fix(mem): simplify

Author: bgagent

agent/src/sanitization.py

@@ -28,6 +28,19 @@
 _MISPLACED_BOM = re.compile(r"(?!^)\ufeff")
 
 
+def _strip_until_stable(s: str, pattern: re.Pattern[str]) -> str:
+    """Apply *pattern* repeatedly until the string stops changing.
+
+    A single pass can be bypassed by nesting fragments
+    (e.g. "<scrip<script></script>t>" reassembles after inner tag removal).
+    """
+    while True:
+        prev = s
+        s = pattern.sub("", s)
+        if s == prev:
+            return s
+
+
 def sanitize_external_content(text: str | None) -> str:
     """Sanitize external content before it enters the agent's context.
 
@@ -37,8 +50,8 @@ def sanitize_external_content(text: str | None) -> str:
     """
     if not text:
         return text or ""
-    s = _DANGEROUS_TAGS.sub("", text)
-    s = _HTML_TAGS.sub("", s)
+    s = _strip_until_stable(text, _DANGEROUS_TAGS)
+    s = _strip_until_stable(s, _HTML_TAGS)
     s = _INSTRUCTION_PREFIXES.sub(r"[SANITIZED_PREFIX] \1:", s)
     s = _INJECTION_PHRASES.sub("[SANITIZED_INSTRUCTION]", s)
     s = _CONTROL_CHARS.sub("", s)

agent/tests/test_prompts.py

@@ -144,6 +144,17 @@ def test_self_closing_dangerous_tags(self):
         assert sanitize_memory_content("a<script/>b") == "ab"
         assert sanitize_memory_content("a<iframe/>b") == "ab"
 
+    def test_nested_fragment_bypass(self):
+        # Fragments that reassemble into a dangerous tag after inner tag removal
+        assert sanitize_memory_content("<scrip<script></script>t>alert(1)</script>") == ""
+        assert sanitize_memory_content("<ifra<iframe></iframe>me src=x>") == ""
+        # Double-nested — outermost <sc prefix survives (not a valid tag)
+        assert sanitize_memory_content("<sc<scr<script></script>ipt>ript>xss</script>") == "<sc"
+
+    def test_nested_fragment_bypass_html_tags(self):
+        # Regex greedily matches <di<b> as one tag, so <div> never reassembles
+        assert sanitize_memory_content("<di<b></b>v>text</div>") == "v>text"
+
     def test_preserves_tabs_and_newlines(self):
         result = sanitize_memory_content("hello\tworld\nfoo")
         assert result == "hello\tworld\nfoo"

cdk/src/handlers/shared/sanitization.ts

@@ -40,6 +40,21 @@ const CONTROL_CHARS = /[\x00-\x08\x0B\x0C\x0E-\x1F]/g;
 const BIDI_CHARS = /[\u200E\u200F\u202A-\u202E\u2066-\u2069]/g;
 const MISPLACED_BOM = /(?!^)\uFEFF/g;
 
+/**
+ * Apply a regex replacement repeatedly until the string stops changing.
+ *
+ * A single pass can be bypassed by nesting fragments
+ * (e.g. "<scrip<script></script>t>" reassembles after inner tag removal).
+ */
+function stripUntilStable(s: string, pattern: RegExp): string {
+  let prev;
+  do {
+    prev = s;
+    s = s.replace(pattern, '');
+  } while (s !== prev);
+  return s;
+}
+
 /**
  * Sanitize external content before it enters the agent's context.
  *
@@ -53,13 +68,11 @@ const MISPLACED_BOM = /(?!^)\uFEFF/g;
 export function sanitizeExternalContent(text: string): string {
   if (!text) return text || '';
 
-  let sanitized = text;
-
   // 1. Strip dangerous HTML tags with their content
-  sanitized = sanitized.replace(DANGEROUS_TAGS, '');
+  let sanitized = stripUntilStable(text, DANGEROUS_TAGS);
 
   // 2. Strip remaining HTML tags (preserve inner text)
-  sanitized = sanitized.replace(HTML_TAGS, '');
+  sanitized = stripUntilStable(sanitized, HTML_TAGS);
 
   // 3. Neutralize embedded instruction patterns
   sanitized = sanitized.replace(INSTRUCTION_PREFIXES, '[SANITIZED_PREFIX] $1:');

cdk/test/handlers/shared/sanitization.test.ts

@@ -52,6 +52,19 @@ describe('sanitizeExternalContent', () => {
     expect(result).toContain('safe');
   });
 
+  test('strips nested fragment bypass (CodeQL incomplete multi-char sanitization)', () => {
+    // Fragments that reassemble into a dangerous tag after inner tag removal
+    expect(sanitizeExternalContent('<scrip<script></script>t>alert(1)</script>')).toBe('');
+    expect(sanitizeExternalContent('<ifra<iframe></iframe>me src=x>')).toBe('');
+    // Double-nested — outermost <sc prefix survives (not a valid tag)
+    expect(sanitizeExternalContent('<sc<scr<script></script>ipt>ript>xss</script>')).toBe('<sc');
+  });
+
+  test('strips nested fragment bypass for HTML tags', () => {
+    // Regex greedily matches <di<b> as one tag, so <div> never reassembles
+    expect(sanitizeExternalContent('<di<b></b>v>text</div>')).toBe('v>text');
+  });
+
   test('strips unclosed dangerous tags', () => {
     const input = 'before<script>alert("xss")after';
     const result = sanitizeExternalContent(input);