
fix: add SEC-004 exemption to safe_output_execution_metadata.cjs#35933

Merged
pelikhan merged 2 commits into
mainfrom
copilot/sec-004-fix-sanitization-issue
May 30, 2026

Conversation

Contributor

Copilot AI commented May 30, 2026

The daily Safe Outputs conformance checker (SEC-004) false-positively flags safe_output_execution_metadata.cjs for missing content sanitization. All body references in this file feed exclusively into hashNormalizedBody() to produce a SHA-256 hash for execution-state diffing — the raw content is never passed to any GitHub write API.

Changes

  • actions/setup/js/safe_output_execution_metadata.cjs: Add @safe-outputs-exempt SEC-004 annotation (matching the pattern used in 9+ other files) to suppress the false-positive:
// @ts-check
// @safe-outputs-exempt SEC-004 — body is only read to compute a normalized SHA-256 hash for execution-state diffing; raw body content is never written back to any GitHub API.

The conformance checker confirms [PASS] SEC-004: All handlers properly sanitize content after this change.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix false-positive in safe_output_execution_metadata.cjs security check fix: add SEC-004 exemption to safe_output_execution_metadata.cjs May 30, 2026
Copilot AI requested a review from pelikhan May 30, 2026 14:44
@pelikhan pelikhan marked this pull request as ready for review May 30, 2026 14:47
Copilot AI review requested due to automatic review settings May 30, 2026 14:47
@pelikhan pelikhan merged commit bd3929d into main May 30, 2026
@pelikhan pelikhan deleted the copilot/sec-004-fix-sanitization-issue branch May 30, 2026 14:47

Development

Successfully merging this pull request may close these issues.

[Safe Outputs Conformance] SEC-004: safe_output_execution_metadata.cjs has body field but no sanitization (exemption needed)

2 participants