🔒 Fix potential header injection vulnerability in GitHub API

[is0692vs]

🔒 HTTPヘッダーインジェクションの脆弱性修正

🎯 What:
src/lib/githubViewer.ts と src/lib/github.ts において、セッショントークンを検証せずに直接 fetch 呼び出しの Authorization ヘッダーに渡していた脆弱性を修正しました。

⚠️ Risk:
不適切なトークン検証により、攻撃者がトークン内に \r\n（CRLF）などの改行文字を含めることで、HTTPヘッダーインジェクションやSSRF（Server-Side Request Forgery）攻撃を引き起こす可能性がありました。これにより、任意のAPIリクエストが実行されたり、セッションハイジャックのリスクが生じる恐れがありました。

🛡️ Solution:
APIを呼び出す前に、提供されたトークンが標準のGitHubトークン形式（英数字、ハイフン、アンダースコア、等号のみ）に一致するかを検証する正規表現チェック（/^[A-Za-z0-9_=-]+$/）を追加しました。無効なフォーマットの場合は、APIリクエストを行う前に GitHubApiError がスローされます。

---

PR created automatically by Jules for task 15995715561875187361 started by @is0692vs

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
github-user-summary	Ready	Preview, Comment	Mar 21, 2026 4:45am

[coderabbitai]

Warning

Rate limit exceeded

@is0692vs has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 23 minutes and 51 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 73b6eff7-1043-4e4e-aa99-a74837ed1eb2

📥 Commits

Reviewing files that changed from the base of the PR and between 87d145d and 26fe82d.

📒 Files selected for processing (3)

• pr_description.md
• src/lib/github.ts
• src/lib/githubViewer.ts

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix-github-token-header-injection-15995715561875187361

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[is0692vs]

レビュー内容を整理します。

• 現時点で要約対象の review body / inline 指摘は見当たりませんでした。
• コメント欄は bot 通知中心でした。

[google-labs-jules]

レビュー内容を整理します。

• 現時点で要約対象の review body / inline 指摘は見当たりませんでした。
• コメント欄は bot 通知中心でした。

了解しました。ボットのサマリー通知ですね。

[is0692vs]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.