From 4769a281cc97b70d07fbe46b3a494bc77ebb93d9 Mon Sep 17 00:00:00 2001
From: Otto <otto@agpt.co>
Date: Wed, 4 Feb 2026 22:58:59 +0000
Subject: [PATCH] fix: Use strict base64 validation to prevent corrupted saves

Addresses CodeRabbit review feedback:
- Add padding normalization before decoding
- Use validate=True to reject invalid characters instead of silently discarding

This prevents corrupted data from being saved to workspace.
---
 .../api/features/chat/tools/binary_output_processor.py        | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/autogpt_platform/backend/backend/api/features/chat/tools/binary_output_processor.py b/autogpt_platform/backend/backend/api/features/chat/tools/binary_output_processor.py
index 4b7a315bf4..a549338766 100644
--- a/autogpt_platform/backend/backend/api/features/chat/tools/binary_output_processor.py
+++ b/autogpt_platform/backend/backend/api/features/chat/tools/binary_output_processor.py
@@ -114,6 +114,8 @@ def _decode_base64(value: str) -> bytes | None:
     try:
         if value.startswith("data:"):
             value = value.split(",", 1)[1] if "," in value else value
-        return base64.b64decode(value)
+        # Normalize padding and use strict validation to prevent corrupted data
+        padded = value + "=" * (-len(value) % 4)
+        return base64.b64decode(padded, validate=True)
     except (binascii.Error, ValueError):
         return None