fix: sanitize @mentions in create_issue body to close XPIA gap #26589

Merged
pelikhan merged 3 commits into main from copilot/fix-sanitization-in-issue-body
Apr 16, 2026

Conversation

Contributor

Copilot AI commented Apr 16, 2026

create_issue.cjs applied sanitizeTitle to the issue title but passed the AI-generated body directly to the GitHub API — allowing @mentions to produce live notifications. The update path (update_pr_description_helpers.cjs) already calls sanitizeContent on body content; the creation path did not.

Changes

  • create_issue.cjs: Import sanitizeContent from sanitize_content.cjs and apply it to processedBody after removeDuplicateTitleFromDescription but before footer/marker lines are appended — scoping sanitization to AI-generated content only.
// Before
processedBody = removeDuplicateTitleFromDescription(title, processedBody);
const bodyLines = processedBody.split("\n");

// After
processedBody = removeDuplicateTitleFromDescription(title, processedBody);
processedBody = sanitizeContent(processedBody); // neutralizes @mentions, URLs, etc.
const bodyLines = processedBody.split("\n");
  • create_issue.test.cjs: Add "body sanitization" tests asserting @mentions are backtick-escaped in the created issue body and that internal footer markers survive sanitization.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/orgs/test-owner/actions/secrets
    • Triggering command: gh api /orgs/test-owner/actions/secrets --jq .secrets[].name (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command (3 times): gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v9
    • Triggering command (3 times): gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
    • Triggering command: gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
    • Triggering command: gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
    • Triggering command: gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name (http block)
    • Triggering command: gh run download 1 --dir test-logs/run-1 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name (http block)
    • Triggering command: gh run download 12345 --dir test-logs/run-12345 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name (http block)
    • Triggering command: gh run download 12346 --dir test-logs/run-12346 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name (http block)
    • Triggering command: gh run download 2 --dir test-logs/run-2 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name (http block)
    • Triggering command: gh run download 3 --dir test-logs/run-3 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name (http block)
    • Triggering command: gh run download 4 --dir test-logs/run-4 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name (http block)
    • Triggering command: gh run download 5 --dir test-logs/run-5 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: gh workflow list --json name,state,path (http block)
    • Triggering command: gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 (http block)
    • Triggering command: gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 (http block)
  • https://api.github.com/repos/github/gh-aw/contents/.github%2Fworkflows%2Faudit-workflows.md
    • Triggering command: vitest worker process (node /home/REDACTED/.npm/_npx/69c381f8ad94b576/node_modules/vitest/dist/workers/forks.js) (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
    • Triggering command: gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
    • Triggering command: gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
    • Triggering command (3 times): gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
    • Triggering command: gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: gh run view 12345 --repo nonexistent/repo --json status,conclusion (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command (2 times): gh workflow list --json name,state,path --repo owner/repo (http block)
  • https://api.github.com/repos/owner/repo/contents/file.md
    • Triggering command: Go test binary /tmp/go-build2159953492/b400/cli.test -test.testlogfile=/tmp/go-build2159953492/b400/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name (http block)
  • invalid.example.invalid
    • Triggering command: /usr/lib/git-core/git-remote-https origin https://invalid.example.invalid/nonexistent-repo.git (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title [WIP] Fix sanitization issue for @mentions in issue body fix: sanitize @mentions in create_issue body to close XPIA gap Apr 16, 2026
Copilot AI requested a review from szabta89 April 16, 2026 09:25
@github-actions
Contributor

Hey @Copilot 👋 — great catch on the @mention sanitization gap in create_issue.cjs! Ensuring that AI-generated issue bodies don't pass raw mentions to the GitHub API is an important security hardening step.

A few things would help move this from plan to implementation:

  • Complete the implementation: sanitizeContent is not yet imported or called in create_issue.cjs. The body is currently passed through with only sanitizeTitle applied to the title and sanitizeLabelContent applied to labels, leaving the body unsanitized.
  • Add tests: create_issue.test.cjs has no coverage for @mention neutralization in the body. A test verifying that @username patterns in AI-generated body content are sanitized before reaching the GitHub API would close this gap.
  • Run make agent-finish — once the fix and tests are in place, run the validation step to confirm formatting, lint, and all tests pass.

If you'd like a hand, you can assign this prompt to your coding agent:

In actions/setup/js/create_issue.cjs:

1. Import `sanitizeContent` from the appropriate sanitize module (look at how `sanitizeTitle` is imported from `sanitize_title.cjs` as a reference — find where `sanitizeContent` lives).
2. After the `removeDuplicateTitleFromDescription` transformation and before any footer/marker text is appended to `processedBody`, call `sanitizeContent(processedBody)` to neutralize `@mentions` in AI-generated content.

In actions/setup/js/create_issue.test.cjs:

3. Add a test case that passes a body containing `@username` mentions (e.g. "cc `@alice` please review") and verifies that the output body has those mentions neutralized (e.g. converted to `@alice` or similar).

Finally, run `make agent-finish` to validate formatting, lint, and tests before marking the PR ready for review.

Generated by Contribution Check
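The two pieces above (the before/after snippet in the PR description and steps 1-3 of the suggested prompt) describe the same fix: neutralize @mentions in the AI-generated body, and do it before the trusted footer/marker lines are appended. The block below is an added illustration of that ordering and is not the gh-aw project's own sanitize_content.cjs or create_issue.cjs; the function names neutralizeMentions, removeDuplicateTitle and buildIssueBody, the mention regex, the marker comment text and the sample body are all constructed here for the example. The real sanitizeContent also handles URLs and other content, which this example does not attempt.

```javascript
// Added example, not the gh-aw project's code. Names and the sample input are
// constructed for illustration.

// GitHub login: 1-39 chars, alphanumeric or hyphen, not starting with a hyphen.
// The optional "/team-slug" suffix covers team mentions such as @org/on-call.
// The leading group refuses a preceding word char, "`" or "/" so e-mail
// addresses (qa@example.com), paths and already-escaped mentions are skipped.
const MENTION_RE =
  /(^|[^A-Za-z0-9_`\/])@([A-Za-z0-9][A-Za-z0-9-]{0,38}(?:\/[A-Za-z0-9_.-]+)?)(?![A-Za-z0-9_`-])/g;

// Inline code spans and fenced blocks are left untouched so the rewrite never
// breaks existing Markdown code and is idempotent on its own output.
const CODE_SEGMENT_RE = /(```[\s\S]*?```|`[^`\n]*`)/;

// Wrap each live mention in backticks so GitHub renders it as text instead of
// notifying the named user or team.
function neutralizeMentions(text) {
  return text
    .split(CODE_SEGMENT_RE)
    .map((segment, i) =>
      i % 2 === 1 // odd indices are the captured code segments: keep verbatim
        ? segment
        : segment.replace(MENTION_RE, (_m, pre, login) => `${pre}\`@${login}\``)
    )
    .join("");
}

// Drop a leading heading or line that merely repeats the issue title.
function removeDuplicateTitle(title, body) {
  const lines = body.split("\n");
  const first = (lines[0] ?? "").replace(/^#+\s*/, "").trim();
  if (first.toLowerCase() === title.trim().toLowerCase()) {
    lines.shift();
  }
  return lines.join("\n").replace(/^\n+/, "");
}

// Assemble the body in the order the fix prescribes: dedupe the title, sanitize
// the AI-generated text, THEN append trusted footer/marker lines. Sanitization
// is thereby scoped to untrusted content and cannot mangle the markers.
function buildIssueBody(title, aiBody, footerLines = []) {
  let body = removeDuplicateTitle(title, aiBody);
  body = neutralizeMentions(body);
  return [body, ...footerLines].join("\n");
}

// Constructed sample: an AI-produced body that would page real users/teams.
const SAMPLE_TITLE = "Login page throws 500";
const SAMPLE_AI_BODY = [
  "# Login page throws 500",
  "cc @alice and @org/on-call, please look; `@bob` was already escaped.",
  "Repro mail: qa@example.com",
].join("\n");
// Hypothetical marker line of the kind a footer would carry.
const SAMPLE_FOOTER = ["", "<!-- gh-aw-issue-marker: hypothetical -->"];

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildIssueBody(SAMPLE_TITLE, SAMPLE_AI_BODY, SAMPLE_FOOTER));
}
```

Running the file prints the assembled body with `@alice` and `@org/on-call` backtick-wrapped, the already-escaped `@bob` and the e-mail address untouched, and the marker comment intact after the sanitized text. Applying neutralizeMentions a second time changes nothing, which is the property the PR's negative `not.toMatch` assertions are checking for.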

@pelikhan pelikhan marked this pull request as ready for review April 16, 2026 13:33
Copilot AI review requested due to automatic review settings April 16, 2026 13:33
@pelikhan pelikhan merged commit d4e8449 into main Apr 16, 2026
63 of 64 checks passed
@pelikhan pelikhan deleted the copilot/fix-sanitization-in-issue-body branch April 16, 2026 13:33
Contributor

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR closes an XPIA-style gap by sanitizing AI-generated issue bodies before calling the GitHub Issues API, preventing live @mention notifications.

Changes:

  • Sanitize create_issue body content via sanitizeContent() prior to splitting/footers being appended
  • Add tests verifying @mentions are neutralized while footer markers remain intact
  • Update agent status docs and multiple workflow lock files (AWF version/container refs)
Summary per file:

| File | Description |
| --- | --- |
| actions/setup/js/create_issue.cjs | Adds sanitizeContent() to sanitize AI-generated issue bodies before creating the issue |
| actions/setup/js/create_issue.test.cjs | Adds tests ensuring @mentions are neutralized and markers remain present |
| docs/src/content/docs/agent-factory-status.mdx | Updates the workflows status table (new entries + CI Cleaner row change) |
| .github/workflows/workflow-generator.lock.yml | Updates AWF version/container image references and adds a linter-ignore comment |
| .github/workflows/video-analyzer.lock.yml | Updates AWF version/container image references and adds a linter-ignore comment |
| .github/workflows/test-workflow.lock.yml | Updates AWF version/container image references and adds a linter-ignore comment |
| .github/workflows/security-compliance.lock.yml | Updates AWF version/container image references and adds a linter-ignore comment |
| .github/workflows/pr-triage-agent.lock.yml | Updates AWF version/container image references and adds a linter-ignore comment |
| .github/workflows/plan.lock.yml | Updates AWF version/container image references and adds a linter-ignore comment |
| .github/workflows/metrics-collector.lock.yml | Updates AWF version/container image references and adds a linter-ignore comment |
| .github/workflows/gpclean.lock.yml | Updates AWF version/container image references and adds a linter-ignore comment |
| .github/workflows/github-remote-mcp-auth-test.lock.yml | Updates AWF version/container image references and adds a linter-ignore comment |
| .github/workflows/bot-detection.lock.yml | Updates AWF version/container image references and adds a linter-ignore comment |
| .github/workflows/ai-moderator.lock.yml | Updates AWF version/container image references and adds a linter-ignore comment |
| .github/workflows/codex-github-remote-mcp-test.lock.yml | Updates AWF version/container image references and adds a linter-ignore comment |
| .github/workflows/ace-editor.lock.yml | Updates AWF version/container image references and adds a linter-ignore comment |
| .github/workflows/firewall.lock.yml | Updates AWF version/container image references and adds a linter-ignore comment |
| .github/workflows/dev.lock.yml | Updates AWF version/container image references and adds a linter-ignore comment |
| .github/workflows/daily-malicious-code-scan.lock.yml | Updates AWF version/container image references and adds a linter-ignore comment |
| .github/workflows/copilot-pr-merged-report.lock.yml | Updates AWF version/container image references and adds a linter-ignore comment |
| .github/workflows/contribution-check.lock.yml | Updates AWF version/container image references and adds a linter-ignore comment |
| .github/workflows/example-permissions-warning.lock.yml | Updates AWF version/container image references and adds a linter-ignore comment |

Copilot's findings


  • Files reviewed: 62/194 changed files
  • Comments generated: 0

@github-actions github-actions bot mentioned this pull request Apr 16, 2026
@github-actions
Contributor

🧪 Test Quality Sentinel Report

Test Quality Score: 100/100

Excellent test quality

| Metric | Value |
| --- | --- |
| New/modified tests analyzed | 5 |
| ✅ Design tests (behavioral contracts) | 5 (100%) |
| ⚠️ Implementation tests (low value) | 0 (0%) |
| Tests with error/edge cases | 5 (100%) |
| Duplicate test clusters | 0 |
| Test inflation detected | No |
| 🚨 Coding-guideline violations | None |

Test Classification Details

| Test | File | Classification | Issues Detected |
| --- | --- | --- | --- |
| should neutralize @mentions in issue body | actions/setup/js/create_issue.test.cjs:672 | ✅ Design | None — 4 assertions covering both positive and negative regex cases |
| should sanitize @mentions in body but not affect footer markers | actions/setup/js/create_issue.test.cjs:686 | ✅ Design | None — verifies sanitization doesn't over-reach into footer markers |
| should retry issue creation on transient rate limit error and succeed | actions/setup/js/create_issue.test.cjs:709 | ✅ Design | None — verifies observable retry behavior with final success |
| should fail after exhausting retries on persistent rate limit error | actions/setup/js/create_issue.test.cjs:735 | ✅ Design | None — verifies failure path and correct retry count |
| should have retry delays that never exceed maxDelayMs + jitterMs | actions/setup/js/create_issue.test.cjs:753 | ✅ Design | None — verifies observable timing bound via vi.spyOn(globalThis, "setTimeout") |

Highlights

The new tests directly close the behavioral gap described in the PR:

  1. Body sanitization tests (the core fix): Both tests assert on the output of create_issue — they inspect the actual body passed to github.rest.issues.create and verify @malicious-user becomes `@malicious-user`. The negative regex assertions (not.toMatch) are a strong signal that the author thought about bypass patterns (e.g., already-backtick-wrapped mentions). This is textbook behavioral contract testing.

  2. Retry/rate-limit tests: These verify observable retry semantics — call counts, success/failure results, and delay bounds — rather than internal implementation details. Using vi.useFakeTimers() + vi.runAllTimersAsync() is the correct vitest pattern for testing async retry logic.

  3. Mocking is appropriate: All mocks target external I/O (global.github, global.core, global.context, global.exec) — these are the GitHub Actions runtime interfaces, not internal business logic. No internal functions are stubbed.

  4. No test inflation: Test file (790 lines) and production file (818 lines) are near parity (~0.97:1 ratio), well within the 2:1 threshold.


Language Support

Tests analyzed:

  • 🟨 JavaScript (*.test.cjs): 5 tests (vitest)

Verdict

Check passed. 0% of new tests are implementation tests (threshold: 30%). All 5 new tests verify behavioral contracts and include meaningful edge-case/error-path coverage.


📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

  • Assert on observable outputs, return values, or state changes
  • Cover error paths and boundary conditions
  • Would catch a behavioral regression if deleted
  • Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

  • Assert on internal function calls (mocking internals)
  • Only test the happy path with typical inputs
  • Break during legitimate refactoring even when behavior is correct
  • Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

References: §24513186437

Note

🔒 Integrity filter blocked 1 item

The following item was blocked because it doesn't meet the GitHub integrity level.

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

🧪 Test quality analysis by Test Quality Sentinel

Contributor

@github-actions github-actions bot left a comment


✅ Test Quality Sentinel: 100/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). All 5 new tests verify behavioral contracts with meaningful edge-case and error-path coverage.


Development

Successfully merging this pull request may close these issues.

create_issue.cjs: issue body bypasses @mention neutralization — asymmetric sanitization relative to title path