Skip to content

fix regex for checking github fine-grained tokens #130

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tstromberg merged 2 commits into from
Apr 8, 2026
+10 −5
Merged

fix regex for checking github fine-grained tokens #130

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f6849d5
fix regex for checking github fine-grained tokens
prezha Apr 5, 2026
c4a2377
Update cmd/reviewGOOSE/security_test.go
prezha Apr 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions cmd/reviewGOOSE/security.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,8 @@ var (
// githubTokenRegex validates GitHub token format.
// Classic tokens: 40 hex chars.
// New tokens: ghp_ (personal), ghs_ (server), ghr_ (refresh), gho_ (OAuth), ghu_ (user-to-server) followed by base62 chars.
// Fine-grained tokens: github_pat_ followed by base62 chars.
githubTokenRegex = regexp.MustCompile(`^[a-f0-9]{40}$|^gh[psoru]_[A-Za-z0-9]{36,251}$|^github_pat_[A-Za-z0-9]{82}$`)
// Fine-grained tokens: github_pat_ followed by 22 base62 chars, underscore, and 59 base62 chars.
githubTokenRegex = regexp.MustCompile(`^[a-f0-9]{40}$|^gh[psoru]_[A-Za-z0-9]{36,251}$|^github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}$`)
)

// validateGitHubUsername validates a GitHub username.
Expand Down Expand Up @@ -80,7 +80,7 @@ func sanitizeForLog(s string) string {
// New format tokens (ghp_, ghs_, ghr_, gho_, ghu_)
s = regexp.MustCompile(`\bgh[psoru]_[A-Za-z0-9]{36,251}\b`).ReplaceAllString(s, "[REDACTED-TOKEN]")
// Fine-grained personal access tokens
s = regexp.MustCompile(`\bgithub_pat_[A-Za-z0-9]{82}\b`).ReplaceAllString(s, "[REDACTED-TOKEN]")
s = regexp.MustCompile(`\bgithub_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}\b`).ReplaceAllString(s, "[REDACTED-TOKEN]")
// Bearer tokens in headers
s = regexp.MustCompile(`Bearer [A-Za-z0-9_\-.]+`).ReplaceAllString(s, "Bearer [REDACTED]")
// Authorization headers
Expand Down
9 changes: 7 additions & 2 deletions cmd/reviewGOOSE/security_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -138,11 +138,16 @@ func TestValidateGitHubToken(t *testing.T) {
},
{
name: "fine-grained PAT",
token: "github_pat_" + strings.Repeat("a", 82),
token: "github_pat_" + strings.Repeat("a", 22) + "_" + strings.Repeat("b", 59),
wantErr: false,
},

// Invalid tokens
{
name: "fine-grained PAT",
token: "github_pat_" + strings.Repeat("a", 82),
wantErr: true,
},
{
name: "empty string",
token: "",
Expand Down Expand Up @@ -223,7 +228,7 @@ func TestSanitizeForLog(t *testing.T) {
},
{
name: "fine-grained PAT redacted",
input: "token=github_pat_" + strings.Repeat("b", 82),
input: "token=github_pat_" + strings.Repeat("a", 22) + "_" + strings.Repeat("b", 59),
wantHide: true,
},
{
Expand Down
Loading