fix(media): remove <=1MB fallback and fix sanitize_slack_filename & escape

howie · claude · howie · commit b6be19465abd · 2026-05-18T16:28:53.000+08:00
Address two blocking review findings from PR #793: 1. Remove the <=1MB raw-byte fallback in download_and_encode_image. validate_image_response only sniffs magic bytes; resize_and_compress does the full decode. The fallback forwarded raw bytes under Slack's claimed MIME when resize failed on a corrupt/truncated body, reopening the same JSONL poisoning class as #776. Now always returns ProcessingFailed on resize failure. 2. Add & -> &amp; escape to sanitize_slack_filename before < and > replacements. Slack mrkdwn decodes HTML entities before markup parsing, so &lt;@here&gt; would bypass the angle-bracket replacement and render as a mention ping. Add regression tests for both fixes. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/src/media.rs b/src/media.rs
@@ -272,18 +272,13 @@ pub async fn download_and_encode_image(
     let (output_bytes, output_mime) = match resize_and_compress(&bytes) {
         Ok(result) => result,
         Err(e) => {
-            if bytes.len() <= 1024 * 1024 {
-                debug!(filename, error = %e, "resize failed, using validated original");
-                (bytes.to_vec(), mime.to_string())
-            } else {
-                error!(
-                    filename,
-                    error = %e,
-                    size = bytes.len(),
-                    "resize failed after successful validation"
-                );
-                return Err(MediaFetchError::ProcessingFailed(e));
-            }
+            error!(
+                filename,
+                error = %e,
+                size = bytes.len(),
+                "resize failed after successful validation"
+            );
+            return Err(MediaFetchError::ProcessingFailed(e));
         }
     };
 
@@ -756,6 +751,26 @@ mod tests {
         ));
     }
 
+    #[test]
+    fn truncated_png_body_must_not_produce_content_block() {
+        // Valid PNG magic bytes (8 bytes) + partial IHDR -- body is too short to decode.
+        // Previously: the <=1MB fallback in download_and_encode_image forwarded raw bytes
+        // after resize_and_compress failed, reproducing the #776 poisoning class.
+        // After removing the fallback, resize_and_compress failure must propagate as Err.
+        let mut truncated = vec![0x89u8, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a];
+        truncated.extend_from_slice(&[0x00, 0x00, 0x00, 0x0d, 0x49, 0x48, 0x44, 0x52]);
+        // validate_image_response passes (magic bytes match PNG) -- the fallback was the bug.
+        assert!(
+            validate_image_response(Some("image/png"), &truncated).is_ok(),
+            "magic-byte check still passes for truncated body"
+        );
+        // resize_and_compress catches the truncated body at full-decode time.
+        assert!(
+            resize_and_compress(&truncated).is_err(),
+            "truncated PNG must fail at decode -- no raw-byte fallback allowed"
+        );
+    }
+
     #[test]
     fn media_fetch_error_display_renders() {
         let _ = MediaFetchError::NotAnImage.to_string();
diff --git a/src/slack.rs b/src/slack.rs
@@ -1236,7 +1236,7 @@ fn strip_mime_params(mimetype: &str) -> &str {
 /// Without sanitization, a user-controlled filename such as `<!here>` or
 /// `` `<@U123>` `` would be rendered as a Slack mention or @-here ping.
 pub(crate) fn sanitize_slack_filename(s: &str) -> String {
-    s.replace('`', "'").replace('<', "(").replace('>', ")")
+    s.replace('&', "&amp;").replace('`', "'").replace('<', "(").replace('>', ")")
 }
 
 /// True only when a Slack non-bot event represents a real user message
@@ -1435,6 +1435,16 @@ mod tests {
         );
     }
 
+    #[test]
+    fn sanitize_escapes_ampersand_before_angle_brackets() {
+        // Slack mrkdwn decodes HTML entities before markup parsing.
+        // "&lt;@here&gt;" would round-trip back to "<@here>" and trigger a mention
+        // ping if & is not escaped. The & must be escaped first so downstream
+        // Slack entity decoding cannot reconstruct a mrkdwn delimiter.
+        assert_eq!(sanitize_slack_filename("&lt;@here&gt;"), "&amp;lt;@here&amp;gt;");
+        assert_eq!(sanitize_slack_filename("file&name.png"), "file&amp;name.png");
+    }
+
     // --- strip_mime_params tests ---
 
     /// MIME with charset parameter strips to bare media type.
