
Verify Input Sanitizer Safety for #service Payloads #354

@nuwangeek

Priority: P0 — Blocker; must be confirmed before any code changes
File: src/utils/input_sanitizer.py
Type: Investigation + unit test
The Pydantic model validator on OrchestrationRequest.message runs sanitize_message() at HTTP request parse time — before any handler code runs. If the sanitizer alters the #service, /POST/... string (e.g. collapses whitespace after the comma, or strips the #), the prefix detection logic in Task-03 will never match.
Work:

  1. Read strip_html_tags() implementation and confirm #, ,, / are not affected.
  2. Add a unit test: assert InputSanitizer.sanitize_message("#service, /POST/services/active/foo") == "#service, /POST/services/active/foo".
  3. If the sanitizer does alter it, add a passthrough rule for the #service prefix before stripping HTML.
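A round-trip check of the kind step 2 asks for, written here as an added example and not taken from the project's code. `strip_html_tags()` and `sanitize_message()` below are hypothetical stand-ins (a regex tag stripper followed by a trim), since the real `src/utils/input_sanitizer.py` is not shown in the issue; every payload other than the first is constructed.

```python
import re

# Hypothetical stand-in: the real sanitizer is not shown in the issue.
# Assumption: tags are removed with a "<...>" regex, then the text is trimmed.
_TAG_RE = re.compile(r"<[^>]*>")


def strip_html_tags(text: str) -> str:
    """Drop anything that looks like an HTML tag (assumed behaviour)."""
    return _TAG_RE.sub("", text)


def sanitize_message(text: str) -> str:
    """Assumed pipeline: strip tags, then trim surrounding whitespace."""
    return strip_html_tags(text).strip()


def altered_payloads(sanitizer, payloads):
    """Return (payload, sanitized) pairs for every payload the sanitizer changed."""
    changed = []
    for payload in payloads:
        cleaned = sanitizer(payload)
        if cleaned != payload:
            changed.append((payload, cleaned))
    return changed


# The first payload is the one quoted in the issue; the rest are constructed
# variants that exercise characters a sanitizer might touch.
PAYLOADS = [
    "#service, /POST/services/active/foo",
    "#service, /GET/services/active/foo?x=1&y=2",   # query string, '&'
    "#service,  /POST/services/active/foo",         # double space after comma
    "#service, /POST/services/<id>/activate",       # placeholder shaped like a tag
]

if __name__ == "__main__":
    for original, cleaned in altered_payloads(sanitize_message, PAYLOADS):
        print(f"ALTERED: {original!r} -> {cleaned!r}")
```

Pointing `altered_payloads()` at the real `InputSanitizer.sanitize_message` gives the list of payloads that would need the passthrough rule from step 3.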

Status: PR Raised