fix: close XPIA steganographic channel in allowedAliases sanitization path

[Copilot]

Markdown link titles ([text](url "PAYLOAD")) are invisible in GitHub's rendered UI but delivered verbatim to AI model context, creating a persistent cross-prompt injection channel. neutralizeMarkdownLinkTitles was present in sanitizeContentCore but absent from the parallel allowedAliases pipeline in sanitize_content.cjs — meaning any call with allowedAliases (all safe-output write paths) bypassed this control entirely.

Changes

• sanitize_content.cjs: Import neutralizeMarkdownLinkTitles from core and add applyToNonCodeRegions(sanitized, neutralizeMarkdownLinkTitles) to the allowedAliases pipeline, ordered after removeXmlComments and before neutralizeMentions — matching sanitizeContentCore.
• sanitize_content.test.cjs: Three regression tests for the allowedAliases path covering inline titles, reference-style definitions, and @mention-bearing titles.

Before (allowedAliases path):

sanitizeContent('[Result](https://github.com "XPIA: inject")', { allowedAliases: ["author"] })
// → '[Result](https://github.com "XPIA: inject")'  — title preserved, hidden payload persists

After:

sanitizeContent('[Result](https://github.com "XPIA: inject")', { allowedAliases: ["author"] })
// → '[Result (XPIA: inject)](https://github.com)'  — title moved to visible text, no longer steganographic

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• invalid.example.invalid
  • Triggering command: /usr/lib/git-core/git-remote-https /usr/lib/git-core/git-remote-https origin https://invalid.example.invalid/nonexistent-repo.git git conf�� user.name lure tions/setup/js/node_modules/.bin/git -M main tnet/tools/git git init�� --bare --initial-branch=main k/gh-aw/gh-aw/actions/setup/js/node_modules/.bin/git user.name Test User ndor/bin/git git (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Pull request overview

Closes a cross-prompt injection channel where Markdown link titles ([text](url "TITLE")) were not being neutralized when allowedAliases is used, allowing hidden payloads to persist in otherwise “safe output” sanitization paths.

Changes:

• Add neutralizeMarkdownLinkTitles into the allowedAliases sanitization pipeline in sanitize_content.cjs, matching sanitizeContentCore ordering.
• Add regression tests covering inline link titles, reference-style definitions, and titles containing @mentions under the allowedAliases path.

Show a summary per file

File	Description
actions/setup/js/sanitize_content.cjs	Adds markdown link-title neutralization to the allowedAliases branch before mention filtering.
actions/setup/js/sanitize_content.test.cjs	Adds regression tests ensuring link-title neutralization occurs when allowedAliases is specified.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 2/2 changed files
• Comments generated: 1

[Copilot]

The comment says "Remove markdown link titles", but neutralizeMarkdownLinkTitles does not always remove them (inline-link titles are moved into the visible link text, while reference-style titles are stripped). Consider updating the wording to match the function’s behavior (and the more detailed comment in sanitize_content_core.cjs).

Suggested change

	// Remove markdown link titles — a steganographic injection channel analogous to HTML comments.
	// Must run before mention neutralization for the same ordering reason as removeXmlComments.
	// Neutralize markdown link titles as a hidden/steganographic injection channel analogous to
	// HTML comments: inline-link titles are made visible in link text, while reference-style
	// titles are stripped. Must run before mention neutralization for the same ordering reason
	// as removeXmlComments.

[github-actions]

🧪 Test Quality Sentinel Report

Test Quality Score: 80/100

✅ Excellent

Metric	Value
New/modified tests analyzed	3
✅ Design tests (behavioral contracts)	3 (100%)
⚠️ Implementation tests (low value)	0 (0%)
Tests with error/edge cases	3 (100%)
Duplicate test clusters	0
Test inflation detected	⚠️ Yes (25 test lines / 5 production lines = 5:1)
🚨 Coding-guideline violations	None

---

Test Classification Details

View all 3 tests

Test	File	Classification	Issues Detected
should neutralize markdown link titles when allowedAliases is specified (XPIA regression)	sanitize_content.test.cjs	✅ Design	None — explicit regression guard with behavioral assertion
should strip reference-style link titles when allowedAliases is specified	sanitize_content.test.cjs	✅ Design	None — asserts both negative containment and exact output
should neutralize link title @mentions via allowedAliases path without exposing the title steganographically	sanitize_content.test.cjs	✅ Design	None — verifies allowed-alias preservation in visible text

---

Flagged Tests — Requires Review

No tests flagged. All new tests are behavioral contract tests.

Note on test inflation: The test file grew 5× the production file (25 lines vs 5 lines). This is expected and acceptable for security regression tests — they document a vulnerability and require explicit before/after assertions to prevent regressions. The inflation penalty (−10 pts) was applied per rubric, but no manual review is needed.

---

Language Support

Tests analyzed:

• 🟨 JavaScript (*.test.cjs): 3 tests (vitest)

---

Verdict

✅ Check passed. 0% of new tests are implementation tests (threshold: 30%). All 3 new tests are behavioral regression guards that directly assert observable output of sanitizeContent() under the allowedAliases branch — the exact path that previously leaked the XPIA steganographic channel.

References: §24835090389

🧪 Test quality analysis by Test Quality Sentinel · ● 321.5K · ◷

[github-actions]

✅ Test Quality Sentinel: 80/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). All 3 new tests are behavioral regression guards with direct output assertions.

[pelikhan]

@copilot review all comments

[Copilot]

@copilot review all comments

Updated the comment wording in 1e0f7bd to accurately reflect that inline-link titles are moved into visible link text (not removed), while reference-style titles are stripped — matching the suggestion from the review.

[pelikhan]

@copilot merge main and recompile

[Copilot]

@copilot merge main and recompile

Done in d6ff358. Merged main (resolved a comment-only conflict in sanitize_content.cjs), rebuilt the binary, and recompiled workflows. All 369 tests pass.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -embedcfg /tmp/go-build1494851885/b349/embedcfg -pack (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)