Conformance Check Failure
Check ID: Script Infrastructure Bug
Severity: HIGH
Category: Implementation
Problem Description
The conformance checker script scripts/check-safe-outputs-conformance.sh uses set -euo pipefail alongside ((VAR++)) arithmetic expressions in its logging functions. In bash, the exit status of ((VAR++)) is derived from the value of the expression, which for a post-increment is the old value of VAR. When VAR is 0, the expression evaluates to 0 (falsy) and the command returns exit status 1, causing set -e to terminate the entire script immediately after the first counter increment.
This means the script halts after the first failure is logged — before completing SEC-004, SEC-005, USE-001 through USE-003, REQ-001 through REQ-003, IMP-001 through IMP-003 — and exits with code 1 (indicating HIGH failures) even when no HIGH failures exist, purely due to the arithmetic exit code.
Secondary issues in the same script:
- IMP-002 check searches for computePermissionsForSafeOutputs (camelCase) but the actual exported Go function is ComputePermissionsForSafeOutputs (PascalCase), causing a permanent false positive.
- SEC-003 check applies the max-limit pattern to all *.cjs files (including fuzz harnesses, utility files, and test helpers) rather than scoping to safe-output handlers only. Additionally, the actual limit enforcement functions (enforceArrayLimit, tryEnforceArrayLimit) in limit_enforcement_helpers.cjs are not matched by the check pattern, creating false positives for any file that imports and delegates to that module.
Affected Components
- Files: scripts/check-safe-outputs-conformance.sh (lines 22–40: logging functions; line 92: check_validation_ordering; line 115: check_max_limits; line 344: check_permission_computation)
Current Behavior
# These logging functions exit the script when the counter is 0:
log_medium() {
  echo -e "${YELLOW}[MEDIUM]${NC} $1"
  ((MEDIUM_FAILURES++)) # exits 1 when MEDIUM_FAILURES was 0
}
When log_medium is first called, ((MEDIUM_FAILURES++)) returns exit code 1 (the old value 0 is falsy), and set -e terminates the script. All subsequent checks are skipped, and HIGH/CRITICAL failures go undetected.
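Minimal reproduction of the failure mode above, as an added example that is not taken from scripts/check-safe-outputs-conformance.sh. The run_checks wrapper, the log_medium_buggy/log_medium_fixed names, and the three-check loop are constructed for illustration; the child script requires bash.

```bash
#!/usr/bin/env bash
# Constructed reproduction; run_checks and the log_medium_* names are illustrative.

# Runs three stand-in checks in a child bash under `set -euo pipefail`, logging
# one MEDIUM finding per check through the logger named in $1.
# Prints "<checks completed> <child exit status>".
run_checks() (
  status=0
  out=$(bash -c '
    set -euo pipefail
    MEDIUM_FAILURES=0
    # Post-increment: expression value is the old counter (0), so status is 1.
    log_medium_buggy() { echo "[MEDIUM] $1" >&2; ((MEDIUM_FAILURES++)); }
    # Assignment of an arithmetic expansion: status is 0 for any counter value.
    log_medium_fixed() { echo "[MEDIUM] $1" >&2; MEDIUM_FAILURES=$((MEDIUM_FAILURES+1)); }
    for check in SEC-003 SEC-004 SEC-005; do
      "$1" "$check: constructed finding"
      echo "$check"   # reached only if the logger did not abort the script
    done
  ' demo "$1" 2>/dev/null) || status=$?
  completed=0
  for id in $out; do completed=$((completed+1)); done
  echo "$completed $status"
)

echo "buggy logger: $(run_checks log_medium_buggy)"
echo "fixed logger: $(run_checks log_medium_fixed)"
```

With the post-increment logger the child exits with status 1 before any check completes; with the assignment form all three checks complete and the child exits 0.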
Expected Behavior
All 13 conformance checks (SEC-001 through IMP-003) should run to completion. Counter increments should not cause early termination.
Remediation Steps
This task can be assigned to a Copilot coding agent with the following steps:
- Replace all ((VAR++)) arithmetic expressions in logging functions with VAR=$((VAR+1)) (POSIX-safe increment that always returns exit 0):
  - ((CRITICAL_FAILURES++)) → CRITICAL_FAILURES=$((CRITICAL_FAILURES+1))
  - ((HIGH_FAILURES++)) → HIGH_FAILURES=$((HIGH_FAILURES+1))
  - ((MEDIUM_FAILURES++)) → MEDIUM_FAILURES=$((MEDIUM_FAILURES+1))
  - ((LOW_FAILURES++)) → LOW_FAILURES=$((LOW_FAILURES+1))
  - ((sections_found++)) → sections_found=$((sections_found+1))
- Fix the IMP-002 check (line ~345) to use the correct PascalCase function name: change computePermissionsForSafeOutputs to ComputePermissionsForSafeOutputs.
- Fix the SEC-003 check to exclude non-handler files. Add filter patterns for fuzz harnesses, test files, and utilities (e.g., fuzz_, _helpers, constants, error_, messages, sanitize_), or maintain an explicit allowlist of files that require max limit enforcement.
- Update the SEC-003 check pattern to also recognize enforceArrayLimit\|tryEnforceArrayLimit (the actual functions exported from limit_enforcement_helpers.cjs).
Verification
After remediation, verify by running:
bash scripts/check-safe-outputs-conformance.sh
The script should run all 13 checks to completion, exit with the correct code, and not false-positive on IMP-002 or the utility files in SEC-003.
References
- Conformance Checker: scripts/check-safe-outputs-conformance.sh
- Limit enforcement module: actions/setup/js/limit_enforcement_helpers.cjs
- Permission computation: pkg/workflow/safe_outputs_permissions.go (function: ComputePermissionsForSafeOutputs)
- Run ID: §22281286232
- Date: 2026-02-22
Generated by Daily Safe Outputs Conformance Checker