[Safe Outputs Conformance] SEC-004: Handlers with body fields missing content sanitization #16159
Description
Conformance Check Failure
Check ID: SEC-004
Severity: MEDIUM
Category: Security
Affected Components: 6 handler files
Problem Description
The Safe Outputs Specification requires that all handlers processing body or content fields MUST sanitize the content to prevent injection attacks and ensure safe rendering. The conformance checker detected 6 handlers that have body fields but show no evidence of sanitization.
The checker looks for sanitization patterns like:
sanitizefunction callsstripHTMLfunction callsescapeMarkdownfunction callscleanContentfunction calls
Current Behavior
Handlers accept and process body content without sanitization, potentially allowing:
- Cross-site scripting (XSS) through malicious HTML
- Markdown injection attacks
- Unwanted formatting or code execution
- Content that breaks rendering
Expected Behavior
According to the Safe Outputs Specification:
- All body/content fields MUST be sanitized before storage or display
- Sanitization MUST remove or escape potentially dangerous HTML
- Markdown content MUST be validated and cleaned
- Output MUST be safe for rendering in GitHub's UI
Affected Components
-
actions/setup/js/demo_enhanced_errors.cjs -
actions/setup/js/expired_entity_cleanup_helpers.cjs -
actions/setup/js/expired_entity_search_helpers.cjs -
actions/setup/js/mcp_enhanced_errors.cjs -
actions/setup/js/temporary_id.cjs -
actions/setup/js/update_release.cjs
Remediation Steps
This task can be assigned to a Copilot agent with the following steps:
-
Review each affected handler:
- Examine how the
bodyfield is used - Determine if it processes user-provided content
- Check if sanitization is already present but not detected by the checker
- Examine how the
-
For handlers genuinely missing sanitization:
- Import sanitization utilities from
actions/setup/js/sanitize_content.cjsorsanitize_output.cjs - Apply sanitization to all body/content fields before processing
- Ensure sanitization happens BEFORE any API calls or storage operations
- Import sanitization utilities from
-
Example pattern to follow:
const { sanitizeContent } = require('./sanitize_content.cjs'); async function handler(params) { // Sanitize user-provided content const sanitizedBody = sanitizeContent(params.body); // Use sanitized content in API calls await octokit.rest.issues.create({ body: sanitizedBody, // ... other params }); }
-
Verify each handler:
- Confirm sanitization is applied to all user-controlled text
- Test with potentially malicious inputs
- Ensure no functionality is broken by sanitization
Investigation Notes
Some of these handlers may be:
- Demo/test handlers (
demo_enhanced_errors.cjs) - may not need production-grade sanitization - Helper functions (
expired_entity_*_helpers.cjs,temporary_id.cjs) - may not directly process user input - Release handlers (
update_release.cjs) - definitely needs sanitization for release body text
Priority: Focus first on update_release.cjs as it directly processes user-provided content.
Verification
After remediation, verify the fix by running:
bash scripts/check-safe-outputs-conformance.shThe SEC-004 check should pass for all affected handlers.
References:
- Safe Outputs Specification:
docs/src/content/docs/reference/safe-outputs-specification.md - Sanitization utilities:
actions/setup/js/sanitize_content.cjs,actions/setup/js/sanitize_output.cjs - Conformance Checker:
scripts/check-safe-outputs-conformance.sh - Workflow Run: §22071409611
Generated by Daily Safe Outputs Conformance Checker
- expires on Feb 17, 2026, 5:06 PM UTC