[Safe Outputs Conformance] SEC-004: run_validate_workflows.cjs writes untrusted command output to issue body without sanitization

[github-actions]

Conformance Check Failure

Check ID: SEC-004
Severity: MEDIUM
Category: Security — Content Sanitization Required

Problem Description

actions/setup/js/run_validate_workflows.cjs constructs GitHub issue/comment bodies that embed combinedOutput — the raw stdout+stderr of an external process (gh aw compile --validate ...) — without applying any sanitization function. While the output is enclosed in a triple-backtick block, malformed tool output or injected content could still escape the fence or embed unexpected Markdown/HTML that renders in the GitHub UI.

The Safe Outputs specification (SEC-004) requires that any handler writing a body field to a GitHub API call must sanitize the content before submission.

Affected Components

• File: actions/setup/js/run_validate_workflows.cjs
• Lines: ~114 (body: commentBody) and ~181 (body: issueBody)
• Content source: combinedOutput = (stderr + "\n" + stdout).trim() — raw subprocess output

🔍 Current vs Expected Behavior

Current Behavior

const truncatedOutput = combinedOutput.substring(0, 50000) + ...;
// truncatedOutput is inserted directly into commentBody / issueBody
// with no sanitization call
await github.rest.issues.createComment({ ..., body: commentBody });
await github.rest.issues.create({ ..., body: issueBody });

Expected Behavior

The body content should be sanitized before use, e.g. via a shared sanitization helper that strips or escapes sequences that could break out of code fences, or by replacing backtick sequences that would close the fence prematurely:

const sanitizedOutput = sanitizeBody(truncatedOutput);
// then use sanitizedOutput in commentBody / issueBody

Other handlers in this codebase call a sanitization helper before writing body. This file is missing that step.

Remediation Steps

This task can be assigned to a Copilot coding agent with the following steps:

1. Locate the shared sanitization helper used by other handlers (search for sanitize in actions/setup/js/).
2. Import and apply that helper to truncatedOutput before it is embedded in commentBody and issueBody in run_validate_workflows.cjs.
3. At minimum, escape backtick sequences (```) that could close the code fence prematurely — replace with a visually equivalent but non-closing sequence.
4. If no shared helper exists, create one in a utility module (e.g. sanitize_helpers.cjs) and use it consistently.

Verification

After remediation, verify the fix by running:

bash scripts/check-safe-outputs-conformance.sh

Check SEC-004 should pass without errors.

References

• Safe Outputs Specification: docs/src/content/docs/reference/safe-outputs-specification.md
• Conformance Checker: scripts/check-safe-outputs-conformance.sh
• Run ID: §24317377277
• Date: 2026-04-12

Generated by Daily Safe Outputs Conformance Checker · ● 74.2K · ◷

• expires on Apr 13, 2026, 10:02 PM UTC