
Match GitHub tokens of any length in redaction #3

Merged: rblaine95 merged 2 commits into master from fix/rules-guard-gho-token-length on Jul 1, 2026

Conversation

@rblaine95 rblaine95 commented Jul 1, 2026

Owner

Summary

Fixes a redaction gap discovered live: gh auth token emits a gho_… OAuth token that was not redacted. Root cause was a brittle exact-length quantifier in the GitHub token pattern.

The bug

The pattern required exactly 36 characters after the prefix:

/\bgh[oprsu]_[A-Za-z0-9]{36}\b/g

A token whose body is longer than 36 chars fails the {36}\b anchor and passes through in the clear. GitHub has publicly stated token lengths may grow over time, so an exact length is fragile by design.

The fix

/\bgh[oprsu]_[A-Za-z0-9]{36,}/g

{36,} matches 36-or-more, and dropping the trailing \b (the greedy class already ends the match at the first non-[A-Za-z0-9]) keeps longer tokens fully covered. Verified by probe: gho_ + 36 chars and gho_ + 40 chars both redact to [REDACTED]; ghp_/ghu_/ghs_/ghr_ still covered.

Test

Adds a 40-character gho_ entry to the provider-token redaction suite — the exact case the old {36} pattern let slip.

Scope note

This is source-only. The gap that leaked a real token in-session was compounded by a load boundary: a running omp session keeps the rules-guard copy it loaded at startup, so any fix (this one included) only takes effect after the plugin is reinstalled/updated and the session is restarted.

Verification

  • bun test — 58 pass, 0 fail, 100.00% funcs / 100.00% lines, exit 0.
  • bun typecheck — clean.
  • bunx biome check — clean.
  • Pre-commit hk hooks pass.

Summary by CodeRabbit

  • Bug Fixes
    • Improved secret redaction so GitHub-style provider tokens are more reliably hidden in output, including longer token variants.
    • Expanded coverage for token redaction to ensure newly added token shapes are also masked.

The GitHub token redaction pattern required exactly 36 characters after
the prefix (`gh[oprsu]_[A-Za-z0-9]{36}`), so a longer token slipped
through unredacted. GitHub has stated token lengths may grow over time,
so pin the pattern to 36-or-more (`{36,}`) instead of exactly 36.

Add a regression assertion with a 40-character `gho_` body, which the
old exact-length pattern failed to redact.

Glory to the Omnissiah
coderabbitai Bot commented Jul 1, 2026


Review Change Stack

Warning

Review limit reached

@rblaine95, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 50 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer to the docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 27dffc85-36fb-4216-afdd-a184498e0744

📥 Commits

Reviewing files that changed from the base of the PR and between 2cefff7 and 9159b94.

📒 Files selected for processing (2)
  • extensions/rules-guard/index.test.ts
  • extensions/rules-guard/index.ts
📝 Walkthrough

The GitHub token redaction regex in extensions/rules-guard/index.ts was modified to match tokens with 36 or more characters instead of exactly 36, removing the word-boundary constraint. The corresponding test file was updated to include an additional 40-character gho_ token variant.

Changes

GitHub token redaction fix

Layer / File(s): Regex fix and test coverage (extensions/rules-guard/index.ts, extensions/rules-guard/index.test.ts)
Summary: The token redaction regex now matches gh[oprsu]_[A-Za-z0-9]{36,} (variable length, no word boundary) instead of exactly 36 characters, and the test suite adds a 40-character gho_ token to validate this longer match.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Related Issues: None specified.

Related PRs: None specified.

Suggested labels: bug, security

Suggested reviewers: rblaine95

🐰

A token too long once slipped away,
Now caught by a pattern that lets it stay—
Redacted and safe, whatever the length,
The regex grew wiser, gaining its strength.

🚥 Pre-merge checks: 5 passed
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and accurately summarizes the main change: expanding GitHub token redaction to handle tokens of any length.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


GitHub began rolling out a stateless installation-token format on
2026-04-27: `ghs_APPID_JWT`, a `ghs_`-prefixed JWT that is ~520
characters long and contains underscores and two dots. The single
`gh[oprsu]_[A-Za-z0-9]{36,}` redaction pattern stops at the first
underscore after the app id, so the whole token passed through
unredacted.

Split `ghs_` into its own pattern using GitHub's recommended
`ghs_[A-Za-z0-9._-]{36,}`, which matches both the classic 36-character
form and the new stateless form. The other prefixes (`ghp_`, `gho_`,
`ghu_`, `ghr_`) stay strict so an ordinary token does not consume
trailing prose. A redactor should fail toward over-redaction, so the
broad character class is preferred over a tighter shape that assumes a
numeric app id.

Add regression assertions for both the classic and stateless `ghs_`
shapes.

Glory to the Omnissiah
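The PR's exact-length bug, its `{36,}` fix, and the follow-up `ghs_` split side by side, as an added example that is not the rules-guard plugin's own code. The sample tokens are constructed (non-functional) and the stateless `ghs_` sample is a shortened stand-in for the shape the commit describes; the `leaks` check and `SAMPLES` names are this example's own.

```typescript
// Three generations of the GitHub token pattern from this PR thread.
const OLD_PATTERN = /\bgh[oprsu]_[A-Za-z0-9]{36}\b/g;   // exact length, pre-fix
const FIXED_PATTERN = /\bgh[oprsu]_[A-Za-z0-9]{36,}/g;   // this PR: 36-or-more
// Follow-up commit: strict prefixes unchanged, ghs_ gets the broad class.
const SPLIT_PATTERNS = [
  /\bgh[opru]_[A-Za-z0-9]{36,}/g,
  /\bghs_[A-Za-z0-9._-]{36,}/g,
];

export function redact(text: string, patterns: RegExp[]): string {
  // String.replace resets lastIndex for /g patterns, so reuse is safe.
  return patterns.reduce((acc, p) => acc.replace(p, "[REDACTED]"), text);
}

// Post-redaction check: did any GitHub-style prefix survive?
export function leaks(text: string, patterns: RegExp[]): boolean {
  return /\bgh[oprsu]_[A-Za-z0-9]/.test(redact(text, patterns));
}

// Constructed, non-functional sample tokens; only their shape matters.
export const SAMPLES = {
  gho36: "gho_" + "a".repeat(36),
  gho40: "gho_" + "b".repeat(40),          // the case the old {36}\b let slip
  ghs36: "ghs_" + "c".repeat(36),
  // Shortened stand-in for the stateless installation-token shape
  // (app id, then a dotted JWT); the commit says real ones are ~520 chars.
  ghsStateless:
    "ghs_12345_" + "h".repeat(40) + "." + "p".repeat(60) + "." + "s".repeat(43),
};

// Leak matrix: sample name -> pattern generation -> did it leak?
export function leakMatrix(): Record<string, Record<string, boolean>> {
  const gens: Record<string, RegExp[]> = {
    old: [OLD_PATTERN], fixed: [FIXED_PATTERN], split: SPLIT_PATTERNS,
  };
  const out: Record<string, Record<string, boolean>> = {};
  for (const [name, token] of Object.entries(SAMPLES)) {
    out[name] = {};
    for (const [gen, pats] of Object.entries(gens)) {
      out[name][gen] = leaks(`token=${token} ok`, pats);
    }
  }
  return out;
}

// The trade-off the follow-up notes: the broad ghs_ class also swallows
// punctuation glued to the token (fails toward over-redaction).
export function trailingPeriod(): { strict: string; broad: string } {
  const input = SAMPLES.ghs36 + ".";
  return {
    strict: redact(input, [FIXED_PATTERN]),   // "[REDACTED]."
    broad: redact(input, SPLIT_PATTERNS),     // "[REDACTED]"
  };
}
```

Call `leakMatrix()` to see that only the old pattern leaks the 40-character `gho_` token, and that both pre-split patterns leak the stateless `ghs_` shape.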
@rblaine95 rblaine95 merged commit 3912f80 into master Jul 1, 2026
2 checks passed
@rblaine95 rblaine95 deleted the fix/rules-guard-gho-token-length branch July 1, 2026 12:53