[Safe Outputs Conformance] Conformance script exits prematurely due to arithmetic expansion bug with set -euo pipefail #17757

@github-actions

Conformance Check Failure

Check ID: Script Infrastructure Bug
Severity: HIGH
Category: Implementation

Problem Description

The conformance checker script scripts/check-safe-outputs-conformance.sh uses set -euo pipefail alongside ((VAR++)) arithmetic expressions in its logging functions. In bash, ((VAR++)) evaluates to the old value of VAR, and the command returns a non-zero exit status when that value is 0. When VAR is 0, ((VAR++)) evaluates to 0 (falsy) and returns exit status 1, causing set -e to terminate the entire script immediately after the first counter increment.

This means the script halts after the first failure is logged — before completing SEC-004, SEC-005, USE-001 through USE-003, REQ-001 through REQ-003, IMP-001 through IMP-003 — and exits with code 1 (indicating HIGH failures) even when no HIGH failures exist, purely due to the arithmetic exit code.

Secondary issues in the same script:

  • IMP-002 check searches for computePermissionsForSafeOutputs (camelCase) but the actual exported Go function is ComputePermissionsForSafeOutputs (PascalCase), causing a permanent false positive.
  • SEC-003 check applies the max-limit pattern to all *.cjs files (including fuzz harnesses, utility files, and test helpers) rather than scoping to safe-output handlers only. Additionally, the actual limit enforcement functions (enforceArrayLimit, tryEnforceArrayLimit) in limit_enforcement_helpers.cjs are not matched by the check pattern, creating false positives for any file that imports and delegates to that module.

Affected Components

  • Files: scripts/check-safe-outputs-conformance.sh (lines 22–40: logging functions; line 92: check_validation_ordering; line 115: check_max_limits; line 344: check_permission_computation)

Current Behavior

# These logging functions exit the script when the counter is 0:
log_medium() {
    echo -e "${YELLOW}[MEDIUM]${NC} $1"
    ((MEDIUM_FAILURES++))   # exits 1 when MEDIUM_FAILURES was 0
}

When log_medium is first called, ((MEDIUM_FAILURES++)) returns exit code 1 (the old value 0 is falsy), and set -e terminates the script. All subsequent checks are skipped, and HIGH/CRITICAL failures go undetected.

Expected Behavior

All 13 conformance checks (SEC-001 through IMP-003) should run to completion. Counter increments should not cause early termination.

Remediation Steps

This task can be assigned to a Copilot coding agent with the following steps:

  1. Replace all ((VAR++)) arithmetic expressions in logging functions with VAR=$((VAR+1)) (POSIX-safe increment that always returns exit 0):
    • ((CRITICAL_FAILURES++)) → CRITICAL_FAILURES=$((CRITICAL_FAILURES+1))
    • ((HIGH_FAILURES++)) → HIGH_FAILURES=$((HIGH_FAILURES+1))
    • ((MEDIUM_FAILURES++)) → MEDIUM_FAILURES=$((MEDIUM_FAILURES+1))
    • ((LOW_FAILURES++)) → LOW_FAILURES=$((LOW_FAILURES+1))
    • ((sections_found++)) → sections_found=$((sections_found+1))
  2. Fix the IMP-002 check (line ~345) to use the correct PascalCase function name: change computePermissionsForSafeOutputs to ComputePermissionsForSafeOutputs.
  3. Fix the SEC-003 check to exclude non-handler files. Add filter patterns for fuzz harnesses, test files, and utilities (e.g., fuzz_, _helpers, constants, error_, messages, sanitize_), or maintain an explicit allowlist of files that require max limit enforcement.
  4. Update the SEC-003 check pattern to also recognize enforceArrayLimit\|tryEnforceArrayLimit (the actual functions exported from limit_enforcement_helpers.cjs).

Verification

After remediation, verify by running:

bash scripts/check-safe-outputs-conformance.sh

The script should run all 13 checks to completion, exit with the correct code, and not false-positive on IMP-002 or the utility files in SEC-003.

References

  • Conformance Checker: scripts/check-safe-outputs-conformance.sh
  • Limit enforcement module: actions/setup/js/limit_enforcement_helpers.cjs
  • Permission computation: pkg/workflow/safe_outputs_permissions.go (function: ComputePermissionsForSafeOutputs)
  • Run ID: §22281286232
  • Date: 2026-02-22

Generated by Daily Safe Outputs Conformance Checker

  • expires on Feb 23, 2026, 5:01 PM UTC
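
The failure mode described in this issue, reproduced as an added example that is not part of the original issue or of the project's script. The names run_checks, log_medium_buggy, log_medium_fixed and the three-check loop are constructed for illustration; only the two increment forms come from the issue.

```bash
#!/usr/bin/env bash
# Constructed miniature of a checker run. The child script enables
# set -euo pipefail, logs one MEDIUM finding per check, and reports from an
# EXIT trap how many checks finished before the shell exited.
CHILD_SCRIPT='
set -euo pipefail
logger="$1"            # which logging function to use
MEDIUM_FAILURES=0
completed=0
trap "echo \$completed" EXIT

# Increment as in the issue: exit status 1 when the old value is 0.
log_medium_buggy() {
    echo "[MEDIUM] $1" >&2
    ((MEDIUM_FAILURES++))
}

# Remediated increment: an assignment, exit status 0.
log_medium_fixed() {
    echo "[MEDIUM] $1" >&2
    MEDIUM_FAILURES=$((MEDIUM_FAILURES+1))
}

for check in SEC-001 SEC-002 SEC-003; do
    "$logger" "$check: constructed finding"
    completed=$((completed+1))
done
'

# run_checks <logger-name>
# Runs the child script in a fresh bash and prints
# "completed=<checks finished> exit=<child exit status>".
run_checks() {
    status=0
    completed=$(bash -c "$CHILD_SCRIPT" demo "$1" 2>/dev/null) || status=$?
    echo "completed=$completed exit=$status"
}

run_checks log_medium_buggy
run_checks log_medium_fixed
```

With the buggy logger the run stops inside the first check and exits 1 although only a MEDIUM finding was logged; with the fixed logger all three checks complete and the exit status reflects the script's own logic.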
