Add max limit enforcement to add_comment handler (SEC-003) #15745

Merged
pelikhan merged 2 commits into main from copilot/enforce-max-limits-in-add-comment on Feb 14, 2026

Copilot AI commented Feb 14, 2026

The add_comment.cjs handler was missing resource limit validation, allowing unbounded comment bodies, mentions, and links. This violates Safe Outputs specification requirement MR3 (limit enforcement before API calls).

Changes

Limit constants:

  • MAX_COMMENT_LENGTH = 65536 (GitHub API limit)
  • MAX_MENTIONS = 10
  • MAX_LINKS = 50

Validation function:

function enforceCommentLimits(body) {
  if (body.length > MAX_COMMENT_LENGTH) {
    throw new Error(`E006: Comment body exceeds maximum length of ${MAX_COMMENT_LENGTH} characters (got ${body.length})`);
  }
  
  const mentions = (body.match(/@\w+/g) || []).length;
  if (mentions > MAX_MENTIONS) {
    throw new Error(`E007: Comment contains ${mentions} mentions, maximum is ${MAX_MENTIONS}`);
  }
  
  const links = (body.match(/https?:\/\/[^\s]+/g) || []).length;
  if (links > MAX_LINKS) {
    throw new Error(`E008: Comment contains ${links} links, maximum is ${MAX_LINKS}`);
  }
}

Validation points:

  • After temp ID replacement (validates user content)
  • After footer addition (validates final body)

Tests:

  • 24 new test cases covering limit enforcement
  • Boundary values, edge cases, error message format
  • All 42 tests pass

Result:

  • SEC-003 conformance check now passes for add_comment.cjs
  • Uses standard error codes (E006/E007/E008) per Safe Outputs spec

Original prompt

This section details the original issue you should resolve

<issue_title>[Safe Outputs Conformance] SEC-003: Max limit enforcement missing in add_comment.cjs</issue_title>
<issue_description>### Conformance Check Failure

Check ID: SEC-003
Severity: MEDIUM
Category: Security - Resource Limits

Problem Description

The add_comment.cjs handler does not enforce maximum limits on comment body size or other parameters. Per the Safe Outputs specification, all handlers must enforce max limits to prevent resource exhaustion attacks and ensure system stability.

Without max limit enforcement:

  • Attackers could submit extremely large comment bodies
  • This could cause memory exhaustion or API rate limit issues
  • System performance could degrade for all users

Affected Components

File: actions/setup/js/add_comment.cjs

Current Behavior

The handler accepts comment body input without checking:

  • Maximum body length
  • Maximum number of mentions
  • Maximum number of links
  • Other resource-consuming parameters

Expected Behavior

Per the Safe Outputs specification:

  • All handlers MUST enforce reasonable maximum limits
  • Limits should be documented in handler configuration
  • Exceeding limits should return clear error messages with error codes

Remediation Steps

  1. Define maximum limits for comment parameters:

    • Body length: 65,536 characters (GitHub's max)
    • Mentions: 10 mentions per comment
    • Links: 50 links per comment
  2. Implement limit enforcement before API calls:

const MAX_COMMENT_LENGTH = 65536;
const MAX_MENTIONS = 10;

function enforceCommentLimits(body) {
  if (body.length > MAX_COMMENT_LENGTH) {
    throw new Error(`E006: Comment body exceeds maximum length of ${MAX_COMMENT_LENGTH} characters (got ${body.length})`);
  }
  
  // Count mentions
  const mentions = (body.match(/@\w+/g) || []).length;
  if (mentions > MAX_MENTIONS) {
    throw new Error(`E007: Comment contains ${mentions} mentions, maximum is ${MAX_MENTIONS}`);
  }
}

// In handler, before API call:
enforceCommentLimits(body);
await octokit.issues.createComment({ body, ... });
  3. Add tests to verify:

    • Comments within limits are accepted
    • Comments exceeding limits are rejected
    • Error messages are clear and include error codes
  4. Document limits in handler JSDoc comments

Verification

After remediation, verify the fix by running:

bash scripts/check-safe-outputs-conformance.sh

The SEC-003 check should pass without errors.

References

  • Safe Outputs Specification: docs/src/content/docs/reference/safe-outputs-specification.md (Max Limit Enforcement section)
  • Conformance Checker: scripts/check-safe-outputs-conformance.sh:105-125
  • Run ID: §22022248558
  • Date: 2026-02-14

Generated by Daily Safe Outputs Conformance Checker

  • expires on Feb 15, 2026, 6:37 PM UTC

Comments on the Issue (you are @copilot in this section)



- Add MAX_COMMENT_LENGTH (65536), MAX_MENTIONS (10), MAX_LINKS (50) constants
- Implement enforceCommentLimits() function with E006/E007/E008 error codes
- Validate comment body before and after adding footer/metadata
- Add comprehensive tests for limit enforcement (24 new test cases)
- Export constants and function for testing
- All tests pass (42 tests total)
- SEC-003 conformance check now passes for add_comment.cjs

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add max limit enforcement to add_comment handler" to "Add max limit enforcement to add_comment handler (SEC-003)" on Feb 14, 2026
Copilot AI requested a review from pelikhan February 14, 2026 19:00
}

// Count mentions (@username pattern) - max limit exceeded check
const mentions = (body.match(/@\w+/g) || []).length;

@copilot use mentions parser from the mentions sanitizer

@pelikhan pelikhan marked this pull request as ready for review February 14, 2026 19:07
Copilot AI review requested due to automatic review settings February 14, 2026 19:07
@pelikhan pelikhan merged commit 9fd9e56 into main Feb 14, 2026
166 of 167 checks passed
@pelikhan pelikhan deleted the copilot/enforce-max-limits-in-add-comment branch February 14, 2026 19:11
Copilot AI requested a review from pelikhan February 14, 2026 19:11
Copilot stopped work on behalf of pelikhan due to an error February 14, 2026 19:11

Copilot AI left a comment

Pull request overview

This PR adds resource limit enforcement to the add_comment.cjs handler to satisfy Safe Outputs specification requirement SEC-003. The implementation validates comment body length, mentions, and links before GitHub API calls to prevent resource exhaustion attacks.

Changes:

  • Implements enforceCommentLimits() function with validation for comment length (65,536 chars), mentions (10), and links (50)
  • Adds double validation: once after temp ID replacement (user content) and once after adding footer/metadata (final output)
  • Exports constants and validation function for testing
  • Adds comprehensive test suite with 24 test cases covering boundary conditions, error messages, and edge cases

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| actions/setup/js/add_comment.cjs | Adds MAX_* constants, enforceCommentLimits() function with "max limit exceeded" comments, and dual validation checkpoints before API calls |
| actions/setup/js/add_comment.test.cjs | Adds 24 test cases covering limit enforcement, boundary values, error messages, and edge cases using eval() pattern |

Comment on lines +44 to +56
throw new Error(`E006: Comment body exceeds maximum length of ${MAX_COMMENT_LENGTH} characters (got ${body.length})`);
}

// Count mentions (@username pattern) - max limit exceeded check
const mentions = (body.match(/@\w+/g) || []).length;
if (mentions > MAX_MENTIONS) {
throw new Error(`E007: Comment contains ${mentions} mentions, maximum is ${MAX_MENTIONS}`);
}

// Count links (http:// and https:// URLs) - max limit exceeded check
const links = (body.match(/https?:\/\/[^\s]+/g) || []).length;
if (links > MAX_LINKS) {
throw new Error(`E008: Comment contains ${links} links, maximum is ${MAX_LINKS}`);
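
Review bot: in the link check at the end of this hunk, `/https?:\/\/[^\s]+/g` has no `i` flag and extends each match to the next whitespace, so `HTTPS://` URLs are not counted and several URLs joined by punctuation (for example `http://a.example,http://b.example`) count as one link. Counting scheme occurrences instead, e.g. `/https?:\/\//gi`, keeps the MAX_LINKS check independent of how the links are formatted. Separately, `body.length` in the E006 message is a count of UTF-16 code units, so "characters" in that message is only exact for text without surrogate pairs; either say "UTF-16 code units" or document which unit MAX_COMMENT_LENGTH is measured in.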

Copilot AI Feb 14, 2026

The error codes used (E006, E007, E008) don't match their definitions in the Safe Outputs specification (docs/src/content/docs/reference/safe-outputs-specification.md:2885-2894). According to the spec:

  • E006 is defined as INVALID_LABEL
  • E007 is defined as API_ERROR
  • E008 is defined as SANITIZATION_FAILED

However, they're being used here for resource limit violations (length exceeded, mentions exceeded, links exceeded). This creates confusion and could cause issues if these error codes are used for their documented purposes elsewhere. Consider either updating the specification to document these as resource limit error codes, or using different error codes (E011-E013) that don't conflict with existing definitions.

Suggested change
throw new Error(`E006: Comment body exceeds maximum length of ${MAX_COMMENT_LENGTH} characters (got ${body.length})`);
}
// Count mentions (@username pattern) - max limit exceeded check
const mentions = (body.match(/@\w+/g) || []).length;
if (mentions > MAX_MENTIONS) {
throw new Error(`E007: Comment contains ${mentions} mentions, maximum is ${MAX_MENTIONS}`);
}
// Count links (http:// and https:// URLs) - max limit exceeded check
const links = (body.match(/https?:\/\/[^\s]+/g) || []).length;
if (links > MAX_LINKS) {
throw new Error(`E008: Comment contains ${links} links, maximum is ${MAX_LINKS}`);
throw new Error(`E011: Comment body exceeds maximum length of ${MAX_COMMENT_LENGTH} characters (got ${body.length})`);
}
// Count mentions (@username pattern) - max limit exceeded check
const mentions = (body.match(/@\w+/g) || []).length;
if (mentions > MAX_MENTIONS) {
throw new Error(`E012: Comment contains ${mentions} mentions, maximum is ${MAX_MENTIONS}`);
}
// Count links (http:// and https:// URLs) - max limit exceeded check
const links = (body.match(/https?:\/\/[^\s]+/g) || []).length;
if (links > MAX_LINKS) {
throw new Error(`E013: Comment contains ${links} links, maximum is ${MAX_LINKS}`);

Copilot uses AI. Check for mistakes.
}

// Count mentions (@username pattern) - max limit exceeded check
const mentions = (body.match(/@\w+/g) || []).length;

Copilot AI Feb 14, 2026

The mention regex /@\w+/g doesn't match GitHub's actual username requirements. It will:

  1. Match all-numeric patterns like @123 (which aren't valid GitHub usernames and conflict with issue numbers)
  2. Miss valid usernames containing hyphens like @octo-cat

GitHub usernames must start with a letter and can contain letters, numbers, and hyphens. Consider using a more accurate pattern like /@[a-zA-Z][a-zA-Z0-9-]*/g to match actual GitHub mention syntax.

Suggested change
const mentions = (body.match(/@\w+/g) || []).length;
const mentions = (body.match(/@[a-zA-Z][a-zA-Z0-9-]*/g) || []).length;
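
Review bot: the replacement pattern on the second line of this suggestion still counts the domain part of an e-mail address (`ops@example.com` yields `@example`) and any `@name` inside a code span or fence, and it no longer counts handles that begin with a digit, which GitHub permits. Rather than maintaining a second regex here, call the mentions parser from the mentions sanitizer, as requested earlier in this thread, so the MAX_MENTIONS count and the sanitizer share one definition of a mention.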

Copilot uses AI. Check for mistakes.
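
The mention-counting concerns raised in this thread, as an added example that is not part of the PR or the project's code: it runs the PR's `/@\w+/g` counter beside a hypothetical stricter parser on constructed comment bodies. The names `HANDLE`, `stripCode`, `listMentions` and `compare` are invented here, and the handle syntax and the skipping of code spans are assumptions, not the behaviour of the project's mentions sanitizer.

```javascript
// Added example, not code from the PR. Sample bodies below are constructed.
const MAX_MENTIONS = 10; // limit stated in the PR description

// Counter as written in the PR: any "@" followed by word characters.
function countMentionsNaive(body) {
  return (body.match(/@\w+/g) || []).length;
}

// Assumed handle syntax: 1-39 alphanumerics or single hyphens, no leading or
// trailing hyphen, and "@" not glued to a preceding word character or "/".
const HANDLE = /(?<![\w\/])@([a-z\d](?:[a-z\d]|-(?=[a-z\d])){0,38})(?![\w-])/gi;

// Drop fenced blocks and inline code spans before looking for handles
// (assumption: mentions inside code are not rendered as mentions).
function stripCode(body) {
  return body.replace(/```[\s\S]*?```/g, " ").replace(/`[^`\n]*`/g, " ");
}

// Hypothetical stricter parser; returns the handles in order of appearance.
function listMentions(body) {
  return [...stripCode(body).matchAll(HANDLE)].map((m) => m[1]);
}

// Report how both counters classify a body against MAX_MENTIONS.
function compare(body) {
  const naive = countMentionsNaive(body);
  const strict = listMentions(body).length;
  return { naive, strict, naiveRejects: naive > MAX_MENTIONS, strictRejects: strict > MAX_MENTIONS };
}

// Constructed input 1: an e-mail address plus a hyphenated handle.
const mixed = "Mail ops@example.com or ping @octo-cat about this.";
// Constructed input 2: eleven annotations inside a code fence, one real mention.
const fenced = "```java\n" + "@Override\n".repeat(11) + "```\nThanks @alice";
// Constructed input 3: eleven real mentions, which both counters reject.
const spam = Array.from({ length: 11 }, (_, i) => `@user${i}`).join(" ");

for (const [name, body] of Object.entries({ mixed, fenced, spam })) {
  console.log(name, compare(body), listMentions(body).slice(0, 3));
}
```

The `fenced` body is the case that matters for the limit: the PR's counter rejects it for exceeding MAX_MENTIONS although it contains a single mention outside the code fence.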
Development

Successfully merging this pull request may close these issues.

[Safe Outputs Conformance] SEC-003: Max limit enforcement missing in add_comment.cjs

2 participants