
[Safe Outputs Conformance] SEC-005: close_entity_helpers.cjs supports target-repo but lacks cross-repository allowlist validation #25713

@github-actions


Conformance Check Failure

Check ID: SEC-005
Severity: HIGH
Category: Security

Problem Description

actions/setup/js/close_entity_helpers.cjs supports cross-repository operations (references to target-repo, owner, entityRepo) but does not implement an allowlist check before acting on a target repository. Without an allowlist, a malicious or misconfigured actor could direct the handler to close issues or add comments in any accessible repository, not just the intended one.

The conformance check requires one of the following patterns to be present in any handler that supports target-repo:

  • allowed.*[Rr]epos (e.g., allowedRepos)
  • validateTargetRepo
  • checkAllowedRepo

None of these patterns currently exist in the file.

Affected Components

  • Files: actions/setup/js/close_entity_helpers.cjs
  • Check Logic: scripts/check-safe-outputs-conformance.sh, check_cross_repo() function

🔍 Current vs Expected Behavior

Current Behavior

close_entity_helpers.cjs resolves an owner/repo pair for cross-repo targets and calls callbacks.getDetails, callbacks.addComment, and callbacks.closeEntity against that resolved repository without first verifying that the resolved repository is in a permitted allowlist.

Expected Behavior

Before performing any API operation against a target repository, the handler should validate that the resolved owner/repo is present in a configured allowlist (e.g., an environment variable CLOSE_ENTITY_ALLOWED_REPOS or equivalent), rejecting the operation with a clear error if it is not.

Remediation Steps

This task can be assigned to a Copilot coding agent with the following steps:

  1. Define an allowlist environment variable (e.g., CLOSE_ENTITY_ALLOWED_REPOS) that accepts a comma-separated list of owner/repo values. Document it alongside the existing *_TARGET env-var pattern in the file's JSDoc header.
  2. Add a helper function named checkAllowedRepo(owner, repo, allowedRepos) (or validateTargetRepo) that returns { success: false, error: "..." } when the resolved owner/repo is not in the allowlist, and { success: true } otherwise. When the allowlist env-var is empty or unset, the function should permit only the triggering repository (i.e., default-deny cross-repo).
  3. Call checkAllowedRepo immediately after the resolveTarget step in the main processing loop (around line 316), before callbacks.getDetails is invoked.
  4. Emit a core.warning and return early with { success: false } when the check fails, so callers can skip and continue.
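One possible shape for the helper described in steps 1 and 2 above, added here as an illustration and not code from the project's close_entity_helpers.cjs: it parses CLOSE_ENTITY_ALLOWED_REPOS into a set and applies the default-deny rule. The parseAllowedRepos helper, the fourth triggeringRepo parameter and its GITHUB_REPOSITORY default are assumptions of this example, not part of the issue.

```javascript
// Added illustration, not code from close_entity_helpers.cjs: allowlist check
// for a cross-repository target, following steps 1 and 2 of this issue.

// Parse a comma-separated "owner/repo,owner/repo" string (the value of
// CLOSE_ENTITY_ALLOWED_REPOS) into a lower-cased Set. Malformed entries are dropped.
function parseAllowedRepos(raw) {
  const allowed = new Set();
  for (const entry of String(raw || "").split(",")) {
    const candidate = entry.trim().toLowerCase();
    // exactly one slash with a non-empty owner and repo on either side
    if (/^[^\/\s]+\/[^\/\s]+$/.test(candidate)) allowed.add(candidate);
  }
  return allowed;
}

// Validate that owner/repo may be acted on. allowedRepos is the Set from
// parseAllowedRepos; triggeringRepo (assumed here to come from GITHUB_REPOSITORY)
// is the only repository permitted when the allowlist is empty (default-deny).
// Returns { success: true } or { success: false, error }.
function checkAllowedRepo(owner, repo, allowedRepos, triggeringRepo = process.env.GITHUB_REPOSITORY) {
  if (!owner || !repo) {
    return { success: false, error: "Target repository could not be resolved" };
  }
  // Assumption: GitHub owner and repository names compare case-insensitively.
  const target = `${owner}/${repo}`.toLowerCase();
  if (allowedRepos.size === 0) {
    if (triggeringRepo && target === String(triggeringRepo).toLowerCase()) {
      return { success: true };
    }
    return {
      success: false,
      error: `Rejected cross-repository target ${owner}/${repo}: CLOSE_ENTITY_ALLOWED_REPOS is unset (default-deny)`,
    };
  }
  if (allowedRepos.has(target)) {
    return { success: true };
  }
  return {
    success: false,
    error: `Target repository ${owner}/${repo} is not in CLOSE_ENTITY_ALLOWED_REPOS`,
  };
}

if (typeof module !== "undefined") {
  module.exports = { parseAllowedRepos, checkAllowedRepo };
}
```

In the main loop this would be called right after resolveTarget, with a failed result turned into a core.warning and an early return, as steps 3 and 4 describe.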

Verification

After remediation, verify the fix by running:

bash scripts/check-safe-outputs-conformance.sh

Check SEC-005 should show [PASS] instead of [HIGH].

References

  • Safe Outputs Specification: docs/src/content/docs/reference/safe-outputs-specification.md
  • Conformance Checker: scripts/check-safe-outputs-conformance.sh
  • Run ID: 24266157056
  • Date: 2026-04-10

Generated by Daily Safe Outputs Conformance Checker