fix: remove all typeof core guards from sanitize_content_core.cjs

Copilot · pelikhan · web-flow · commit fd30d3e6bda9 · 2026-04-27T16:28:45.000Z
A shim is always loaded in Node.js environments, so the guards are unnecessary. Removed all 13 remaining typeof core !== "undefined" guard wrappers across the file (URL redaction, mention escaping, template delimiter detection, GitHub reference filtering). Agent-Logs-Url: https://github.com/github/gh-aw/sessions/d67f99b2-824d-43ca-a316-13659e8da6a5 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
diff --git a/actions/setup/js/sanitize_content_core.cjs b/actions/setup/js/sanitize_content_core.cjs
@@ -208,12 +208,8 @@ function sanitizeUrlProtocols(s) {
       const domainLower = domain.toLowerCase();
       const sanitized = sanitizeDomainName(domainLower);
       const truncated = domainLower.length > 12 ? domainLower.substring(0, 12) + "..." : domainLower;
-      if (typeof core !== "undefined" && core.info) {
-        core.info(`Redacted URL: ${truncated}`);
-      }
-      if (typeof core !== "undefined" && core.debug) {
-        core.debug(`Redacted URL (full): ${match}`);
-      }
+      core.info(`Redacted URL: ${truncated}`);
+      core.debug(`Redacted URL (full): ${match}`);
       addRedactedDomain(domainLower);
       // Return sanitized domain format
       return sanitized ? `(${sanitized}/redacted)` : "(redacted)";
@@ -224,12 +220,8 @@ function sanitizeUrlProtocols(s) {
         const protocol = protocolMatch[1] + ":";
         // Truncate the matched URL for logging (keep first 12 chars + "...")
         const truncated = match.length > 12 ? match.substring(0, 12) + "..." : match;
-        if (typeof core !== "undefined" && core.info) {
-          core.info(`Redacted URL: ${truncated}`);
-        }
-        if (typeof core !== "undefined" && core.debug) {
-          core.debug(`Redacted URL (full): ${match}`);
-        }
+        core.info(`Redacted URL: ${truncated}`);
+        core.debug(`Redacted URL (full): ${match}`);
         addRedactedDomain(protocol);
       }
       return "(redacted)";
@@ -288,12 +280,8 @@ function sanitizeUrlDomains(s, allowed) {
       // Redact the domain but preserve the protocol and structure for debugging
       const sanitized = sanitizeDomainName(hostname);
       const truncated = hostname.length > 12 ? hostname.substring(0, 12) + "..." : hostname;
-      if (typeof core !== "undefined" && core.info) {
-        core.info(`Redacted URL: ${truncated}`);
-      }
-      if (typeof core !== "undefined" && core.debug) {
-        core.debug(`Redacted URL (full): ${match}`);
-      }
+      core.info(`Redacted URL: ${truncated}`);
+      core.debug(`Redacted URL (full): ${match}`);
       addRedactedDomain(hostname);
       // Return sanitized domain format
       return sanitized ? `(${sanitized}/redacted)` : "(redacted)";
@@ -356,9 +344,7 @@ function neutralizeAllMentions(s) {
   // This prevents bypass patterns like "test_@user" from escaping sanitization
   return s.replace(/(^|[^A-Za-z0-9`])@([A-Za-z0-9](?:[A-Za-z0-9_-]{0,37}[A-Za-z0-9])?(?:\/[A-Za-z0-9._-]+)?)/g, (m, p1, p2) => {
     // Log when a mention is escaped to help debug issues
-    if (typeof core !== "undefined" && core.info) {
-      core.info(`Escaped mention: @${p2} (not in allowed list)`);
-    }
+    core.info(`Escaped mention: @${p2} (not in allowed list)`);
     return `${p1}\`@${p2}\``;
   });
 }
@@ -771,9 +757,7 @@ function neutralizeTemplateDelimiters(s) {
     if (/\{\{/.test(result)) {
       if (!detectedTypes.has("jinja2")) {
         detectedTypes.add("jinja2");
-        if (typeof core !== "undefined" && core.info) {
-          core.info("Template syntax detected: Jinja2/Liquid double braces {{");
-        }
+        core.info("Template syntax detected: Jinja2/Liquid double braces {{");
       }
       result = result.replace(/\{\{/g, "\\{\\{");
     }
@@ -783,9 +767,7 @@ function neutralizeTemplateDelimiters(s) {
     if (/<%=/.test(result)) {
       if (!detectedTypes.has("erb")) {
         detectedTypes.add("erb");
-        if (typeof core !== "undefined" && core.info) {
-          core.info("Template syntax detected: ERB delimiter <%=");
-        }
+        core.info("Template syntax detected: ERB delimiter <%=");
       }
       result = result.replace(/<%=/g, "\\<%=");
     }
@@ -795,9 +777,7 @@ function neutralizeTemplateDelimiters(s) {
     if (/\$\{/.test(result)) {
       if (!detectedTypes.has("js")) {
         detectedTypes.add("js");
-        if (typeof core !== "undefined" && core.info) {
-          core.info("Template syntax detected: JavaScript template literal ${");
-        }
+        core.info("Template syntax detected: JavaScript template literal ${");
       }
       result = result.replace(/\$\{/g, "\\$\\{");
     }
@@ -807,9 +787,7 @@ function neutralizeTemplateDelimiters(s) {
     if (/\{#/.test(result)) {
       if (!detectedTypes.has("jinja2comment")) {
         detectedTypes.add("jinja2comment");
-        if (typeof core !== "undefined" && core.info) {
-          core.info("Template syntax detected: Jinja2 comment {#");
-        }
+        core.info("Template syntax detected: Jinja2 comment {#");
       }
       result = result.replace(/\{#/g, "\\{\\#");
     }
@@ -819,9 +797,7 @@ function neutralizeTemplateDelimiters(s) {
     if (/\{%/.test(result)) {
       if (!detectedTypes.has("jekyll")) {
         detectedTypes.add("jekyll");
-        if (typeof core !== "undefined" && core.info) {
-          core.info("Template syntax detected: Jekyll/Liquid directive {%");
-        }
+        core.info("Template syntax detected: Jekyll/Liquid directive {%");
       }
       result = result.replace(/\{%/g, "\\{\\%");
     }
@@ -834,7 +810,7 @@ function neutralizeTemplateDelimiters(s) {
   const result = applyToNonCodeRegions(s, escapeInText);
 
   // Log a summary warning if any template patterns were detected
-  if (detectedTypes.size > 0 && typeof core !== "undefined" && core.warning) {
+  if (detectedTypes.size > 0) {
     core.warning(
       "Template-like syntax detected and escaped. " +
         "This is a defense-in-depth measure to prevent potential template injection " +
@@ -859,19 +835,15 @@ function buildAllowedGitHubReferences() {
   }
 
   if (allowedRefsEnv === "") {
-    if (typeof core !== "undefined" && core.info) {
-      core.info("GitHub reference filtering: all references will be escaped (GH_AW_ALLOWED_GITHUB_REFS is empty)");
-    }
+    core.info("GitHub reference filtering: all references will be escaped (GH_AW_ALLOWED_GITHUB_REFS is empty)");
     return []; // Empty array means escape all references
   }
 
   const refs = allowedRefsEnv
     .split(",")
     .map(ref => ref.trim().toLowerCase())
     .filter(ref => ref);
-  if (typeof core !== "undefined" && core.info) {
-    core.info(`GitHub reference filtering: allowed repos = ${refs.join(", ")}`);
-  }
+  core.info(`GitHub reference filtering: allowed repos = ${refs.join(", ")}`);
   return refs;
 }
 
@@ -931,9 +903,7 @@ function neutralizeGitHubReferences(s, allowedRepos) {
       const refText = owner && repo ? `${owner}/${repo}#${issueNum}` : `#${issueNum}`;
 
       // Log when a reference is escaped
-      if (typeof core !== "undefined" && core.info) {
-        core.info(`Escaped GitHub reference: ${refText} (not in allowed list)`);
-      }
+      core.info(`Escaped GitHub reference: ${refText} (not in allowed list)`);
 
       return `${prefix}\`${refText}\``;
     }
