Conformance Check Failure
Check ID: SEC-004
Severity: MEDIUM
Category: Security (Content Sanitization Required)
Problem Description
The Safe Outputs conformance checker (scripts/check-safe-outputs-conformance.sh) reports:
[MEDIUM] SEC-004: actions/setup/js/allowed_issue_fields.cjs has body field but no sanitization
SEC-004 requires that any handler which writes a body/content field to the GitHub API sanitizes that content first. The checker's heuristic greps each .cjs file for "body" or body: and, if found, requires a sanitize/stripHTML/escapeMarkdown/cleanContent reference.
In this case the match is a false positive. actions/setup/js/allowed_issue_fields.cjs is a validation-only utility: it validates issue field names against a configured allow-list. The literal string "body" appears only as an element of the BUILTIN_ISSUE_FIELD_NAMES set (line 11), which enumerates reserved field names — it is not user-supplied content being sent to any GitHub API. The file performs no API writes and has no content to sanitize.
The checker already supports a documented escape hatch for exactly this situation: a @safe-outputs-exempt SEC-004 annotation causes the file to be skipped (see scripts/check-safe-outputs-conformance.sh, lines 145-148).
Affected Components
- Files:
actions/setup/js/allowed_issue_fields.cjs
- Handlers: none (validation-only utility; no API body writes)
- Checker:
scripts/check-safe-outputs-conformance.sh (SEC-004, check_sanitization)
🔍 Current vs Expected Behavior
Current Behavior
allowed_issue_fields.cjs contains const BUILTIN_ISSUE_FIELD_NAMES = new Set(["title", "body", "state", "labels", "assignees", "milestone"]);. The SEC-004 grep matches the "body" token and, finding no sanitization helper referenced in the file, emits a MEDIUM finding on every run.
Expected Behavior
SEC-004 should apply only to handlers that actually write user-controlled body content to the GitHub API. A validation-only utility that merely names body as a reserved field should be exempt, and the check should PASS ("All handlers properly sanitize content").
Remediation Steps
This task can be assigned to a Copilot coding agent. Preferred (lowest-risk) fix:
- Add a documented exemption annotation to
actions/setup/js/allowed_issue_fields.cjs, e.g. a comment near the top explaining the file is validation-only and contains no sanitizable body content, including the marker @safe-outputs-exempt SEC-004.
- Optionally, harden the SEC-004 heuristic in
scripts/check-safe-outputs-conformance.sh so a bare "body" token inside a field-name allow-list set does not trigger the check (e.g. require a body:-style assignment or an API-call context rather than any occurrence of the literal "body"), reducing future false positives.
- Re-run the checker and confirm SEC-004 passes.
Verification
After remediation, verify the fix by running:
bash scripts/check-safe-outputs-conformance.sh
The SEC-004 check should report [PASS] SEC-004: All handlers properly sanitize content and the Medium failure count should drop to 0.
References
- Safe Outputs Specification:
docs/src/content/docs/specs/safe-outputs-specification.md
- Conformance Checker:
scripts/check-safe-outputs-conformance.sh
- Run ID: 28999821366
- Date: 2026-07-09
Generated by ✅ Daily Safe Outputs Conformance Checker · 41.3 AIC · ⌖ 12.4 AIC · ⊞ 6.6K · ◷
Conformance Check Failure
Check ID: SEC-004
Severity: MEDIUM
Category: Security (Content Sanitization Required)
Problem Description
The Safe Outputs conformance checker (
scripts/check-safe-outputs-conformance.sh) reports:SEC-004 requires that any handler which writes a
body/content field to the GitHub API sanitizes that content first. The checker's heuristic greps each.cjsfile for"body"orbody:and, if found, requires asanitize/stripHTML/escapeMarkdown/cleanContentreference.In this case the match is a false positive.
actions/setup/js/allowed_issue_fields.cjsis a validation-only utility: it validates issue field names against a configured allow-list. The literal string"body"appears only as an element of theBUILTIN_ISSUE_FIELD_NAMESset (line 11), which enumerates reserved field names — it is not user-supplied content being sent to any GitHub API. The file performs no API writes and has no content to sanitize.The checker already supports a documented escape hatch for exactly this situation: a
@safe-outputs-exempt SEC-004annotation causes the file to be skipped (seescripts/check-safe-outputs-conformance.sh, lines 145-148).Affected Components
actions/setup/js/allowed_issue_fields.cjsscripts/check-safe-outputs-conformance.sh(SEC-004,check_sanitization)🔍 Current vs Expected Behavior
Current Behavior
allowed_issue_fields.cjscontainsconst BUILTIN_ISSUE_FIELD_NAMES = new Set(["title", "body", "state", "labels", "assignees", "milestone"]);. The SEC-004 grep matches the"body"token and, finding no sanitization helper referenced in the file, emits a MEDIUM finding on every run.Expected Behavior
SEC-004 should apply only to handlers that actually write user-controlled body content to the GitHub API. A validation-only utility that merely names
bodyas a reserved field should be exempt, and the check should PASS ("All handlers properly sanitize content").Remediation Steps
This task can be assigned to a Copilot coding agent. Preferred (lowest-risk) fix:
actions/setup/js/allowed_issue_fields.cjs, e.g. a comment near the top explaining the file is validation-only and contains no sanitizable body content, including the marker@safe-outputs-exempt SEC-004.scripts/check-safe-outputs-conformance.shso a bare"body"token inside a field-name allow-list set does not trigger the check (e.g. require abody:-style assignment or an API-call context rather than any occurrence of the literal"body"), reducing future false positives.Verification
After remediation, verify the fix by running:
The SEC-004 check should report
[PASS] SEC-004: All handlers properly sanitize contentand the Medium failure count should drop to 0.References
docs/src/content/docs/specs/safe-outputs-specification.mdscripts/check-safe-outputs-conformance.sh