base64: string;
+}): SanitizedInlineImageBase64 | undefined {
+  if (!isImageMimeType(params.mimeType)) {
+    return undefined;
+  }
+  const canonicalPayload = canonicalizeBase64(params.base64);
+  if (!canonicalPayload) {
+    return undefined;
+  }
+  const sniffedMimeType = sniffInlineImageMime(
+    Buffer.from(canonicalPayload.slice(0, IMAGE_SIGNATURE_PREFIX_BASE64_CHARS), "base64"),
+  );
+  if (!sniffedMimeType) {
+    return undefined;
+  }
+  return {
+    mimeType: sniffedMimeType,
+    base64: canonicalPayload,
+  };
 }
 
 function parseInlineImageDataUrl(value: string):
@@ -78,12 +140,17 @@ function parseInlineImageDataUrl(value: string):
 
 function metadataAllowsImageBase64(metadata: string[]): boolean {
   const [mimeType, ...options] = metadata;
-  const isImageMimeType = mimeType !== undefined && mimeType.toLowerCase().startsWith("image/");
-  return isImageMimeType && options.some((part) => part.toLowerCase() === "base64");
+  return (
+    mimeType !== undefined &&
+    isImageMimeType(mimeType) &&
+    options.some((part) => part.toLowerCase() === "base64")
+  );
 }
 
-/** Canonicalizes trusted inline image data URLs and rejects malformed or non-image payloads. */
-export function sanitizeInlineImageDataUrl(imageUrl: string): string | undefined {
+function sanitizeInlineImageDataUrlWithAllowedMimes(
+  imageUrl: string,
+  allowedMimes?: Set<string>,
+): string | undefined {
   const parsed = parseInlineImageDataUrl(imageUrl);
   if (!parsed) {
     return undefined;
@@ -95,14 +162,30 @@ export function sanitizeInlineImageDataUrl(imageUrl: string): string | undefined
     return undefined;
   }
 
-  const canonicalPayload = canonicalizeBase64(parsed.payload);
-  if (!canonicalPayload) {
+  const [mimeType] = parsed.metadata;
+  const sanitized = sanitizeInlineImageBase64({
+    mimeType: mimeType ?? "",
+    base64: parsed.payload,
+  });
+  if (!sanitized) {
     return undefined;
   }
-  const sniffedMimeType = sniffInlineImageMime(Buffer.from(canonicalPayload, "base64"));
-  if (!sniffedMimeType) {
+  if (allowedMimes && !allowedMimes.has(sanitized.mimeType)) {
     return undefined;
   }
   // Trust the byte signature over caller-supplied metadata before reinlining.
-  return `data:${sniffedMimeType};base64,${canonicalPayload}`;
+  return `data:${sanitized.mimeType};base64,${sanitized.base64}`;
+}
+
+/**
+ * Canonicalizes trusted inline image data URLs for persistence.
+ * Accepts every image signature supported by `sanitizeInlineImageBase64`.
+ */
+export function sanitizeInlineImageDataUrlForStorage(imageUrl: string): string | undefined {
+  return sanitizeInlineImageDataUrlWithAllowedMimes(imageUrl);
+}
+
+/** Canonicalizes provider-safe inline image data URLs and rejects unsupported formats. */
+export function sanitizeInlineImageDataUrl(imageUrl: string): string | undefined {
+  return sanitizeInlineImageDataUrlWithAllowedMimes(imageUrl, INLINE_IMAGE_DATA_URL_MIMES);
 }
diff --git a/src/agents/responses-image-payload-sanitizer.test.ts b/src/agents/responses-image-payload-sanitizer.test.ts
@@ -5,6 +5,9 @@ import { sanitizeResponsesImagePayload } from "./responses-image-payload-sanitiz
 const PNG_1X1 =
   // Valid JPEG-labeled data is sniffed as PNG and normalized to the real MIME type.
   "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR4nGNgYAAAAAMAASsJTYQAAAAASUVORK5CYII=";
+const HEIC_HEADER = Buffer.from([
+  0x00, 0x00, 0x00, 0x18, 0x66, 0x74, 0x79, 0x70, 0x68, 0x65, 0x69, 0x63, 0x00, 0x00, 0x00, 0x00,
+]).toString("base64");
 
 describe("Responses image payload sanitizer", () => {
   it("replaces malformed input_image data URLs before sending Responses payloads", () => {
@@ -57,4 +60,29 @@ describe("Responses image payload sanitizer", () => {
       },
     ]);
   });
+
+  it("replaces HEIC inline image data URLs before Responses transport", () => {
+    const sanitized = sanitizeResponsesImagePayload({
+      input: [
+        {
+          type: "message",
+          role: "user",
+          content: [{ type: "input_image", image_url: `data:image/heic;base64,${HEIC_HEADER}` }],
+        },
+      ],
+    });
+
+    expect(sanitized.input).toEqual([
+      {
+        type: "message",
+        role: "user",
+        content: [
+          {
+            type: "input_text",
+            text: "[omitted image payload: invalid inline image data]",
+          },
+        ],
+      },
+    ]);
+  });
 });
diff --git a/src/agents/session-file-repair.test.ts b/src/agents/session-file-repair.test.ts
@@ -56,6 +56,10 @@ function requireFirstLogMessage(log: ReturnType<typeof vi.fn>): string {
   return message;
 }
 
+const PNG_1X1 =
+  "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR4nGNgYAAAAAMAASsJTYQAAAAASUVORK5CYII=";
+const BMP_HEADER = Buffer.from("BMfixture", "ascii").toString("base64");
+
 afterEach(async () => {
   vi.restoreAllMocks();
   await Promise.all(tempDirs.splice(0).map((dir) => fs.rm(dir, { recursive: true, force: true })));
@@ -290,7 +294,7 @@ describe("repairSessionFileIfNeeded", () => {
         role: "user",
         content: [
           { type: "text", text: "   " },
-          { type: "image", data: "AA==", mimeType: "image/png" },
+          { type: "image", data: PNG_1X1, mimeType: "image/png" },
         ],
       },
     };
@@ -304,7 +308,7 @@ describe("repairSessionFileIfNeeded", () => {
     const repaired = await fs.readFile(file, "utf-8");
     const repairedEntry = JSON.parse(repaired.trim().split("\n")[1] ?? "{}");
     expect(repairedEntry.message.content).toEqual([
-      { type: "image", data: "AA==", mimeType: "image/png" },
+      { type: "image", data: PNG_1X1, mimeType: "image/png" },
     ]);
   });
 
@@ -353,7 +357,7 @@ describe("repairSessionFileIfNeeded", () => {
         role: "user",
         content: [
           { type: "text", text: "inspect this" },
-          { type: "image", data: "AA==", mimeType: "image/png" },
+          { type: "image", data: PNG_1X1, mimeType: "image/png" },
         ],
       },
     };
@@ -367,6 +371,63 @@ describe("repairSessionFileIfNeeded", () => {
     expect(repaired).toBe(original);
   });
 
+  it("preserves valid non-browser image blocks during repair", async () => {
+    const { file } = await createTempSessionPath();
+    const { header } = buildSessionHeaderAndMessage();
+    const validUserEntry = {
+      type: "message",
+      id: "msg-valid-bmp",
+      parentId: null,
+      timestamp: new Date().toISOString(),
+      message: {
+        role: "user",
+        content: [
+          { type: "text", text: "inspect this" },
+          { type: "image", data: BMP_HEADER, mimeType: "image/bmp" },
+        ],
+      },
+    };
+    const original = `${JSON.stringify(header)}\n${JSON.stringify(validUserEntry)}\n`;
+    await fs.writeFile(file, original, "utf-8");
+
+    const result = await repairSessionFileIfNeeded({ sessionFile: file });
+
+    expect(result.repaired).toBe(false);
+    const repaired = await fs.readFile(file, "utf-8");
+    expect(repaired).toBe(original);
+  });
+
+  it("rewrites syntactically valid base64 that is not image bytes", async () => {
+    const { file } = await createTempSessionPath();
+    const { header } = buildSessionHeaderAndMessage();
+    const fakeImageUserEntry = {
+      type: "message",
+      id: "msg-fake-image",
+      parentId: null,
+      timestamp: new Date().toISOString(),
+      message: {
+        role: "user",
+        content: [
+          { type: "text", text: "inspect this" },
+          { type: "image", data: "SGVsbG8=", mimeType: "image/png" },
+        ],
+      },
+    };
+    const original = `${JSON.stringify(header)}\n${JSON.stringify(fakeImageUserEntry)}\n`;
+    await fs.writeFile(file, original, "utf-8");
+
+    const result = await repairSessionFileIfNeeded({ sessionFile: file });
+
+    expect(result.repaired).toBe(true);
+    expect(result.removedCorruptedImageBlocks).toBe(1);
+    const repaired = await fs.readFile(file, "utf-8");
+    const repairedEntry = JSON.parse(repaired.trim().split("\n")[1] ?? "{}");
+    expect(repairedEntry.message.content).toEqual([
+      { type: "text", text: "inspect this" },
+      { type: "text", text: CORRUPTED_IMAGE_FALLBACK_TEXT },
+    ]);
+  });
+
   it("reports both drops and rewrites in the debug message when both occur", async () => {
     const { file } = await createTempSessionPath();
     const { header } = buildSessionHeaderAndMessage();
diff --git a/src/agents/session-file-repair.ts b/src/agents/session-file-repair.ts
@@ -6,7 +6,7 @@
 import { randomUUID } from "node:crypto";
 import fs from "node:fs/promises";
 import path from "node:path";
-import { canonicalizeBase64 } from "@openclaw/media-core/base64";
+import { sanitizeInlineImageBase64 } from "@openclaw/media-core/inline-image-data-url";
 import { replaceFileAtomic } from "../infra/replace-file.js";
 import type { AgentMessage } from "./runtime/index.js";
 import { makeMissingToolResult } from "./session-transcript-repair.js";
@@ -127,14 +127,19 @@ function isCorruptedImageContentBlock(block: unknown): boolean {
     data?: unknown;
     mimeType?: unknown;
     mediaType?: unknown;
+    media_type?: unknown;
   };
   if (record.type !== "image" || typeof record.data !== "string") {
     return false;
   }
-  if (!isImageMimeType(record.mimeType) && !isImageMimeType(record.mediaType)) {
+  const mimeType = [record.mimeType, record.mediaType, record.media_type].find(isImageMimeType);
+  if (!mimeType) {
     return false;
   }
-  return containsNonAscii(record.data) || canonicalizeBase64(record.data) === undefined;
+  return (
+    containsNonAscii(record.data) ||
+    sanitizeInlineImageBase64({ base64: record.data, mimeType }) === undefined
+  );
 }
 
 function repairEntryWithCorruptedImageBlocks(entry: SessionMessageEntry): {
diff --git a/src/agents/transcript-redact.test.ts b/src/agents/transcript-redact.test.ts
diff --git a/src/agents/transcript-redact.ts b/src/agents/transcript-redact.ts
