[Safe Outputs Conformance] SEC-004: Multiple HTTP handlers missing content sanitization #26748

@github-actions

Conformance Check Failure

Check ID: SEC-004
Severity: MEDIUM
Category: Security

Problem Description

Three handler files contain body fields (used for HTTP request/response bodies) but do not reference any of the required sanitization functions (sanitize, stripHTML, escapeMarkdown, cleanContent). The Safe Outputs specification requires that any handler processing body/content fields must apply sanitization before producing output to prevent content injection.

Affected Components

  • actions/setup/js/mcp_cli_bridge.cjs
  • actions/setup/js/mount_mcp_as_cli.cjs
  • actions/setup/js/start_mcp_gateway.cjs

Current vs Expected Behavior

Current Behavior

Each file uses body as a variable name for HTTP POST request/response payloads, but none reference sanitization helpers such as sanitize, stripHTML, escapeMarkdown, or cleanContent. The conformance check (SEC-004) flags any file that has a body field without a corresponding sanitization call.

Expected Behavior

Per the Safe Outputs specification, handlers that process body/content fields must apply content sanitization before forwarding that content as output to GitHub (issues, comments, PRs, etc.). If a file only uses body for internal HTTP transport (not for producing safe outputs), it should either:

  1. Add a @safe-outputs-exempt SEC-004 annotation with justification, or
  2. Apply sanitization to any content that flows into safe-output tool calls.

Remediation Steps

This task can be assigned to a Copilot coding agent with the following steps:

  1. Review each file to determine if the body field is used to produce any safe output (GitHub issue body, comment, PR description, etc.) or is purely an internal HTTP transport variable.
  2. If used for safe output: Add a call to the appropriate sanitization utility (e.g., sanitize(), escapeMarkdown()) before passing content to safe-output handlers.
  3. If purely internal transport: Add a `// @safe-outputs-exempt SEC-004: body is HTTP transport only, not safe-output content` annotation near the body usage so the conformance check can skip the file.
  4. Re-run the conformance checker to confirm SEC-004 passes for all three files.

Verification

After remediation, verify the fix by running:

bash scripts/check-safe-outputs-conformance.sh

The check SEC-004 should pass without any MEDIUM findings.

References

  • Safe Outputs Specification: docs/src/content/docs/reference/safe-outputs-specification.md
  • Conformance Checker: scripts/check-safe-outputs-conformance.sh
  • Run ID: §24536310861
  • Date: 2026-04-16

Generated by Daily Safe Outputs Conformance Checker · ● 66.2K ·

  • expires on Apr 17, 2026, 10:06 PM UTC