chore: Sanitize titles for Slack notification (#716)

chore: Sanitize titles for Slack notification

- Avoid injection attacks by adding basic user input sanitation
- Update dist/index.js due to failing build

.github/workflows/notifications.yml

@@ -13,6 +13,43 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - uses: actions/github-script@v7
+        id: sanitize-title
+        with:
+          script: |
+            const isPR = !!context.payload.pull_request;
+            const isIssue = !!context.payload.issue;
+            const item = isPR ? context.payload.pull_request : isIssue ? context.payload.issue : context.payload.issue_comment.issue;
+            
+            // Sanitization functions
+            const sanitizeTitle = (title) => {
+              return title
+                // Remove potential markdown formatting
+                .replace(/[*_~`]/g, '')
+                // Remove potential HTML tags
+                .replace(/<[^>]*>/g, '')
+                // Remove multiple spaces
+                .replace(/\s{2,}/g, ' ')
+                // Trim whitespace
+                .trim()
+                // Enforce max length of 100
+                .substring(0, 100);
+            };
+            
+            // Escape special characters for Slack
+            const escapeForSlack = (text) => {
+              return text
+                .replace(/&/g, '&amp;')
+                .replace(/</g, '&lt;')
+                .replace(/[@]/g, '\\@')
+                .replace(/>/g, '&gt;')
+                .replace(/&amp;lt;/g, '&lt;')
+                .replace(/&amp;gt;/g, '&gt;');
+            };
+
+            const sanitizedTitle = escapeForSlack(sanitizeTitle(item.title));
+            console.log('Sanitized Title: ', sanitizedTitle);
+            core.setOutput('safe-title', sanitizedTitle);
       - name: Send notifications on Pull Request
         if: ${{ github.event_name == 'pull_request'}}
         id: slack_PR
@@ -23,7 +60,7 @@ jobs:
               "Notification Type": "Pull Request",
               "Notification URL":"${{ github.event.pull_request.html_url }}",
               "GitHub Repo": "${{ github.repository }}",
-              "Notification Title": "${{ github.event.pull_request.title }}"
+              "Notification Title": "${{ steps.sanitize-title.outputs.safe-title }}"
             }
         env:
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
@@ -37,7 +74,7 @@ jobs:
               "Notification Type": "Issue",
               "Notification URL":"${{ github.event.issue.html_url }}",
               "GitHub Repo": "${{ github.repository }}",
-              "Notification Title": "${{ github.event.issue.title }}"
+              "Notification Title": "${{ steps.sanitize-title.outputs.safe-title }}"
             }
         env:
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
@@ -51,7 +88,7 @@ jobs:
               "Notification Type": "Issue comment",
               "Notification URL":"${{ github.event.comment.html_url }}",
               "GitHub Repo": "${{ github.repository }}",
-              "Notification Title": "${{ github.event.issue_comment.issue.title }}"
+              "Notification Title": "${{ steps.sanitize-title.outputs.safe-title }}"
             }
         env:
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

dist/index.js

@@ -78456,6 +78456,14 @@ const { isUint8Array, isArrayBuffer } = __nccwpck_require__(98253)
 const { File: UndiciFile } = __nccwpck_require__(63041)
 const { parseMIMEType, serializeAMimeType } = __nccwpck_require__(94322)
 
+let random
+try {
+  const crypto = __nccwpck_require__(77598)
+  random = (max) => crypto.randomInt(0, max)
+} catch {
+  random = (max) => Math.floor(Math.random(max))
+}
+
 let ReadableStream = globalThis.ReadableStream
 
 /** @type {globalThis['File']} */
@@ -78541,7 +78549,7 @@ function extractBody (object, keepalive = false) {
     // Set source to a copy of the bytes held by object.
     source = new Uint8Array(object.buffer.slice(object.byteOffset, object.byteOffset + object.byteLength))
   } else if (util.isFormDataLike(object)) {
-    const boundary = `----formdata-undici-0${`${Math.floor(Math.random() * 1e11)}`.padStart(11, '0')}`
+    const boundary = `----formdata-undici-0${`${random(1e11)}`.padStart(11, '0')}`
     const prefix = `--${boundary}\r\nContent-Disposition: form-data`
 
     /*! formdata-polyfill. MIT License. Jimmy Wärting <https://jimmy.warting.se/opensource> */
@@ -93357,6 +93365,14 @@ module.exports = require("node:buffer");
 
 /***/ }),
 
+/***/ 77598:
+/***/ ((module) => {
+
+"use strict";
+module.exports = require("node:crypto");
+
+/***/ }),
+
 /***/ 78474:
 /***/ ((module) => {