@juspay/neurolink 8.20.0 → 8.20.1

package/CHANGELOG.md

@@ -1,3 +1,9 @@
+## [8.20.1](https://github.com/juspay/neurolink/compare/v8.20.0...v8.20.1) (2025-12-22)
+
+### Bug Fixes
+
+- **(Validation):** implement secure base64 validation with fail-fast checks ([f1b9b9c](https://github.com/juspay/neurolink/commit/f1b9b9c105db38ce439a5e69ff343b77b12be174)), closes [#277](https://github.com/juspay/neurolink/issues/277)
+
 ## [8.20.0](https://github.com/juspay/neurolink/compare/v8.19.1...v8.20.0) (2025-12-22)
 
 ### Features

package/dist/lib/utils/imageProcessor.d.ts

@@ -157,6 +157,7 @@ export declare const imageUtils: {
     createDataUri: (base64: string, mimeType?: string) => string;
     /**
      * Validate base64 string format
+     * Validates format BEFORE buffer allocation to prevent memory exhaustion
      */
     isValidBase64: (str: string) => boolean;
     /**

package/dist/lib/utils/imageProcessor.js

@@ -622,12 +622,40 @@ export const imageUtils = {
     },
     /**
      * Validate base64 string format
+     * Validates format BEFORE buffer allocation to prevent memory exhaustion
      */
     isValidBase64: (str) => {
         try {
             // Remove data URI prefix if present
             const cleanBase64 = str.includes(",") ? str.split(",")[1] : str;
-            // Check if it's valid base64
+            // Empty string check
+            if (!cleanBase64 || cleanBase64.length === 0) {
+                return false;
+            }
+            // 1. Validate character set FIRST (A-Z, a-z, 0-9, +, /, =)
+            // This prevents memory allocation for invalid input like "hello world"
+            const base64Regex = /^[A-Za-z0-9+/]*={0,2}$/;
+            if (!base64Regex.test(cleanBase64)) {
+                return false;
+            }
+            // 2. Check length is multiple of 4
+            if (cleanBase64.length % 4 !== 0) {
+                return false;
+            }
+            // 3. Validate padding position (max 2 equals at end only)
+            const paddingIndex = cleanBase64.indexOf("=");
+            if (paddingIndex !== -1) {
+                // Padding must be at the end
+                if (paddingIndex < cleanBase64.length - 2) {
+                    return false;
+                }
+                // No characters after padding
+                const afterPadding = cleanBase64.slice(paddingIndex);
+                if (!/^=+$/.test(afterPadding)) {
+                    return false;
+                }
+            }
+            // 4. ONLY NOW decode if format is valid
             const decoded = Buffer.from(cleanBase64, "base64");
             const reencoded = decoded.toString("base64");
             // Remove padding for comparison (base64 can have different padding)

package/dist/utils/imageProcessor.d.ts

@@ -157,6 +157,7 @@ export declare const imageUtils: {
     createDataUri: (base64: string, mimeType?: string) => string;
     /**
      * Validate base64 string format
+     * Validates format BEFORE buffer allocation to prevent memory exhaustion
      */
     isValidBase64: (str: string) => boolean;
     /**

package/dist/utils/imageProcessor.js

@@ -622,12 +622,40 @@ export const imageUtils = {
     },
     /**
      * Validate base64 string format
+     * Validates format BEFORE buffer allocation to prevent memory exhaustion
      */
     isValidBase64: (str) => {
         try {
             // Remove data URI prefix if present
             const cleanBase64 = str.includes(",") ? str.split(",")[1] : str;
-            // Check if it's valid base64
+            // Empty string check
+            if (!cleanBase64 || cleanBase64.length === 0) {
+                return false;
+            }
+            // 1. Validate character set FIRST (A-Z, a-z, 0-9, +, /, =)
+            // This prevents memory allocation for invalid input like "hello world"
+            const base64Regex = /^[A-Za-z0-9+/]*={0,2}$/;
+            if (!base64Regex.test(cleanBase64)) {
+                return false;
+            }
+            // 2. Check length is multiple of 4
+            if (cleanBase64.length % 4 !== 0) {
+                return false;
+            }
+            // 3. Validate padding position (max 2 equals at end only)
+            const paddingIndex = cleanBase64.indexOf("=");
+            if (paddingIndex !== -1) {
+                // Padding must be at the end
+                if (paddingIndex < cleanBase64.length - 2) {
+                    return false;
+                }
+                // No characters after padding
+                const afterPadding = cleanBase64.slice(paddingIndex);
+                if (!/^=+$/.test(afterPadding)) {
+                    return false;
+                }
+            }
+            // 4. ONLY NOW decode if format is valid
             const decoded = Buffer.from(cleanBase64, "base64");
             const reencoded = decoded.toString("base64");
             // Remove padding for comparison (base64 can have different padding)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@juspay/neurolink",
-  "version": "8.20.0",
+  "version": "8.20.1",
   "description": "Universal AI Development Platform with working MCP integration, multi-provider support, and professional CLI. Built-in tools operational, 58+ external MCP servers discoverable. Connect to filesystem, GitHub, database operations, and more. Build, test, and deploy AI applications with 9 major providers: OpenAI, Anthropic, Google AI, AWS Bedrock, Azure, Hugging Face, Ollama, and Mistral AI.",
   "author": {
     "name": "Juspay Technologies",