Match GitHub tokens of any length in redaction#3
Conversation
The GitHub token redaction pattern required exactly 36 characters after
the prefix (`gh[oprsu]_[A-Za-z0-9]{36}`), so a longer token slipped
through unredacted. GitHub has stated token lengths may grow over time,
so pin the pattern to 36-or-more (`{36,}`) instead of exactly 36.
Add a regression assertion with a 40-character `gho_` body, which the
old exact-length pattern failed to redact.
Glory to the Omnissiah
|
Warning Review limit reached
Next review available in: 50 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughThe GitHub token redaction regex in extensions/rules-guard/index.ts was modified to match tokens with 36 or more characters instead of exactly 36, removing the word-boundary constraint. The corresponding test file was updated to include an additional 40-character gho_ token variant. ChangesGitHub token redaction fix
Estimated code review effort: 1 (Trivial) | ~3 minutes Related Issues: None specified. Related PRs: None specified. Suggested labels: bug, security Suggested reviewers: rblaine95 🐰
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
GitHub began rolling out a stateless installation-token format on
2026-04-27: `ghs_APPID_JWT`, a `ghs_`-prefixed JWT that is ~520
characters long and contains underscores and two dots. The single
`gh[oprsu]_[A-Za-z0-9]{36,}` redaction pattern stops at the first
underscore after the app id, so the whole token passed through
unredacted.
Split `ghs_` into its own pattern using GitHub's recommended
`ghs_[A-Za-z0-9._-]{36,}`, which matches both the classic 36-character
form and the new stateless form. The other prefixes (`ghp_`, `gho_`,
`ghu_`, `ghr_`) stay strict so an ordinary token does not consume
trailing prose. A redactor should fail toward over-redaction, so the
broad character class is preferred over a tighter shape that assumes a
numeric app id.
Add regression assertions for both the classic and stateless `ghs_`
shapes.
Glory to the Omnissiah
Summary
Fixes a redaction gap discovered live:
gh auth tokenemits agho_…OAuth token that was not redacted. Root cause was a brittle exact-length quantifier in the GitHub token pattern.The bug
The pattern required exactly 36 characters after the prefix:
A token whose body is longer than 36 chars fails the
{36}\banchor and passes through in the clear. GitHub has publicly stated token lengths may grow over time, so an exact length is fragile by design.The fix
{36,}matches 36-or-more, and dropping the trailing\b(the greedy class already ends the match at the first non-[A-Za-z0-9]) keeps longer tokens fully covered. Verified by probe:gho_+ 36 chars andgho_+ 40 chars both redact to[REDACTED];ghp_/ghu_/ghs_/ghr_still covered.Test
Adds a 40-character
gho_entry to the provider-token redaction suite — the exact case the old{36}pattern let slip.Scope note
This is source-only. The gap that leaked a real token in-session was compounded by a load boundary: a running omp session keeps the rules-guard copy it loaded at startup, so any fix (this one included) only takes effect after the plugin is reinstalled/updated and the session is restarted.
Verification
bun test— 58 pass, 0 fail, 100.00% funcs / 100.00% lines, exit 0.bun typecheck— clean.bunx biome check— clean.hkhooks pass.Summary by CodeRabbit