From 9b31be5457c81a14cd5230cde80735105b547268 Mon Sep 17 00:00:00 2001
From: Jonathan Agmon
Date: Mon, 23 Mar 2026 17:47:10 +0200
Subject: [PATCH] security: add GitHub token format validation

---
 src/github.rs | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/github.rs b/src/github.rs
index 9dca201..5592fa4 100644
--- a/src/github.rs
+++ b/src/github.rs
@@ -11,6 +11,22 @@ pub struct GitHubClient {
 impl GitHubClient {
 pub fn new(token: Option) -> Result {
+ // Validate token format if provided
+ if let Some(ref t) = token {
+ if !t.is_empty() {
+ // GitHub classic tokens start with 'ghp_'
+ // Fine-grained tokens start with 'github_pat_'
+ // OAuth tokens don't have a specific prefix
+ let is_valid_format = t.starts_with("ghp_") ||
+ t.starts_with("github_pat_") ||
+ t.len() >= 20; // Generic check for reasonable token length
+
+ if !is_valid_format {
+ anyhow::bail!("Invalid GitHub token format. Token should start with 'ghp_' (classic) or 'github_pat_' (fine-grained)");
+ }
+ }
+ }
+
 let mut headers = HeaderMap::new();
 headers.insert(USER_AGENT, HeaderValue::from_static("gh-celebs"));
 headers.insert(ACCEPT, HeaderValue::from_static("application/vnd.github.v3+json"));