security: add GitHub token format validation

2026-03-23 17:47:10 +02:00
parent 1dbf7e33f9
commit 9b31be5457
1 changed files with 16 additions and 0 deletions
--- a/src/github.rs
+++ b/src/github.rs
@@ -11,6 +11,22 @@ pub struct GitHubClient {

 impl GitHubClient {
    pub fn new(token: Option<String>) -> Result<Self> {
+        // Validate token format if provided
+        if let Some(ref t) = token {
+            if !t.is_empty() {
+                // GitHub classic tokens start with 'ghp_'
+                // Fine-grained tokens start with 'github_pat_'
+                // OAuth tokens don't have a specific prefix
+                let is_valid_format = t.starts_with("ghp_") || 
+                                      t.starts_with("github_pat_") ||
+                                      t.len() >= 20; // Generic check for reasonable token length
+                
+                if !is_valid_format {
+                    anyhow::bail!("Invalid GitHub token format. Token should start with 'ghp_' (classic) or 'github_pat_' (fine-grained)");
+                }
+            }
+        }
+
        let mut headers = HeaderMap::new();
        headers.insert(USER_AGENT, HeaderValue::from_static("gh-celebs"));
        headers.insert(ACCEPT, HeaderValue::from_static("application/vnd.github.v3+json"));