[Safe Outputs Conformance] SEC-003: Max limit enforcement missing in add_comment.cjs #15741

@github-actions

Conformance Check Failure

Check ID: SEC-003
Severity: MEDIUM
Category: Security - Resource Limits

Problem Description

The add_comment.cjs handler does not enforce maximum limits on comment body size or other parameters. Per the Safe Outputs specification, all handlers must enforce max limits to prevent resource exhaustion attacks and ensure system stability.

Without max limit enforcement:

  • Attackers could submit extremely large comment bodies
  • This could cause memory exhaustion or API rate limit issues
  • System performance could degrade for all users

Affected Components

File: actions/setup/js/add_comment.cjs

Current Behavior

The handler accepts comment body input without checking:

  • Maximum body length
  • Maximum number of mentions
  • Maximum number of links
  • Other resource-consuming parameters

Expected Behavior

Per the Safe Outputs specification:

  • All handlers MUST enforce reasonable maximum limits
  • Limits should be documented in handler configuration
  • Exceeding limits should return clear error messages with error codes

Remediation Steps

  1. Define maximum limits for comment parameters:

    • Body length: 65,536 characters (GitHub's max)
    • Mentions: 10 mentions per comment
    • Links: 50 links per comment
  2. Implement limit enforcement before API calls:

```javascript
const MAX_COMMENT_LENGTH = 65536;
const MAX_MENTIONS = 10;

function enforceCommentLimits(body) {
  if (typeof body !== "string") {
    throw new TypeError(`Comment body must be a string (got ${typeof body})`);
  }
  // String.length counts UTF-16 code units, so astral characters (emoji)
  // count twice; the length check therefore errs on the strict side.
  if (body.length > MAX_COMMENT_LENGTH) {
    throw new Error(`E006: Comment body exceeds maximum length of ${MAX_COMMENT_LENGTH} characters (got ${body.length})`);
  }

  // Count @mentions. GitHub logins may contain hyphens, and an "@" preceded by
  // a word character or "." is part of an e-mail address, not a mention.
  const mentions = (body.match(/(?<![\w.])@[A-Za-z0-9-]+/g) || []).length;
  if (mentions > MAX_MENTIONS) {
    throw new Error(`E007: Comment contains ${mentions} mentions, maximum is ${MAX_MENTIONS}`);
  }
}

// In the handler, before the API call:
enforceCommentLimits(body);
await octokit.issues.createComment({ body, ... });
```
  3. Add tests to verify:

    • Comments within limits are accepted
    • Comments exceeding limits are rejected
    • Error messages are clear and include error codes
  4. Document limits in handler JSDoc comments
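
A fuller version of the four remediation steps, as an added example (it is not the project's add_comment.cjs and not code from this issue): all three limits from step 1, a non-throwing checker that the step 3 tests can assert on, a throwing variant for the handler, and a handler skeleton that runs the check before the API call. The limit values and the E006/E007 codes are those given above; the E008 code for links, the mention and link regular expressions, the LimitExceededError class and the injected createComment callback are assumptions made for this example.

```javascript
// Added example, not the project's add_comment.cjs. The limits and the
// E006/E007 codes come from the issue; E008, the regexes, LimitExceededError
// and the injected createComment callback are assumptions of this example.
const COMMENT_LIMITS = Object.freeze({
  maxBodyLength: 65536, // GitHub's maximum comment body size
  maxMentions: 10,
  maxLinks: 50,
});

// Error that carries a stable, machine-readable code next to the message.
class LimitExceededError extends Error {
  constructor(code, message) {
    super(`${code}: ${message}`);
    this.name = "LimitExceededError";
    this.code = code;
  }
}

// http(s) URLs, bare or inside markdown "[text](url)"; trailing punctuation
// may be swallowed by the match, which does not affect the count.
const LINK_RE = /https?:\/\/[^\s)\]>]+/g;
// "@login" where the "@" is not preceded by a word character or "." (so
// e-mail addresses are not counted) and the login uses GitHub's character set.
const MENTION_RE = /(?<![\w.])@[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?/g;

function countMatches(text, re) {
  return (text.match(re) || []).length;
}

// Measures a body against the limits without throwing. Returns
// { ok: true, stats } or { ok: false, code, message, stats }.
function checkCommentLimits(body, limits = COMMENT_LIMITS) {
  if (typeof body !== "string") {
    throw new TypeError(`Comment body must be a string (got ${typeof body})`);
  }
  // String.length counts UTF-16 code units, so astral characters (emoji)
  // count twice; the length check therefore errs on the strict side.
  const links = countMatches(body, LINK_RE);
  // Strip links first so an "@" inside a URL path is not counted as a mention.
  const mentions = countMatches(body.replace(LINK_RE, " "), MENTION_RE);
  const stats = { length: body.length, mentions, links };

  if (body.length > limits.maxBodyLength) {
    return { ok: false, code: "E006", stats,
      message: `Comment body exceeds maximum length of ${limits.maxBodyLength} characters (got ${body.length})` };
  }
  if (mentions > limits.maxMentions) {
    return { ok: false, code: "E007", stats,
      message: `Comment contains ${mentions} mentions, maximum is ${limits.maxMentions}` };
  }
  if (links > limits.maxLinks) {
    return { ok: false, code: "E008", stats,
      message: `Comment contains ${links} links, maximum is ${limits.maxLinks}` };
  }
  return { ok: true, stats };
}

// Throwing variant for use in the handler; returns the stats on success.
function enforceCommentLimits(body, limits = COMMENT_LIMITS) {
  const result = checkCommentLimits(body, limits);
  if (!result.ok) throw new LimitExceededError(result.code, result.message);
  return result.stats;
}

// Handler skeleton: the limits are enforced before createComment (the API
// call, injected here so the example runs offline) is ever invoked.
function handleAddComment(params, createComment) {
  const stats = enforceCommentLimits(params.body);
  return createComment({ body: params.body, stats });
}
```

The split into a non-throwing checker and a throwing wrapper keeps the unit tests simple (assert on the returned code) while the handler gets a single call that fails closed with a coded error before any request leaves the process.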

Verification

After remediation, verify the fix by running:

bash scripts/check-safe-outputs-conformance.sh

The SEC-003 check should pass without errors.

References

  • Safe Outputs Specification: docs/src/content/docs/reference/safe-outputs-specification.md (Max Limit Enforcement section)
  • Conformance Checker: scripts/check-safe-outputs-conformance.sh:105-125
  • Run ID: §22022248558
  • Date: 2026-02-14

Generated by Daily Safe Outputs Conformance Checker

  • expires on Feb 15, 2026, 6:37 PM UTC
