Conformance Check Failure
Check ID: SEC-005
Severity: HIGH
Category: Security (Cross-Repository Validation)
Problem Description
The SEC-005 conformance check flags actions/setup/js/resolve_transport_paths.cjs as supporting a cross-repository target but lacking an allowlist validation. The check matches the regex target.*[Rr]epo against the file and finds the defaultTargetRepo parameter, then fails because it cannot find any of the expected allowlist markers (allowed.*[Rr]epos, validateTargetRepo, checkAllowedRepo).
In practice this handler is a pure path-derivation utility: given a validated branch (and optional repo) it derives local /tmp/gh-aw/aw-<sanitized-branch>.{patch,bundle} paths via getPatchPathForBranchInRepo / getBundlePathForBranch. It performs no octokit/network/cross-repository API calls — the only side effects are fs.existsSync checks. The defaultTargetRepo argument is used solely as a fallback candidate when computing candidate local file paths. The actual cross-repo write allowlist enforcement lives in the handlers that genuinely call the GitHub API with a target repo.
So this is a heuristic (false-positive-prone) match on the parameter name rather than an unguarded cross-repo write. It should be resolved by making intent explicit — either via the documented exemption annotation, or by routing the allowlist reference through this file.
Affected Components
- Files: actions/setup/js/resolve_transport_paths.cjs
- Check: scripts/check-safe-outputs-conformance.sh (check_cross_repo, lines 165-193)
Current vs Expected Behavior
Current Behavior
resolveTransportPaths(message, defaultTargetRepo) derives local patch/bundle paths from message.branch and a list of repo candidates (message.repo, defaultTargetRepo, null). Sanitization to the canonical /tmp/gh-aw/aw-<sanitized-branch> prefix is enforced by getPatchPathForBranch / getBundlePathForBranch. There is no allowed*Repos / validateTargetRepo token in the file, so SEC-005 reports HIGH.
Expected Behavior
SEC-005 requires that any handler supporting a cross-repository target either (a) validate the target repo against an allowlist, or (b) carry a documented @safe-outputs-exempt SEC-005 annotation. The conformance script already honors this exemption (lines 174-177).
Remediation Steps
This task can be assigned to a Copilot coding agent:
- Confirm resolve_transport_paths.cjs performs no cross-repo API writes (it only does fs.existsSync + path derivation). The defaultTargetRepo value never selects a remote write target — only a local candidate path.
- Preferred fix: add a documented exemption annotation near the top of the file, e.g. a comment containing @safe-outputs-exempt SEC-005: pure local path-derivation utility; no cross-repo API calls. Target-repo allowlist is enforced upstream in the API-calling handlers.
- Alternative: if the intent is for this utility to be the allowlist enforcement point, import and call the shared target-repo validation helper here so the validateTargetRepo / allowedRepos reference is present.
- Re-run the conformance checker and confirm SEC-005 passes.
Verification
After remediation, verify the fix by running:
bash scripts/check-safe-outputs-conformance.sh
The check SEC-005 should pass without errors (exit code 0 for the HIGH gate).
References
- Safe Outputs Specification: docs/src/content/docs/specs/safe-outputs-specification.md
- Conformance Checker: scripts/check-safe-outputs-conformance.sh
- Run ID: 27085521200
- Date: 2026-06-07
Generated by ✅ Daily Safe Outputs Conformance Checker · 58.2 AIC · ⌖ 12.8 AIC · ⊞ 6.7K · ◷