Conformance Check Failure
Check ID: SEC-004
Severity: MEDIUM
Category: Security
Problem Description
The send_otlp_span.cjs handler constructs an HTTP request body with JSON.stringify(payload) but applies no content sanitization before sending. The Safe Outputs specification (SEC-004) requires that any handler with a body field sanitize its content to prevent injection of unvalidated data into outbound requests.
Although this handler sends OTLP telemetry (not GitHub content), the payload may contain span attributes derived from workflow inputs, environment variables, or user-controlled strings. Unsanitized telemetry payloads can leak sensitive values or be used to inject malformed data into the OTLP collector.
Affected Components
- File: actions/setup/js/send_otlp_span.cjs (line 247)
🔍 Current vs Expected Behavior
Current Behavior
```js
body: JSON.stringify(payload),
```
The payload is serialized and sent as-is with no sanitization, validation, or scrubbing of sensitive fields.
Expected Behavior
The payload should be sanitized before serialization. At minimum:
- Sensitive attribute keys (tokens, secrets, passwords) should be redacted
- String values should be bounded in length to prevent oversized requests
- The sanitization should be applied consistently before JSON.stringify
Remediation Steps
This task can be assigned to a Copilot coding agent with the following steps:
- Identify which span attribute fields in payload may carry user-controlled or sensitive values (e.g. the attributes of the OTLP span object).
- Add a sanitizeOTLPPayload(payload) helper that:
  - Redacts values whose attribute names match common secret patterns (token, secret, password, key, auth, etc.). OTLP/JSON encodes each attribute as a { key, value } object, so the pattern must be tested against the attribute's name (the value of its key field), not against object property names; otherwise the key pattern would match every attribute.
  - Truncates excessively long string values (e.g. >1024 chars)
- Apply the sanitizer before JSON.stringify:
```js
body: JSON.stringify(sanitizeOTLPPayload(payload)),
```
- Add a unit test covering the redaction of a sensitive attribute key.
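The following is an added example of what such a sanitizer could look like; it is not code from the send_otlp_span.cjs handler or from the project. It assumes the payload follows the OTLP/JSON trace export shape (resourceSpans -> scopeSpans -> spans -> attributes, each attribute a { key, value } pair) and takes the helper name sanitizeOTLPPayload and the 1024-character bound from the remediation steps above. It goes slightly beyond those steps by also walking resource attributes, span event attributes, and nested arrayValue/kvlistValue values, since secrets can sit in any of them. The sample payload is constructed for the example and does not come from a real run.

```javascript
// Added example (not the project's code). Assumes OTLP/JSON ExportTraceServiceRequest
// shape: { resourceSpans: [{ resource, scopeSpans: [{ spans: [{ attributes, events }] }] }] }.
// Helper name and the 1024-char bound are taken from the remediation steps in this issue.

const SECRET_KEY_PATTERN = /(token|secret|password|passwd|key|auth|credential)/i;
const MAX_STRING_LENGTH = 1024;
const REDACTED = "[REDACTED]";
const TRUNCATION_MARKER = "...[truncated]";

// Sanitize one OTLP AnyValue ({ stringValue } | { intValue } | { arrayValue } | { kvlistValue } | ...).
// When `redact` is set the whole value is replaced, whatever its type.
function sanitizeValue(value, redact) {
  if (redact) return { stringValue: REDACTED };
  if (!value || typeof value !== "object") return value;
  if (typeof value.stringValue === "string" && value.stringValue.length > MAX_STRING_LENGTH) {
    return { stringValue: value.stringValue.slice(0, MAX_STRING_LENGTH) + TRUNCATION_MARKER };
  }
  if (Array.isArray(value.arrayValue?.values)) {
    return { arrayValue: { values: value.arrayValue.values.map((v) => sanitizeValue(v, false)) } };
  }
  if (Array.isArray(value.kvlistValue?.values)) {
    return { kvlistValue: { values: sanitizeAttributes(value.kvlistValue.values) } };
  }
  return value;
}

// OTLP attributes are [{ key, value }] pairs. The secret pattern is tested against the
// attribute *name* (attr.key), never against object property names; a naive recursive
// walk matching the property literally named "key" would redact every attribute.
function sanitizeAttributes(attributes) {
  if (!Array.isArray(attributes)) return attributes;
  return attributes.map((attr) => {
    if (!attr || typeof attr.key !== "string") return attr;
    const redact = SECRET_KEY_PATTERN.test(attr.key);
    return { key: attr.key, value: sanitizeValue(attr.value, redact) };
  });
}

function sanitizeSpan(span) {
  const out = { ...span, attributes: sanitizeAttributes(span.attributes) };
  if (Array.isArray(span.events)) {
    out.events = span.events.map((ev) => ({ ...ev, attributes: sanitizeAttributes(ev.attributes) }));
  }
  return out;
}

// Returns a sanitized copy; the caller's payload object is not mutated.
function sanitizeOTLPPayload(payload) {
  if (!payload || !Array.isArray(payload.resourceSpans)) return payload;
  return {
    ...payload,
    resourceSpans: payload.resourceSpans.map((rs) => ({
      ...rs,
      resource: rs.resource
        ? { ...rs.resource, attributes: sanitizeAttributes(rs.resource.attributes) }
        : rs.resource,
      scopeSpans: (rs.scopeSpans || []).map((ss) => ({
        ...ss,
        spans: (ss.spans || []).map(sanitizeSpan),
      })),
    })),
  };
}

// Constructed sample payload for the example (not captured from a real workflow run).
const samplePayload = {
  resourceSpans: [{
    resource: { attributes: [{ key: "service.name", value: { stringValue: "example-service" } }] },
    scopeSpans: [{
      spans: [{
        name: "workflow.step",
        attributes: [
          { key: "github.token", value: { stringValue: "constructed-secret-value" } },
          { key: "step.output", value: { stringValue: "A".repeat(5000) } },
          { key: "step.name", value: { stringValue: "build" } },
        ],
      }],
    }],
  }],
};

const sanitizedSample = sanitizeOTLPPayload(samplePayload);
console.log(JSON.stringify(sanitizedSample, null, 2));
```

Use it at the call site as body: JSON.stringify(sanitizeOTLPPayload(payload)). Key-name matching is a heuristic: it catches attributes named like credentials but not a secret placed under an innocuous name, so it complements rather than replaces keeping secrets out of span attributes in the first place.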
Verification
After remediation, verify the fix by running:
bash scripts/check-safe-outputs-conformance.sh
Check SEC-004 should pass without errors.
References
- Safe Outputs Specification:
docs/src/content/docs/reference/safe-outputs-specification.md
- Conformance Checker:
scripts/check-safe-outputs-conformance.sh
- Run ID: §24011346099
- Date: 2026-04-05
Generated by Daily Safe Outputs Conformance Checker