
[Safe Outputs Conformance] SEC-004: assign_to_agent.cjs missing content sanitization for body field #22466

@github-actions


Conformance Check Failure

Check ID: SEC-004
Severity: MEDIUM
Category: Security

Problem Description

The handler actions/setup/js/assign_to_agent.cjs contains a body field that is written to GitHub outputs but lacks the required content sanitization. According to the Safe Outputs specification, any field that may contain user-controlled or external content must be sanitized before being passed through safe output channels to prevent injection attacks or unintended content leakage.

Affected Components

  • Files: actions/setup/js/assign_to_agent.cjs

🔍 Current vs Expected Behavior

Current Behavior

The handler constructs and outputs a body field without running it through the sanitization utility. Raw content from external sources (issue bodies, PR descriptions, comments) may pass through unfiltered.

Expected Behavior

Per SEC-004 of the Safe Outputs specification, all handlers that output a body field MUST sanitize the content using the standard sanitization helper before writing to safe outputs. This typically involves stripping or escaping characters that could interfere with downstream processing.

Remediation Steps

This task can be assigned to a Copilot coding agent with the following steps:

  1. Open actions/setup/js/assign_to_agent.cjs and locate where the body field is constructed or passed to the safe output.
  2. Import or require the sanitization helper (e.g., from safe_output_helpers.cjs) if not already present.
  3. Wrap the body value with the sanitize function before it is written to the output (e.g., sanitize(body) or equivalent).
  4. Add a unit test or inline comment confirming that sanitization is applied.
  5. Run the conformance checker to verify the fix.
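The steps above, carried through as an added example (this is not the project's own code; safe_output_helpers.cjs and assign_to_agent.cjs are not reproduced here). The helper name sanitizeContent, its options, the sanitization rules (strip ANSI escapes and control bytes, neutralize @mentions in backticks, truncate), the stand-in buildAssignToAgentOutput and the sample item are all assumptions made for illustration; the sanitize:false path shows the unsanitized behavior the check flags beside the remediated one.

```javascript
// Added example: an illustrative sanitizer and a stand-in for the handler's output step.
// NOT the project's safe_output_helpers.cjs or assign_to_agent.cjs; every name and rule
// below is an assumption for illustration.

const MAX_BODY_LENGTH = 65000; // assumed cap, just under GitHub's 65536-char issue body limit

// ANSI CSI escape sequences such as "\x1b[31m" (colour) or "\x1b[2J" (clear screen).
const ANSI_CSI = /\u001b\[[0-?]*[ -\/]*[@-~]/g;
// C0 and C1 control characters, except tab, LF and CR, which Markdown tolerates.
const CONTROL_CHARS = /[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F-\u009F]/g;
// "@login" that is not already inside backticks and is not part of an e-mail address.
const MENTION = /(^|[^\w`])@([A-Za-z0-9][A-Za-z0-9-]{0,38})/g;

// Assumed helper: returns a string that is safe to write to a safe-output channel.
function sanitizeContent(text, { maxLength = MAX_BODY_LENGTH } = {}) {
  if (text === null || text === undefined) return "";
  let out = String(text).normalize("NFC");
  out = out.replace(ANSI_CSI, "");       // escapes first, so the ESC byte does not leave "[31m" behind
  out = out.replace(CONTROL_CHARS, "");  // then drop remaining control bytes (BEL, NUL, ...)
  out = out.replace(MENTION, "$1`@$2`"); // wrap mentions so the output cannot notify arbitrary users
  if (out.length > maxLength) {
    out = out.slice(0, maxLength) + "\n[content truncated]";
  }
  return out;
}

// Constructed stand-in for the handler's output step: an agent-produced item comes in,
// the object written to the safe-output channel goes out.
function buildAssignToAgentOutput(item, { sanitize = true } = {}) {
  const rawBody = item.body ?? "";
  return {
    type: "assign_to_agent",
    issue_number: item.issue_number,
    // SEC-004: the body may carry user-controlled text (issue, PR or comment content the
    // agent quoted), so it must pass through the sanitizer before it is written out.
    // sanitize:false reproduces the unsanitized behaviour the conformance check flags.
    body: sanitize ? sanitizeContent(rawBody) : rawBody,
  };
}

// Constructed sample: a body quoting hostile text from an issue comment
// (terminal colour escape, a mention, a BEL byte, and an e-mail address that must survive).
const SAMPLE_ITEM = {
  issue_number: 42,
  body: "Please fix this.\u001b[31m@octocat\u0007 see user@example.com",
};

console.log(JSON.stringify(buildAssignToAgentOutput(SAMPLE_ITEM, { sanitize: false })));
console.log(JSON.stringify(buildAssignToAgentOutput(SAMPLE_ITEM)));
```

The order of the rules matters: removing the ESC byte before the escape sequence would leave `[31m` in the output, and the mention rule deliberately skips `@` preceded by a word character so e-mail addresses are not mangled.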

Verification

After remediation, verify the fix by running:

bash scripts/check-safe-outputs-conformance.sh

The check SEC-004 should pass without errors.

References

  • Safe Outputs Specification: docs/src/content/docs/reference/safe-outputs-specification.md
  • Conformance Checker: scripts/check-safe-outputs-conformance.sh
  • Run ID: §23449847592
  • Date: 2026-03-23

Generated by Daily Safe Outputs Conformance Checker · expires on Mar 24, 2026, 5:07 PM UTC
