Skip to content

[Safe Outputs Conformance] SEC-004: update_handler_factory.cjs has body field but no content sanitization #19443

New issue
New issue
Open
Open
[Safe Outputs Conformance] SEC-004: update_handler_factory.cjs has body field but no content sanitization#19443
Labels
automatedbugSomething isn't workingconformancesafe-outputs
@github-actions

Description

@github-actions
github-actions
bot
opened on Mar 3, 2026

Conformance Check Failure

Check ID: SEC-004
Severity: MEDIUM
Category: Security

Problem Description

The update_handler_factory.cjs file accepts a body field (stored internally as _rawBody) and passes it to GitHub API update calls, but it does not call any recognized content sanitization function (sanitize, stripHTML, escapeMarkdown, or cleanContent). The Safe Outputs specification requires that any handler accepting free-form body/content fields MUST sanitize the content before writing it to GitHub to prevent injection attacks via issue/PR/comment bodies.

Affected Components

  • File: actions/setup/js/update_handler_factory.cjs

Current Behavior

The factory creates update handlers that accept a body field. When _rawBody is present it is logged and then forwarded directly to executeUpdate(...) without passing through any sanitization step. The staged-mode preview path also skips sanitization.

Expected Behavior

Before forwarding the body content to the GitHub API, the handler MUST call a sanitization helper (e.g., sanitize(rawBody), escapeMarkdown(rawBody), or an equivalent cleanContent utility) to strip or escape potentially dangerous markup.

Remediation Steps

This task can be assigned to a Copilot coding agent with the following steps:

  1. Identify or create a shared sanitization utility (e.g., sanitize_content.cjs) that implements the escapeMarkdown / cleanContent logic.
  2. Import the sanitization function in actions/setup/js/update_handler_factory.cjs.
  3. Apply the sanitization function to the body value before it is passed to executeUpdate, for example: 
    const safeBody = sanitize(updateData._rawBody);
  4. Ensure the sanitized value is used consistently in both the live and staged-mode code paths.
  5. Add a brief comment explaining why sanitization is applied (safe outputs conformance).

Verification

After remediation, verify the fix by running:

bash scripts/check-safe-outputs-conformance.sh

Check SEC-004 should pass without errors.

References

  • Safe Outputs Specification: docs/src/content/docs/reference/safe-outputs-specification.md
  • Conformance Checker: scripts/check-safe-outputs-conformance.sh
  • Run ID: §22633945407
  • Date: 2026-03-03

Generated by Daily Safe Outputs Conformance Checker ·

  • expires on Mar 4, 2026, 5:07 PM UTC

Metadata

Metadata

Assignees

No one assigned

    Labels

    automatedbugSomething isn't workingconformancesafe-outputs

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions