fix(pydantic-ai): Fix DATA_URL_BASE64_REGEX to match complex MIME types

ericapisani · claude · ericapisani · commit 2f01be898142 · 2026-03-10T13:47:43.000-04:00
The regex used to detect and redact base64 data URLs only allowed
alphabetic characters in MIME types, causing it to fail for types like
`image/svg+xml`, `application/vnd.ms-excel`, or `font/woff2`.

When the match failed, the full raw data URL (including base64 content)
was passed through to Sentry instead of being redacted with
BLOB_DATA_SUBSTITUTE, resulting in unintended data leakage.

Expand the MIME type character class to include digits, `.`, `+`, and
`-` to match all common MIME types per RFC 2045.

Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;
diff --git a/sentry_sdk/integrations/pydantic_ai/consts.py b/sentry_sdk/integrations/pydantic_ai/consts.py
@@ -5,5 +5,5 @@
 # Matches data URLs with base64-encoded content, e.g. "data:image/png;base64,iVBORw0K..."
 # Group 1: MIME type (e.g. "image/png"), Group 2: base64 data
 DATA_URL_BASE64_REGEX = re.compile(
-    r"^data:([a-zA-Z]+/[a-zA-Z]+);base64,([A-Za-z0-9+/\-_]+={0,2})$"
+    r"^data:([a-zA-Z0-9][a-zA-Z0-9.+\-]*/[a-zA-Z0-9][a-zA-Z0-9.+\-]*);base64,([A-Za-z0-9+/\-_]+={0,2})$"
 )
diff --git a/tests/integrations/pydantic_ai/test_pydantic_ai.py b/tests/integrations/pydantic_ai/test_pydantic_ai.py
@@ -2956,6 +2956,37 @@ def test_image_url_http_url_with_base64_data_in_query_param_is_not_redacted_no_m
     assert found_image, "Image content item should be found in messages data"
 
 
+def test_image_url_redacts_base64_data_url_with_complex_mime_type(
+    sentry_init, capture_events
+):
+    """Test that ImageUrl with a data URL using a complex MIME type (e.g. image/svg+xml) is redacted."""
+    sentry_init(
+        integrations=[PydanticAIIntegration()],
+        traces_sample_rate=1.0,
+        send_default_pii=True,
+    )
+
+    events = capture_events()
+
+    with sentry_sdk.start_transaction(op="test", name="test"):
+        span = sentry_sdk.start_span(op="test_span")
+        image_url = ImageUrl(
+            url="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciLz4="
+        )
+        user_part = UserPromptPart(content=["Look at this image:", image_url])
+        mock_msg = MagicMock()
+        mock_msg.parts = [user_part]
+        mock_msg.instructions = None
+
+        _set_input_messages(span, [mock_msg])
+        span.finish()
+
+    (event,) = events
+    span_data = event["spans"][0]["data"]
+    messages_data = _get_messages_from_span(span_data)
+    assert _find_image_content(messages_data, "image/svg+xml")
+
+
 @pytest.mark.asyncio
 async def test_invoke_agent_image_url_http_url_no_redaction(
     sentry_init, capture_events

Original file line number	Diff line number	Diff line change
`@@ -5,5 +5,5 @@`
`5`	`5`	`# Matches data URLs with base64-encoded content, e.g. "data:image/png;base64,iVBORw0K..."`
`6`	`6`	`# Group 1: MIME type (e.g. "image/png"), Group 2: base64 data`
`7`	`7`	`DATA_URL_BASE64_REGEX = re.compile(`
`8`		`- r"^data:([a-zA-Z]+/[a-zA-Z]+);base64,([A-Za-z0-9+/\-_]+={0,2})$"`
	`8`	`+ r"^data:([a-zA-Z0-9][a-zA-Z0-9.+\-]/[a-zA-Z0-9][a-zA-Z0-9.+\-]);base64,([A-Za-z0-9+/\-_]+={0,2})$"`
`9`	`9`	`)`