corazawaf · M4tteoP · Dec 13, 2023 · Dec 15, 2023 · Dec 15, 2023 · Dec 18, 2023
@@ -5,16 +5,30 @@
 
 import (
 	"encoding/base64"
+	"strings"
 
 	stringsutil "github.com/corazawaf/coraza/v3/internal/strings"
 )
 
 // base64decode decodes a Base64-encoded string.
 func base64decode(data string) (string, bool, error) {
-	dec, err := base64.StdEncoding.DecodeString(data)
+	// RawStdEncoding.DecodeString accepts and requires an unpadded string as input
+	// https://stackoverflow.com/questions/31971614/base64-encode-decode-without-padding-on-golang-appengine
+	dataNoPadding := strings.TrimRight(data, "=")
+	dec, err := base64.RawStdEncoding.DecodeString(dataNoPadding)
 	if err != nil {
-		// Forgiving implementation, which ignores invalid characters
-		return data, false, nil
+		// If the error is of type CorruptInputError, we can get the position of the illegal character
+		// and perform a partial decoding up to that point
+		if corrErr, ok := err.(base64.CorruptInputError); ok {
+			illegalCharPos := int(corrErr)
+			// Forgiving call (no error check) to DecodeString. Decoding is performed truncating
+			// the input string to the first error index. If a new decoding error occurs,
+			// it will not be about an illegal character but a malformed encoding of the trailing
+			// character because of the truncation. The dec will still contain a best effort decoded string
+			dec, _ = base64.RawStdEncoding.DecodeString(dataNoPadding[:illegalCharPos])
+		} else {
+			return data, false, nil
+		}
 	}
 	return stringsutil.WrapUnsafe(dec), true, nil
 }
@@ -10,17 +10,86 @@ import (
 	"testing"
 )
 
-var b64DecodeTests = []string{
-	"VGVzdENhc2U=",
-	"P.HNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==",
-	"VGVzdABDYXNl",
+var b64DecodeTests = []struct {
+	name     string
+	input    string
+	expected string
+}{
+	{
+		name:     "Valid",
+		input:    "VGVzdENhc2U=",
+		expected: "TestCase",
+	},
+	{
+		name:     "Valid with \u0000",
+		input:    "VGVzdABDYXNl",
+		expected: "Test\x00Case",
+	},
+	{
+		name:     "Valid without padding",
+		input:    "VGVzdENhc2U",
+		expected: "TestCase",
+	},
+	{
+		name:     "Valid without longer padding",
+		input:    "PA==",
+		expected: "<",
+	},
+	{
+		name:     "valid <TEST>",
+		input:    "PFRFU1Q+",
+		expected: "<TEST>",
+	},
+	{
+		name:     "Malformed base64 encoding",
+		input:    "PHNjcmlwd",
+		expected: "<scrip",
+	},
+	{
+		name:     "decoded up to the space (invalid character)",
+		input:    "PFR FU1Q+",
+		expected: "<T",
+	},
+	{
+		name:     "decoded up to the dot (invalid caracter)",
+		input:    "P.HNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==",
+		expected: "", // Only the P character does not result in a printable character conversion.
+	},
+	{
+		name:     "decoded up to the dot (invalid character)",
+		input:    "PHNjcmlwd.D5hbGVydCgxKTwvc2NyaXB0Pg==",
+		expected: "<scrip",
+	},
+	{
+		name:     "decoded up to the dot (invalid character)",
+		input:    "PHNjcmlwdD.5hbGVydCgxKTwvc2NyaXB0Pg==",
+		expected: "<script",
+	},
+	{
+		name:     "decoded up to the dash (invalid character for base64.RawStdEncoding)",
+		input:    "PFRFU1Q-",
+		expected: "<TEST",
+	},
 }
 
+func TestBase64Decode(t *testing.T) {
+	for _, tt := range b64DecodeTests {
+		t.Run(tt.name, func(t *testing.T) {
+			actual, _, err := base64decode(tt.input)
+			if err != nil {
+				t.Errorf("Unexpected error: %v", err)
+			}
+			if actual != tt.expected {
+				t.Errorf("Expected %q, but got %q", tt.expected, actual)
+			}
+		})
+	}
+}
 func BenchmarkB64Decode(b *testing.B) {
 	for _, tt := range b64DecodeTests {
-		b.Run(tt, func(b *testing.B) {
+		b.Run(tt.input, func(b *testing.B) {
 			for i := 0; i < b.N; i++ {
-				_, _, err := base64decode(tt)
+				_, _, err := base64decode(tt.input)
 				if err != nil {
 					b.Error(err)
 				}
@@ -31,7 +100,7 @@ func BenchmarkB64Decode(b *testing.B) {
 
 func FuzzB64Decode(f *testing.F) {
 	for _, tc := range b64DecodeTests {
-		f.Add(tc)
+		f.Add(tc.input)
 	}
 	f.Fuzz(func(t *testing.T, tc string) {
 		data, _, err := base64decode(tc)