Skip to content

[Safe Outputs Conformance] SEC-004: allowed_issue_fields.cjs flagged for missing content sanitization (false-positive; add exemption annotation) #44522

Description

@github-actions

Conformance Check Failure

Check ID: SEC-004
Severity: MEDIUM
Category: Security (Content Sanitization Required)

Problem Description

The Safe Outputs conformance checker (scripts/check-safe-outputs-conformance.sh) reports:

[MEDIUM] SEC-004: actions/setup/js/allowed_issue_fields.cjs has body field but no sanitization

SEC-004 requires that any handler which writes a body/content field to the GitHub API sanitizes that content first. The checker's heuristic greps each .cjs file for "body" or body: and, if found, requires a sanitize/stripHTML/escapeMarkdown/cleanContent reference.

In this case the match is a false positive. actions/setup/js/allowed_issue_fields.cjs is a validation-only utility: it validates issue field names against a configured allow-list. The literal string "body" appears only as an element of the BUILTIN_ISSUE_FIELD_NAMES set (line 11), which enumerates reserved field names — it is not user-supplied content being sent to any GitHub API. The file performs no API writes and has no content to sanitize.

The checker already supports a documented escape hatch for exactly this situation: a @safe-outputs-exempt SEC-004 annotation causes the file to be skipped (see scripts/check-safe-outputs-conformance.sh, lines 145-148).

Affected Components

  • Files: actions/setup/js/allowed_issue_fields.cjs
  • Handlers: none (validation-only utility; no API body writes)
  • Checker: scripts/check-safe-outputs-conformance.sh (SEC-004, check_sanitization)
🔍 Current vs Expected Behavior

Current Behavior

allowed_issue_fields.cjs contains const BUILTIN_ISSUE_FIELD_NAMES = new Set(["title", "body", "state", "labels", "assignees", "milestone"]);. The SEC-004 grep matches the "body" token and, finding no sanitization helper referenced in the file, emits a MEDIUM finding on every run.

Expected Behavior

SEC-004 should apply only to handlers that actually write user-controlled body content to the GitHub API. A validation-only utility that merely names body as a reserved field should be exempt, and the check should PASS ("All handlers properly sanitize content").

Remediation Steps

This task can be assigned to a Copilot coding agent. Preferred (lowest-risk) fix:

  1. Add a documented exemption annotation to actions/setup/js/allowed_issue_fields.cjs, e.g. a comment near the top explaining the file is validation-only and contains no sanitizable body content, including the marker @safe-outputs-exempt SEC-004.
  2. Optionally, harden the SEC-004 heuristic in scripts/check-safe-outputs-conformance.sh so a bare "body" token inside a field-name allow-list set does not trigger the check (e.g. require a body:-style assignment or an API-call context rather than any occurrence of the literal "body"), reducing future false positives.
  3. Re-run the checker and confirm SEC-004 passes.

Verification

After remediation, verify the fix by running:

bash scripts/check-safe-outputs-conformance.sh

The SEC-004 check should report [PASS] SEC-004: All handlers properly sanitize content and the Medium failure count should drop to 0.

References

  • Safe Outputs Specification: docs/src/content/docs/specs/safe-outputs-specification.md
  • Conformance Checker: scripts/check-safe-outputs-conformance.sh
  • Run ID: 28999821366
  • Date: 2026-07-09

Generated by ✅ Daily Safe Outputs Conformance Checker · 41.3 AIC · ⌖ 12.4 AIC · ⊞ 6.6K ·

  • expires on Jul 9, 2026, 11:00 PM UTC-08:00

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions