
fix: add U+0405 (Ѕ→S) and U+0406 (І→I) to HOMOGLYPH_MAP in sanitize_content_core.cjs#28925

Merged
pelikhan merged 2 commits into main from copilot/fix-uppercase-homoglyph-map
Apr 28, 2026

Conversation

Contributor

Copilot AI commented Apr 28, 2026

The hardenUnicodeText normalization layer handled lowercase Cyrillic dze (U+0455→s) and Ukrainian I (U+0456→i) but was missing their uppercase counterparts, allowing strings like "PENTEЅT-ЅECRET-MARKER" to pass through the sanitizer unchanged and reach downstream threat detection with obfuscated content.

Changes

  • sanitize_content_core.cjs — add two missing entries to HOMOGLYPH_MAP under the Cyrillic uppercase block:
    "\u0405": "S", // Ѕ → S (Cyrillic Dze)
    "\u0406": "I", // І → I (Cyrillic Byelorussian-Ukrainian I)
  • sanitize_content.test.cjs — add regression tests for both codepoints, including the exact reproduction case from the issue ("PENTE\u0405T-\u0405ECRET-MARKER" → "PENTEST-SECRET-MARKER").

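An added illustration of the gap this PR closes (example code written for this page, not the project's sanitize_content_core.cjs): a minimal homoglyph normalizer run once with a lowercase-only map and once with the completed map, plus a self-check that reports any mapped letter whose other-case code point is missing from the map. The function names, both maps and the sample string are constructed here; the four code points are the ones the PR discusses.

```javascript
// Added example, not project code: a minimal model of a HOMOGLYPH_MAP
// normalizer, showing why a lowercase-only map lets uppercase confusables
// through, and a self-check that flags case gaps of that kind.

// Constructed map: only the two lowercase entries that existed before the fix.
const HOMOGLYPH_MAP_BEFORE = {
  "\u0455": "s", // ѕ → s (Cyrillic dze)
  "\u0456": "i", // і → i (Cyrillic Byelorussian-Ukrainian i)
};

// Constructed map: the same entries plus the two uppercase ones added by the PR.
const HOMOGLYPH_MAP_AFTER = {
  ...HOMOGLYPH_MAP_BEFORE,
  "\u0405": "S", // Ѕ → S (Cyrillic Dze)
  "\u0406": "I", // І → I (Cyrillic Byelorussian-Ukrainian I)
};

// Replace every mapped code point with its ASCII look-alike; all else passes through.
function normalizeHomoglyphs(text, map) {
  let out = "";
  for (const ch of text) {
    out += Object.prototype.hasOwnProperty.call(map, ch) ? map[ch] : ch;
  }
  return out;
}

// True when nothing outside printable ASCII survives normalization,
// i.e. a downstream ASCII matcher sees the plain form of the string.
function isPlainAscii(text) {
  return /^[\x20-\x7e]*$/.test(text);
}

// Detect the bug class fixed here: a mapped letter whose upper- or lowercase
// counterpart is a distinct code point that the map does not cover.
function findCaseGaps(map) {
  const gaps = [];
  for (const ch of Object.keys(map)) {
    for (const other of [ch.toUpperCase(), ch.toLowerCase()]) {
      if (other !== ch && !Object.prototype.hasOwnProperty.call(map, other)) {
        gaps.push(other);
      }
    }
  }
  return gaps;
}

// Constructed reproduction string from the PR: Cyrillic Ѕ (U+0405) where an S belongs.
const SAMPLE = "PENTE\u0405T-\u0405ECRET-MARKER";
```

Running findCaseGaps over a map before shipping it turns this kind of omission into a test failure instead of a bypass found in the field.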

Copilot AI changed the title from "[WIP] Fix HOMOGLYPH_MAP by adding missing uppercase mappings for U+0405 and U+0406" to "fix: add U+0405 (Ѕ→S) and U+0406 (І→I) to HOMOGLYPH_MAP in sanitize_content_core.cjs" Apr 28, 2026
Copilot AI requested a review from szabta89 April 28, 2026 11:42
@pelikhan pelikhan marked this pull request as ready for review April 28, 2026 11:55
Copilot AI review requested due to automatic review settings April 28, 2026 11:55
@pelikhan pelikhan merged commit 2feb08e into main Apr 28, 2026
9 checks passed
@pelikhan pelikhan deleted the copilot/fix-uppercase-homoglyph-map branch April 28, 2026 11:56
Contributor

Copilot AI left a comment


Pull request overview

Adds missing uppercase Cyrillic homoglyph mappings so hardenUnicodeText normalizes obfuscated strings consistently and prevents bypasses in downstream detection.

Changes:

  • Add U+0405 (Ѕ) → S and U+0406 (І) → I to HOMOGLYPH_MAP.
  • Add regression tests covering both uppercase codepoints, including the reported reproduction string.
Summary per file:

File | Description
actions/setup/js/sanitize_content_core.cjs | Extends Cyrillic uppercase homoglyph normalization to include Ѕ and І.
actions/setup/js/sanitize_content.test.cjs | Adds targeted tests to prevent regressions for the new mappings.

Copilot's findings


  • Files reviewed: 2/2 changed files
  • Comments generated: 0



4 participants