[PM-33499] Permissive base64 decoder

[dereknance]

🎟️ Tracking

PM-33499

📔 Objective

The .NET 9 base64 decoder/validator requires all padding bits to be zero. This PR preserves .NET 8's permissive decoding behavior for compatibility with existing data so we can safely upgrade to .NET 10.

[github-actions]

Checkmarx One – Scan Summary & Details – eab255f6-4051-4f68-88e3-61ee7f62f5e1

Great job! No new security vulnerabilities introduced in this pull request

[codecov]

Codecov Report

❌ Patch coverage is 84.84848% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 57.45%. Comparing base (fe3a8c2) to head (721ea8b).
⚠️ Report is 4 commits behind head on main.

Files with missing lines	Patch %	Lines
src/Core/Utilities/EncryptedStringAttribute.cs	84.84%	3 Missing and 2 partials ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #7207   +/-   ##
=======================================
  Coverage   57.44%   57.45%           
=======================================
  Files        2032     2032           
  Lines       89410    89441   +31     
  Branches     7951     7959    +8     
=======================================
+ Hits        51366    51391   +25     
- Misses      36201    36205    +4     
- Partials     1843     1845    +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[claude]

Claude finished @dereknance's task in 3m 23s —— View job

---

I'll analyze this and get back to you.

[claude]

Review Summary

Change: Replaces strict Base64.IsValid() with a custom IsValidBase64Permissive() in EncryptedStringAttribute to accept base64 strings with non-zero padding bits, preserving .NET 8 permissive decoding behavior ahead of the .NET 10 upgrade.

Risk: Low

Findings: No issues found.

The implementation is correct and well-structured:

• Bit masking logic is sound: The masks 0b110000 (for == / 4 padding bits) and 0b111100 (for = / 2 padding bits) correctly isolate data bits from padding bits in the last base64 data character.
• Edge cases handled properly: Empty input, non-base64 characters adjacent to padding, padding-only strings, and length-not-divisible-by-4 all correctly return false.
• Performance is good: Fast paths for the no-padding case and the already-canonical case avoid unnecessary work. stackalloc avoids heap allocation for the canonical reconstruction of the last 4-char block. Prefix validation is separated to minimize the scope of the canonical replacement.
• Security is unaffected: This is a validation attribute, not a decryption routine. Relaxing validation to accept previously-valid (under .NET 8) base64 padding bits is a backward-compatibility measure that does not weaken any cryptographic guarantees.
• Test coverage is adequate: New test cases cover non-canonical single-pad (lGD=), non-canonical double-pad (lB==), multi-piece non-canonical strings, and invalid inputs with non-canonical padding combined with other errors.

All CI checks pass.