fix: data transformer should handle more edge cases with more tests

Author: MmagdyHafezZ

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": null,
     "lines": null
   },
-  "generated_at": "2025-10-28T23:54:36Z",
+  "generated_at": "2025-10-30T18:42:05Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -245,21 +245,21 @@
       {
         "hashed_secret": "6eff76dbb551ea7769517f3a7188862f85a7354e",
         "is_verified": false,
-        "line_number": 69,
+        "line_number": 79,
         "type": "Base64 High Entropy String",
         "verified_result": null
       },
       {
         "hashed_secret": "4f043b03a11e8b760986f07490ee76f48c6c7342",
         "is_verified": false,
-        "line_number": 71,
+        "line_number": 81,
         "type": "Base64 High Entropy String",
         "verified_result": null
       },
       {
         "hashed_secret": "618eb19f52dfe817f292f54554346cad3e3a88b3",
         "is_verified": false,
-        "line_number": 71,
+        "line_number": 81,
         "type": "Base64 High Entropy String",
         "verified_result": null
       }
@@ -268,7 +268,116 @@
       {
         "hashed_secret": "6eff76dbb551ea7769517f3a7188862f85a7354e",
         "is_verified": false,
-        "line_number": 236,
+        "line_number": 234,
+        "type": "Base64 High Entropy String",
+        "verified_result": null
+      }
+    ],
+    "apps/web/app/Helpers/data-transformer.edge-cases.test.ts": [
+      {
+        "hashed_secret": "9716c4510d038dc8f853fc40dc96f8a2a87bb51c",
+        "is_verified": false,
+        "line_number": 162,
+        "type": "Base64 High Entropy String",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "4f043b03a11e8b760986f07490ee76f48c6c7342",
+        "is_verified": false,
+        "line_number": 165,
+        "type": "Base64 High Entropy String",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "9aa7cde469abc42954177388692fa3c14663338d",
+        "is_verified": false,
+        "line_number": 166,
+        "type": "Base64 High Entropy String",
+        "verified_result": null
+      }
+    ],
+    "apps/web/app/Helpers/data-transformer.realworld.test.ts": [
+      {
+        "hashed_secret": "c5b49f145071d1dfaa7b852fbac2cc2d452c033d",
+        "is_verified": false,
+        "line_number": 15,
+        "type": "Base64 High Entropy String",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "565d3a24396607e26491162b13a69050b37c7be7",
+        "is_verified": false,
+        "line_number": 17,
+        "type": "Base64 High Entropy String",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "9690ab4554c9150bb66f9019049b7ed18998d6ab",
+        "is_verified": false,
+        "line_number": 22,
+        "type": "Base64 High Entropy String",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "4f043b03a11e8b760986f07490ee76f48c6c7342",
+        "is_verified": false,
+        "line_number": 25,
+        "type": "Base64 High Entropy String",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "9aa7cde469abc42954177388692fa3c14663338d",
+        "is_verified": false,
+        "line_number": 26,
+        "type": "Base64 High Entropy String",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "b7e41a1408b0de53b6a18b0383983df52151bffd",
+        "is_verified": false,
+        "line_number": 60,
+        "type": "Base64 High Entropy String",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "7f8a4c8efb7a9d741a4131e6382406d04920a55c",
+        "is_verified": false,
+        "line_number": 75,
+        "type": "Base64 High Entropy String",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "ef584f952dbcdb807b1f2a5b688a6b2ac7beaf76",
+        "is_verified": false,
+        "line_number": 158,
+        "type": "Base64 High Entropy String",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "fca9f0a000cc0d99a6b89eff22b280d43b3dc23a",
+        "is_verified": false,
+        "line_number": 168,
+        "type": "Base64 High Entropy String",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "ad5a4eb98aace66b683002aa7038bb800f8b0a65",
+        "is_verified": false,
+        "line_number": 174,
+        "type": "Base64 High Entropy String",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "28681ff8a70bc722645c0ebe5c21fbd8a2ee904a",
+        "is_verified": false,
+        "line_number": 183,
+        "type": "Base64 High Entropy String",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "dd65cdacb216bbeca512abfb1ecd15d1c53ac7bd",
+        "is_verified": false,
+        "line_number": 431,
         "type": "Base64 High Entropy String",
         "verified_result": null
       }

apps/api/src/common/interceptors/data-transform.interceptor.ts

@@ -17,12 +17,10 @@ export interface TransformOptions {
   deep?: boolean;
 }
 
-function padBase64(value: string): string {
-  const remainder = value.length % 4;
-  if (remainder === 0) return value;
-  return value + "=".repeat(4 - remainder);
-}
-
+/**
+ * Check if a string contains mostly printable text
+ * Used to validate that decoded base64 produces readable content
+ */
 function isPrintableText(value: string): boolean {
   if (!value) return true;
 
@@ -43,14 +41,33 @@ function isPrintableText(value: string): boolean {
   return printableCount / value.length >= 0.85;
 }
 
-function decodeBase64String(value: string): string | null {
+/**
+ * Strictly validate and decode a base64 string
+ * Returns decoded string only if:
+ * 1. Input is valid base64 format
+ * 2. Decoded content is printable text
+ * 3. Re-encoding produces the same result (round-trip validation)
+ */
+function tryDecodeBase64(value: string): string | null {
+  if (!value || typeof value !== "string") return null;
+
+  const trimmed = value.trim();
+
+  if (trimmed.length < 4) return null;
+
+  if (!BASE64_REGEX.test(trimmed)) return null;
+
+  const paddingNeeded = (4 - (trimmed.length % 4)) % 4;
+  const padded = trimmed + "=".repeat(paddingNeeded);
+
   try {
-    const decoded = Buffer.from(value, "base64").toString("utf8");
+    const decoded = Buffer.from(padded, "base64").toString("utf8");
+
     if (!isPrintableText(decoded)) {
       return null;
     }
 
-    const normalizedInput = value.replaceAll(/=+$/g, "");
+    const normalizedInput = trimmed.replaceAll(/=+$/g, "");
     const reencoded = Buffer.from(decoded, "utf8")
       .toString("base64")
       .replaceAll(/=+$/g, "");
@@ -61,46 +78,22 @@ function decodeBase64String(value: string): string | null {
   }
 }
 
-function findBase64Payload(rawValue: string): Base64Payload | null {
-  if (!rawValue) return null;
-
-  const trimmed = rawValue.trim();
-  if (!trimmed) return null;
-
-  const primaryCandidate =
-    trimmed.length >= 8 &&
-    BASE64_FULL_REGEX.test(trimmed) &&
-    decodeBase64String(trimmed);
-
-  if (typeof primaryCandidate === "string") {
-    return { candidate: trimmed, decoded: primaryCandidate };
-  }
-
-  const matches = trimmed.match(BASE64_SEGMENT_REGEX);
-  if (!matches) return null;
-
-  for (const match of matches) {
-    if (!match) continue;
-    const padded = padBase64(match);
-    const decoded = decodeBase64String(padded);
-    if (decoded !== null) {
-      return { candidate: padded, decoded };
-    }
-  }
-
-  return null;
-}
-
+/**
+ * Decode multiple layers of base64 encoding
+ * Handles cases where data was encoded multiple times
+ */
 function decodeBase64Layers(value: string): string {
+  if (!value || typeof value !== "string") return value;
+
   let current = value;
   let depth = 0;
 
   while (depth < MAX_BASE64_DEPTH) {
-    const payload = findBase64Payload(current);
-    if (!payload) break;
+    const decoded = tryDecodeBase64(current);
 
-    const decoded = payload.decoded;
-    if (decoded === current) break;
+    if (decoded === null || decoded === current) {
+      break;
+    }
 
     current = decoded;
     depth += 1;
@@ -146,16 +139,9 @@ function matchesConfiguredField(
 
 export const TRANSFORM_METADATA_KEY = "data-transform";
 
-const HTML_TAG_REGEX = /<\/?[a-z][\S\s]*>/i;
-const BASE64_FULL_REGEX = /^[\d+/A-Za-z]+={0,2}$/;
-const BASE64_SEGMENT_REGEX = /[\d+/=A-Za-z]{4,}/g;
+const BASE64_REGEX = /^[\d+/A-Za-z]+=*$/;
 const MAX_BASE64_DEPTH = 5;
 
-interface Base64Payload {
-  candidate: string;
-  decoded: string;
-}
-
 /**
  * Decorator to configure data transformation for endpoints
  */
@@ -326,7 +312,6 @@ export class DataTransformInterceptor implements NestInterceptor {
     fieldPath: string,
     operation: "encode" | "decode",
   ): boolean {
-    // Only transform explicitly configured fields
     if (!fields || fields.length === 0) {
       return false;
     }
@@ -336,7 +321,6 @@ export class DataTransformInterceptor implements NestInterceptor {
       return false;
     }
 
-    // Skip encoding short numeric strings (like "45", "2027")
     if (typeof value === "string") {
       const trimmedValue = value.trim();
       if (
@@ -366,10 +350,9 @@ export class DataTransformInterceptor implements NestInterceptor {
   private decodeValue(value: unknown): unknown {
     if (typeof value !== "string") return value;
 
-    // Handle compressed data with 'comp:' prefix
     if (value.startsWith("comp:")) {
       try {
-        const base64Data = value.slice(5); // Remove 'comp:' prefix
+        const base64Data = value.slice(5);
         const decoded = Buffer.from(base64Data, "base64").toString("utf8");
         const fullyDecoded = decodeBase64Layers(decoded);
         try {