fix: strip Unicode Tag Characters (U+E0020–U+E007F) in hardenUnicodeText#28059

Merged: pelikhan merged 3 commits into main from copilot/fix-harden-unicode-text on Apr 23, 2026
Conversation

Copilot AI (Contributor) commented Apr 23, 2026

hardenUnicodeText() in sanitize_content_core.cjs omitted the entire Unicode Tag Characters block (U+E0000–U+E007F, Plane 14). These 128 Cf-category codepoints map 1:1 to ASCII (e.g. U+E0041 = TAG LATIN CAPITAL LETTER A), are completely invisible in all standard renderers including GitHub Markdown, and survive both NFKC normalization and the existing allowedAliases branch — allowing a prompt-injected agent to write an invisible-but-fully-decodable payload through the safe-outputs write path.

Changes

  • sanitize_content_core.cjs: hardenUnicodeText() Step 3b: strip the full Tag Characters block using its JavaScript surrogate-pair range:

    // Plane-14 Tag Characters (U+E0000–U+E007F) — invisible ASCII equivalents
    result = result.replace(/\uDB40[\uDC00-\uDC7F]/g, "");
  • sanitize_content.test.cjs: 7 regression tests covering boundary codepoints (U+E0001, U+E0041, U+E007F), a full ASCII payload encoded entirely in Tag Characters, mixed text, adjacent sequences, and the @mention-bypass vector via Tag Character insertion.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

    • Triggering command: /usr/lib/git-core/git-remote-https /usr/lib/git-core/git-remote-https origin https://invalid.example.invalid/nonexistent-repo.git git conf�� --local --get ode_modules/.bin/git 1/x64/lib/node_m/usr/lib/git-core/git git /git git add . git tions/setup/node_modules/.bin/git -M main bin/git git (dns block)

If you need me to access, download, or install something from one of these locations, you can either:
🤖 Smoke CI run 24835338039 completed — 2026-04-23T12:32:53Z

Generated by Smoke CI

These Cf-category codepoints (Plane 14) have exact 1:1 ASCII equivalents
and are completely invisible in all standard renderers including GitHub
Markdown. A prompt-injected agent could encode any payload in Tag Characters
and post it via the safe-outputs write path — it would appear blank to human
reviewers but decode 1:1 for downstream consumers.

Add Step 3b to hardenUnicodeText() that strips the full Tag Characters block
(surrogate pairs \uDB40\uDC00–\uDB40\uDC7F) and add 7 regression tests
covering boundary codepoints, full payload encoding, mixed text, and the
@mention-bypass vector using Tag Characters.

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/a54c95e5-86a7-4979-8835-18ab24cfd2c2

Co-authored-by: szabta89 <1330202+szabta89@users.noreply.github.com>
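To make the mechanism described in the commit message concrete, here is an added example; it is not code from gh-aw or from this PR, and the function names (stripTagChars, encodeAsTagChars, revealTagPayload, findMentions) are hypothetical. It shows that NFKC normalization leaves Tag Characters intact, that the PR's surrogate-pair regex removes exactly the U+E0000–U+E007F block (a neighbouring code point such as U+E0080 is kept), how a defender can decode what a tag-encoded string concealed when triaging a flagged output, and why a plain @mention matcher misses the mention until the tags are stripped. The code-point form of the same regex, /[\u{E0000}-\u{E007F}]/gu, is given as an equivalent that requires the u flag.

```javascript
// Added example (hypothetical helpers, not the project's sanitizer).
// Demonstrates the Plane-14 Tag Characters gap and the fix from the PR.

// Same regex as the PR's Step 3b: U+E0000..U+E007F as UTF-16 surrogate pairs.
// High surrogate 0xDB40 covers U+E0000..U+E03FF; low surrogates 0xDC00..0xDC7F
// select the first 128 code points of that range, i.e. the Tag Characters block.
const TAG_CHARS_RE = /\uDB40[\uDC00-\uDC7F]/g;

// Equivalent code-point form (needs the `u` flag so the class matches by code point).
const TAG_CHARS_RE_U = /[\u{E0000}-\u{E007F}]/gu;

// Constructed test helper: encode an ASCII string as Tag Characters
// (each byte b becomes U+E0000 + b, e.g. "A" -> U+E0041 TAG LATIN CAPITAL LETTER A).
function encodeAsTagChars(ascii) {
  return Array.from(ascii, (ch) => {
    const code = ch.charCodeAt(0);
    if (code > 0x7f) throw new RangeError("Tag Characters only encode ASCII");
    return String.fromCodePoint(0xe0000 + code);
  }).join("");
}

// Defender-side triage: recover the ASCII text that Tag Characters conceal,
// so a reviewer can see what an invisible run actually carried.
function revealTagPayload(text) {
  let out = "";
  for (const ch of text) {           // iterates by code point, not UTF-16 unit
    const cp = ch.codePointAt(0);
    if (cp >= 0xe0000 && cp <= 0xe007f) out += String.fromCharCode(cp - 0xe0000);
  }
  return out;
}

// Detection: how many Tag Characters does the input contain?
function countTagChars(text) {
  return (text.match(TAG_CHARS_RE) || []).length;
}

// Minimal stand-in for a hardening step: NFKC first (as a sanitizer typically does),
// then strip the Tag Characters block. NFKC alone leaves the block untouched.
function stripTagChars(text) {
  return text.normalize("NFKC").replace(TAG_CHARS_RE, "");
}

// Same result using the code-point form of the regex.
function stripTagCharsU(text) {
  return text.normalize("NFKC").replace(TAG_CHARS_RE_U, "");
}

// A naive @mention matcher: one Tag Character between "@" and the name is enough
// to make it miss the mention, which is why stripping must happen before matching.
function findMentions(text) {
  return text.match(/@[A-Za-z0-9_-]+/g) || [];
}

// Stand-alone demonstration on constructed input.
const hidden = "visible " + encodeAsTagChars("hidden") + " text";
console.log("NFKC keeps tags:", countTagChars(hidden.normalize("NFKC")));   // 6
console.log("after strip:", JSON.stringify(stripTagChars(hidden)));          // "visible  text"
console.log("concealed text:", revealTagPayload(hidden));                    // "hidden"
console.log("mentions before/after:",
  findMentions("@\uDB40\uDC41user"), findMentions(stripTagChars("@\uDB40\uDC41user")));
```

The two regexes are interchangeable; the surrogate-pair form works in engines without u-flag support, which is presumably why the PR uses it. Note that the strip removes the whole block from U+E0000, not from U+E0020 as the original describe title said, which is the point of the inline review comment below.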
Copilot AI changed the title [WIP] Fix missing Tag Characters block in hardenUnicodeText function fix: strip Unicode Tag Characters (U+E0020–U+E007F) in hardenUnicodeText Apr 23, 2026
Copilot AI requested a review from szabta89 April 23, 2026 12:34
@pelikhan pelikhan marked this pull request as ready for review April 23, 2026 12:46
Copilot AI review requested due to automatic review settings April 23, 2026 12:46
Contributor

Copilot AI left a comment

Pull request overview

Fixes a Unicode sanitization gap where Plane-14 Unicode Tag Characters (invisible ASCII-equivalent codepoints) could bypass hardenUnicodeText() and carry invisible payloads through sanitized output paths.

Changes:

  • Strip Plane-14 Unicode Tag Characters (U+E0000–U+E007F) in hardenUnicodeText() via a surrogate-pair regex.
  • Add regression tests covering boundary tag codepoints, full tag-encoded ASCII payloads, mixed/adjacent sequences, and an @mention-bypass vector.
Summary per file:

  • actions/setup/js/sanitize_content_core.cjs: Adds a hardening step to remove Plane-14 Tag Characters using a surrogate-pair range.
  • actions/setup/js/sanitize_content.test.cjs: Adds targeted tests ensuring tag characters are removed and can’t bypass @mention neutralization.

Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 1

Comment on lines +1748 to +1756

    describe("Unicode Tag Characters removal (U+E0020–U+E007F, Plane 14)", () => {
      it("should strip a single Tag Characters codepoint (U+E0041 = TAG LATIN CAPITAL LETTER A)", () => {
        // \uDB40\uDC41 is the surrogate pair for U+E0041
        const input = "Hello\uDB40\uDC41World";
        expect(sanitizeContent(input)).toBe("HelloWorld");
      });

      it("should strip LANGUAGE TAG (U+E0001) at the boundary of the Tag block", () => {
        // \uDB40\uDC01 is the surrogate pair for U+E0001
Copilot AI Apr 23, 2026

The describe block title says “U+E0020–U+E007F”, but the implementation (and the tests in this block) cover the full Plane-14 Tag range U+E0000–U+E007F (e.g., the LANGUAGE TAG test uses U+E0001). Please update the description to match the actual stripped range to avoid confusion when debugging future regressions.

@github-actions github-actions Bot mentioned this pull request Apr 23, 2026
@github-actions
Contributor

🧪 Test Quality Sentinel Report

Test Quality Score: 90/100

Excellent test quality

  • New/modified tests analyzed: 7
  • ✅ Design tests (behavioral contracts): 7 (100%)
  • ⚠️ Implementation tests (low value): 0 (0%)
  • Tests with error/edge cases: 7 (100%)
  • Duplicate test clusters: 0
  • Test inflation detected: ⚠️ Yes (50 test lines / 8 prod lines ≈ 6.25:1 ratio)
  • 🚨 Coding-guideline violations: None

Test Classification Details

All seven tests are in sanitize_content.test.cjs and classified ✅ Design:

  • should strip a single Tag Characters codepoint (U+E0041): Boundary value, verifies observable output
  • should strip LANGUAGE TAG (U+E0001) at the boundary: Lower-boundary codepoint, verifies observable output
  • should strip CANCEL TAG (U+E007F) at the upper boundary: Upper-boundary codepoint, verifies observable output
  • should strip a full ASCII string encoded in Tag Characters — invisible payload attack: Real attack vector, full invisible-payload scenario
  • should strip Tag Characters mixed with normal ASCII text: Mixed-content edge case, verifies non-tag chars are preserved
  • should strip multiple adjacent Tag Characters: Multiple consecutive surrogates, verifies empty output
  • should neutralize @mention bypass using Tag Characters between @ and username: Security invariant, @mention detection bypass prevention

Flagged Tests — Requires Review

⚠️ Test Inflation — sanitize_content.test.cjs

Issue: 50 lines added to the test file vs 8 lines added to the production file — a ratio of ~6.25:1, exceeding the 2:1 threshold.

Context: This is a low-severity flag in this case. The production change is a single targeted regex line, while the tests rightly cover multiple boundary conditions, attack vectors, and surrogate-pair edge cases. The inflation is justified by the security-sensitive nature of the feature.

Suggestion: No action required. The breadth of coverage is appropriate for a security fix touching invisible-character sanitization.
Language Support

Tests analyzed:

  • 🐹 Go (*_test.go): 0 tests
  • 🟨 JavaScript (*.test.cjs): 7 tests (vitest)

Verdict

Check passed. 0% of new tests are implementation tests (threshold: 30%). All 7 new tests verify observable behavioral contracts with strong edge-case and boundary coverage. The test inflation flag is technical but contextually justified for security-focused sanitization tests.
📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

  • Assert on observable outputs, return values, or state changes
  • Cover error paths and boundary conditions
  • Would catch a behavioral regression if deleted
  • Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

  • Assert on internal function calls (mocking internals)
  • Only test the happy path with typical inputs
  • Break during legitimate refactoring even when behavior is correct
  • Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

🧪 Test quality analysis by Test Quality Sentinel

Contributor

@github-actions github-actions Bot left a comment


✅ Test Quality Sentinel: 90/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). All 7 new tests verify observable behavioral contracts covering boundary codepoints, attack vectors, and mixed-content edge cases.

@pelikhan
Collaborator

@copilot review all comments

Contributor Author

Copilot AI commented Apr 23, 2026

@copilot review all comments

Fixed in 0f47b56 — updated the describe block title from "U+E0020–U+E007F" to "U+E0000–U+E007F" to accurately reflect the full Plane-14 Tag range being stripped.

Copilot AI requested a review from pelikhan April 23, 2026 13:24
@github-actions
Contributor

Hey @Copilot 👋 — great work patching the Unicode Tag Characters gap in hardenUnicodeText()! Closing off that invisible ASCII-equivalent injection vector is an important security hardening step.

This PR looks well-structured: the fix is tightly scoped to the missing surrogate-pair range, and the test suite covers boundary values, mixed-text scenarios, and the @mention bypass case comprehensively. Nothing to flag here — this is ready for maintainer review. 🟢

Generated by Contribution Check

@github-actions github-actions Bot added the lgtm label Apr 23, 2026
@pelikhan pelikhan merged commit 5291662 into main Apr 23, 2026
@pelikhan pelikhan deleted the copilot/fix-harden-unicode-text branch April 23, 2026 13:27