Fix incomplete multi-character sanitization in source files (pkg/workflow/js) #7581

Merged
pelikhan merged 2 commits into main-b6f614096c32b91f from copilot/sub-pr-7574
Dec 25, 2025

Copilot AI commented Dec 25, 2025

The security fix for CodeQL alerts #85, #86, #87 was applied to compiled files in actions/setup/js/ instead of source files in pkg/workflow/js/. This meant the vulnerability would reappear on next compilation.

Changes

  • Applied iterative sanitization to source files:

    • pkg/workflow/js/sanitize_content_core.cjs - removeXmlComments()
    • pkg/workflow/js/runtime_import.cjs - removeXMLComments()
  • Recompiled all workflow lock files (124 files) to propagate the fix

Implementation

Both functions now use do-while loops to repeatedly apply replacements until no more HTML comment patterns exist:

function removeXMLComments(content) {
  // Remove XML/HTML comments: <!-- ... -->
  // Apply repeatedly to handle nested/overlapping patterns
  let previous;
  do {
    previous = content;
    content = content.replace(/<!--[\s\S]*?-->/g, "");
  } while (content !== previous);
  return content;
}

This prevents bypass via nested patterns like <!--<!--comment-->--> which would leave <!----> after a single pass.


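The difference between a single pass and the fixed-point loop, as an added example that is not part of this PR or the project's code; the helper names and both input strings are constructed for illustration. It also checks what the loop does not guarantee: an opener with no closing `-->` is not matched by the regex and stays in the output.

```javascript
// Added example; names and inputs are constructed, not taken from the repository.
const COMMENT_RE = /<!--[\s\S]*?-->/g;

// Single pass: the shape that "incomplete multi-character sanitization" alerts flag.
function removeCommentsOnce(content) {
  return content.replace(COMMENT_RE, "");
}

// Fixed-point loop, same shape as removeXMLComments() in the PR description.
function removeCommentsIterative(content) {
  let previous;
  do {
    previous = content;
    content = content.replace(COMMENT_RE, "");
  } while (content !== previous);
  return content;
}

// Post-condition checks a caller or unit test can run on sanitized output.
// A fresh non-global regex avoids the lastIndex state that .test() keeps on /g.
function hasCompleteComment(content) {
  return /<!--[\s\S]*?-->/.test(content);
}
function hasCommentOpener(content) {
  return content.includes("<!--");
}

// Constructed input: two inner comments sit inside the delimiters of an outer one,
// so deleting them joins "<!" + "--" and "--" + ">" into a new complete comment.
const spliced = "keep <!<!-- a -->-- hidden --<!-- b -->> text";
// Constructed input: deleting the inner comment forms an opener with no closer.
const unterminated = "keep <!-<!-- a -->- tail";

function demo() {
  return {
    once: removeCommentsOnce(spliced),           // a complete comment survives
    iterative: removeCommentsIterative(spliced), // no complete comment remains
    leftover: removeCommentsIterative(unterminated), // opener remains, regex cannot match
  };
}

console.log(demo());
```

If downstream rendering treats an unterminated `<!--` as significant, assert `hasCommentOpener()` is false on the output as well, or escape the remaining `<` characters.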

Applied the incomplete multi-character sanitization fix to the source files:
- pkg/workflow/js/sanitize_content_core.cjs: removeXmlComments()
- pkg/workflow/js/runtime_import.cjs: removeXMLComments()

Both functions now use iterative replacement to handle nested/overlapping
HTML comment patterns that could reintroduce comment markers after a single pass.

Ran make recompile to update all compiled workflow lock files.
All JavaScript tests pass (2238 passed, 5 skipped).

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix incomplete multi-character sanitization in HTML comment removal" to "Fix incomplete multi-character sanitization in source files (pkg/workflow/js)" Dec 25, 2025
Copilot AI requested a review from pelikhan December 25, 2025 01:09
pelikhan marked this pull request as ready for review December 25, 2025 01:15
pelikhan merged commit e286d8f into main-b6f614096c32b91f Dec 25, 2025
pelikhan deleted the copilot/sub-pr-7574 branch December 25, 2025 01:16