From 2215c8e5aac7398c36f775c1a8717124bc39086a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 6 Jan 2026 17:37:28 +0000 Subject: [PATCH] Restrict sanitization to only allow 0-9, a-z, _, -, . Co-authored-by: TingluoHuang <1750815+TingluoHuang@users.noreply.github.com> --- packages/http-client/src/index.ts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/http-client/src/index.ts b/packages/http-client/src/index.ts index d3c2c956..e2e21f57 100644 --- a/packages/http-client/src/index.ts +++ b/packages/http-client/src/index.ts @@ -821,9 +821,9 @@ export class HttpClient { private _getUserAgentWithOrchestrationId(userAgent: string): string { const orchId = process.env['ACTIONS_ORCHESTRATION_ID'] if (orchId) { - // Sanitize the orchestration ID to ensure it contains only valid token characters - // Valid characters: alphanumeric, !, #, $, %, &, ', *, +, -, ., ^, _, `, |, ~ - const sanitizedId = orchId.replace(/[^a-zA-Z0-9!#$%&'*+.^_`|~-]/g, '_') + // Sanitize the orchestration ID to ensure it contains only valid characters + // Valid characters: 0-9, a-z, _, -, . + const sanitizedId = orchId.replace(/[^a-z0-9_.\-]/gi, '_') return `${userAgent} actions_orchestration_id/${sanitizedId}` } return userAgent