
[Safe Outputs Conformance] SEC-004: Content sanitization missing in 6 handlers with body fields #16403

@github-actions

Description


Conformance Check Failure

Check ID: SEC-004
Severity: MEDIUM
Category: Security - Content Sanitization
Run: §22107933843

Problem Description

Six handlers that process body or content fields do not call a sanitization function before using that content. Per the Safe Outputs specification (SEC-004), every handler that accepts body/content must sanitize it before use, to prevent XSS, HTML/markdown injection, and the delivery of malicious content into issues, pull requests, and discussions.

Affected Components

  • actions/setup/js/demo_enhanced_errors.cjs
  • actions/setup/js/expired_entity_cleanup_helpers.cjs
  • actions/setup/js/expired_entity_search_helpers.cjs
  • actions/setup/js/mcp_enhanced_errors.cjs
  • actions/setup/js/temporary_id.cjs
  • actions/setup/js/update_release.cjs

Current Behavior

These handlers reference or use body fields but never call a sanitization function whose name matches one of the checker's patterns:

  • sanitize()
  • stripHTML()
  • escapeMarkdown()
  • cleanContent()

Note that this is a static name-based check: it flags a handler that sanitizes through a function with an unmatched name, and it does not verify that a matched function is actually applied to every body field before use. Treat a pass as necessary, not sufficient.

Expected Behavior

Per SEC-004, handlers with body/content fields MUST:

  1. Sanitize all user-provided content before use
  2. Strip or escape dangerous HTML/script tags
  3. Validate markdown syntax
  4. Prevent injection attacks

Remediation Steps

For each affected handler:

  1. Read the handler to understand how body content is used
  2. Identify sanitization points - where content enters the system
  3. Import sanitization utilities:
    const { sanitizeContent } = require('./sanitize_content.cjs');
    const { sanitizeIncomingText } = require('./sanitize_incoming_text.cjs');
  4. Apply sanitization before:
    • Storing content
    • Passing to API calls
    • Writing to GitHub (issues, PRs, discussions)
  5. Add tests for sanitization edge cases

Example Fix Pattern

    // Before: the untrusted body goes straight to the API
    const body = inputs.body;
    await octokit.issues.create({ body });

    // After: sanitize at the point where content leaves the handler
    const sanitizedBody = sanitizeContent(inputs.body);
    await octokit.issues.create({ body: sanitizedBody });
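A worked version of the remediation steps above, added here as an example; it is not the project's actions/setup/js/sanitize_content.cjs, whose implementation is not shown in this issue. The sanitizeContent below is a stand-in that reuses the name so the conformance pattern matches; buildIssuePayload, createIssueHandler, the length caps, the fake Octokit client, and the sample inputs are all assumptions made for the example.

```javascript
// Added example, not the project's sanitize_content.cjs. sanitizeContent is a
// stand-in with the same name; buildIssuePayload, createIssueHandler, the
// caps below, fakeOctokit and sampleInputs are assumptions for illustration.

const MAX_BODY_LENGTH = 65000;  // assumed cap, just under GitHub's 65536-char issue body limit
const MAX_TITLE_LENGTH = 256;   // assumed cap for issue titles

function sanitizeContent(input, { maxLength = MAX_BODY_LENGTH } = {}) {
  if (typeof input !== 'string') return '';
  let text = input;

  // Remove <script>/<style> elements together with their contents.
  text = text.replace(/<\s*(script|style)\b[^>]*>[\s\S]*?<\s*\/\s*\1\s*>/gi, '');

  // Strip any remaining HTML tags, then escape leftover angle brackets so
  // fragments cannot be reassembled into a tag by a later transformation.
  text = text.replace(/<\/?[a-zA-Z][^>]*>/g, '');
  text = text.replace(/</g, '&lt;').replace(/>/g, '&gt;');

  // Drop control characters (keep \t, \n, \r); they can hide text in terminals and diffs.
  text = text.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, '');

  // Markdown is a different sink from HTML: neutralize javascript:/data:/vbscript:
  // link targets, which survive tag stripping untouched.
  text = text.replace(/\]\(\s*(javascript|data|vbscript):[^)]*\)/gi, '](#)');

  if (text.length > maxLength) {
    text = text.slice(0, maxLength) + '\n\n[content truncated]';
  }
  return text;
}

// Builds the parameters for octokit.issues.create with every user-supplied
// field sanitized; synchronous and side-effect free so it is easy to test.
function buildIssuePayload(inputs) {
  const title = sanitizeContent(inputs.title, { maxLength: MAX_TITLE_LENGTH })
    .replace(/\s+/g, ' ')
    .trim();
  return {
    owner: inputs.owner,
    repo: inputs.repo,
    title: title || 'Untitled',
    body: sanitizeContent(inputs.body),
  };
}

// Handler: sanitization happens at the boundary where content leaves for the API.
function createIssueHandler(octokit) {
  return async function createIssue(inputs) {
    const params = buildIssuePayload(inputs);
    const { data } = await octokit.issues.create(params);
    return data.number;
  };
}

// Constructed stand-in for the Octokit client so the example runs offline.
const fakeOctokit = {
  issues: {
    create: async (params) => ({ data: { number: 1, ...params } }),
  },
};

// Constructed sample input resembling a hostile body an agent could emit.
const sampleInputs = {
  owner: 'example-org',
  repo: 'example-repo',
  title: 'Build failed\n<b>on main</b>',
  body: '<script>alert(1)</script>Build failed.\n<img src=x onerror=alert(1)>See [logs](javascript:alert%281%29).',
};

createIssueHandler(fakeOctokit)(sampleInputs).then((n) => {
  console.log('created issue #' + n, buildIssuePayload(sampleInputs));
});
```

The point of buildIssuePayload is that the sanitized parameters are produced by a pure function, so step 5 of the remediation (tests for edge cases) can assert on its return value without mocking the GitHub API. Because the conformance checker matches function names, route every body field through a function with one of the expected names rather than an ad-hoc regex inline, even when the inline code would be equivalent.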

Verification

After remediation, verify by running:

bash scripts/check-safe-outputs-conformance.sh | grep "SEC-004"

Should show: [PASS] SEC-004: All handlers properly sanitize content

References

  • Safe Outputs Specification: docs/src/content/docs/reference/safe-outputs-specification.md
  • Conformance Checker: scripts/check-safe-outputs-conformance.sh:127-150
  • Sanitization utilities: actions/setup/js/sanitize_content.cjs, actions/setup/js/sanitize_incoming_text.cjs

Generated by Daily Safe Outputs Conformance Checker

  • expires on Feb 18, 2026, 5:11 PM UTC
