Summary
In the safe-outputs create_issue pipeline, the issue title is sanitized via sanitizeTitle (which calls neutralizeAllMentions), but the issue body receives no equivalent sanitization — sanitizeContent is neither imported nor called in create_issue.cjs. Agent-generated bodies containing @mentions pass verbatim to the GitHub API, producing active notifications to real users. This contradicts the documented @mention neutralization security control and the sanitize: true flag declared for the body field in validation.json. The sanitization asymmetry is confirmed by static code inspection.
Affected Area
Safe-outputs output sanitization boundary — the pipeline between agent-generated content and GitHub API writes (create_issue.cjs in actions/setup/js/).
Reproduction Outline
- Configure a gh-aw workflow with safe-outputs: create-issue and a Claude or Copilot engine.
- Craft trigger content (e.g., an issue body) that causes the agent to include @username in the created issue body.
- The agent calls the create_issue MCP tool with a body containing @username.
- The safe-outputs processing job runs create_issue.cjs, which calls sanitizeTitle on the title but does not call sanitizeContent on the body.
- The GitHub API receives the body verbatim; @username generates an active notification.
Observed Behavior
@mentions in agent-generated issue bodies reach the GitHub API unsanitized. Under cross-prompt injection, an attacker who plants @username in trigger content can cause the agent to produce a body that notifies arbitrary users.
Expected Behavior
create_issue.cjs should apply sanitizeContent (or at minimum neutralizeAllMentions) to the body before calling githubClient.rest.issues.create(), matching the sanitization already applied to the title and matching the sanitize: true declaration in validation.json. Issue-update paths already call sanitizeContent on the body; the creation path should do the same.
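The fix described above, as an added example that is not gh-aw's own code: one neutralization pass applied to both title and body before the create call, plus a check that reports any mention that would still trigger a notification. The regex and the helper names (neutralizeMentions, findActiveMentions, buildIssuePayload) are assumptions, not the project's sanitizeContent / neutralizeAllMentions implementation.

```javascript
// Added example, not gh-aw code: apply the same @mention neutralization to
// the body that the title already receives, and verify nothing active is left.
// The real helpers in actions/setup/js/ may differ; this is an assumed,
// stand-alone reimplementation of the idea.

// GitHub login: 1-39 chars, alphanumerics or hyphens, no leading/trailing
// hyphen; optional "/team" suffix covers @org/team mentions. The negative
// lookbehind rejects e-mail addresses (word char before "@"), anything already
// wrapped in backticks, and path-like "/@x" fragments.
const MENTION_RE = /(?<![\w`\/])@([a-z\d](?:[a-z\d]|-(?=[a-z\d])){0,38})(\/[\w-]+)?/gi;

// Wrap each mention in backticks: rendered as inline code, GitHub does not
// resolve it to a user and sends no notification.
function neutralizeMentions(text) {
  return text.replace(MENTION_RE, (m) => "`" + m + "`");
}

// Logins that would still notify someone if `text` were posted verbatim.
// An empty list means the text is safe to send to the API.
function findActiveMentions(text) {
  return Array.from(text.matchAll(MENTION_RE), (m) => m[1]);
}

// Build the create-issue payload with identical treatment for both fields.
// Assumes the caller passes the agent-produced title and body.
function buildIssuePayload({ title, body }) {
  return { title: neutralizeMentions(title), body: neutralizeMentions(body) };
}

// Constructed sample: an agent-produced issue under prompt injection.
const sample = {
  title: "Bug found by @octocat",
  body: "Please look at this @alice and @github/security-team.\n" +
        "Contact ops@example.com; `@already` is inline code.",
};

// Stand-alone run: show what would reach githubClient.rest.issues.create().
console.log(JSON.stringify(buildIssuePayload(sample), null, 2));
```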
Security Relevance
An attacker who can influence trigger content (e.g., via a malicious issue) can craft input that causes an agent to produce a body containing targeted @mentions, generating unwanted GitHub notifications to arbitrary users. This is a concrete XPIA (cross-prompt injection attack) impact path enabled by the sanitization gap. The sanitize: true metadata and the parallel update-path sanitization confirm the gap is unintentional rather than a design choice.
gh-aw version: v0.68.1
Original finding: https://github.com/githubnext/gh-aw-security/issues/1850