Add GHA & linting (missing files)

tstromberg · tstromberg · commit de610a02be63 · 2025-08-12T15:38:05.000-04:00
diff --git a/ratelimit.go b/ratelimit.go
@@ -0,0 +1,58 @@
+// Package main - ratelimit.go provides rate limiting functionality.
+package main
+
+import (
+	"sync"
+	"time"
+)
+
+// RateLimiter implements a simple token bucket rate limiter.
+type RateLimiter struct {
+	lastRefill time.Time
+	mu         sync.Mutex
+	refillRate time.Duration
+	tokens     int
+	maxTokens  int
+}
+
+// NewRateLimiter creates a new rate limiter.
+func NewRateLimiter(maxTokens int, refillRate time.Duration) *RateLimiter {
+	return &RateLimiter{
+		tokens:     maxTokens,
+		maxTokens:  maxTokens,
+		refillRate: refillRate,
+		lastRefill: time.Now(),
+	}
+}
+
+// Allow checks if an operation is allowed under the rate limit.
+func (r *RateLimiter) Allow() bool {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	// Refill tokens based on elapsed time
+	now := time.Now()
+	elapsed := now.Sub(r.lastRefill)
+	tokensToAdd := int(elapsed / r.refillRate)
+
+	if tokensToAdd > 0 {
+		r.tokens = minInt(r.tokens+tokensToAdd, r.maxTokens)
+		r.lastRefill = now
+	}
+
+	// Check if we have tokens available
+	if r.tokens > 0 {
+		r.tokens--
+		return true
+	}
+
+	return false
+}
+
+// minInt returns the minimum of two integers.
+func minInt(a, b int) int {
+	if a < b {
+		return a
+	}
+	return b
+}
diff --git a/security.go b/security.go
@@ -0,0 +1,117 @@
+// Package main - security.go provides security utilities and validation functions.
+package main
+
+import (
+	"errors"
+	"fmt"
+	"regexp"
+	"strings"
+)
+
+const (
+	// Security constants.
+	minTokenLength   = 40   // GitHub tokens are at least 40 chars
+	maxTokenLength   = 255  // Reasonable upper bound
+	maxUsernameLen   = 39   // GitHub username max length
+	maxURLLength     = 2048 // Maximum URL length
+	minPrintableChar = 0x20 // Minimum printable character
+	deleteChar       = 0x7F // Delete character
+)
+
+var (
+	// githubUsernameRegex validates GitHub usernames.
+	// GitHub usernames can only contain alphanumeric characters and hyphens,
+	// cannot start or end with hyphen, and max 39 characters.
+	githubUsernameRegex = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9-]{0,37}[a-zA-Z0-9]$|^[a-zA-Z0-9]$`)
+
+	// githubTokenRegex validates GitHub token format.
+	// Classic tokens: 40 hex chars.
+	// New tokens: ghp_ (personal), ghs_ (server), ghr_ (refresh), gho_ (OAuth), ghu_ (user-to-server) followed by base62 chars.
+	// Fine-grained tokens: github_pat_ followed by base62 chars.
+	githubTokenRegex = regexp.MustCompile(`^[a-f0-9]{40}$|^gh[psoru]_[A-Za-z0-9]{36,251}$|^github_pat_[A-Za-z0-9]{82}$`)
+)
+
+// validateGitHubUsername validates a GitHub username.
+func validateGitHubUsername(username string) error {
+	if username == "" {
+		return errors.New("username cannot be empty")
+	}
+	if len(username) > maxUsernameLen {
+		return fmt.Errorf("username too long: %d > %d", len(username), maxUsernameLen)
+	}
+	if !githubUsernameRegex.MatchString(username) {
+		return fmt.Errorf("invalid GitHub username format: %s", username)
+	}
+	return nil
+}
+
+// validateGitHubToken performs basic validation on a GitHub token.
+func validateGitHubToken(token string) error {
+	if token == "" {
+		return errors.New("token cannot be empty")
+	}
+
+	tokenLen := len(token)
+	if tokenLen < minTokenLength {
+		return fmt.Errorf("token too short: %d < %d", tokenLen, minTokenLength)
+	}
+	if tokenLen > maxTokenLength {
+		return fmt.Errorf("token too long: %d > %d", tokenLen, maxTokenLength)
+	}
+
+	// Check for common placeholder values
+	if strings.Contains(strings.ToLower(token), "your_token") ||
+		strings.Contains(strings.ToLower(token), "xxx") ||
+		strings.Contains(token, "...") {
+		return errors.New("token appears to be a placeholder")
+	}
+
+	if !githubTokenRegex.MatchString(token) {
+		return errors.New("token does not match expected GitHub token format")
+	}
+
+	return nil
+}
+
+// sanitizeForLog removes sensitive information from strings before logging.
+func sanitizeForLog(s string) string {
+	// Redact tokens (both classic 40-char hex and new format)
+	// Classic tokens
+	s = regexp.MustCompile(`\b[a-f0-9]{40}\b`).ReplaceAllString(s, "[REDACTED-TOKEN]")
+	// New format tokens (ghp_, ghs_, ghr_, gho_, ghu_)
+	s = regexp.MustCompile(`\bgh[psoru]_[A-Za-z0-9]{36,251}\b`).ReplaceAllString(s, "[REDACTED-TOKEN]")
+	// Fine-grained personal access tokens
+	s = regexp.MustCompile(`\bgithub_pat_[A-Za-z0-9]{82}\b`).ReplaceAllString(s, "[REDACTED-TOKEN]")
+	// Bearer tokens in headers
+	s = regexp.MustCompile(`Bearer [A-Za-z0-9_\-.]+`).ReplaceAllString(s, "Bearer [REDACTED]")
+	// Authorization headers
+	s = regexp.MustCompile(`Authorization: \S+`).ReplaceAllString(s, "Authorization: [REDACTED]")
+
+	return s
+}
+
+// validateURL performs strict validation on URLs.
+func validateURL(rawURL string) error {
+	if rawURL == "" {
+		return errors.New("URL cannot be empty")
+	}
+
+	// Check for null bytes or control characters
+	for _, r := range rawURL {
+		if r < minPrintableChar || r == deleteChar {
+			return errors.New("URL contains control characters")
+		}
+	}
+
+	// Ensure URL starts with https://
+	if !strings.HasPrefix(rawURL, "https://") {
+		return errors.New("URL must use HTTPS")
+	}
+
+	// Check for URL length limits
+	if len(rawURL) > maxURLLength {
+		return errors.New("URL too long")
+	}
+
+	return nil
+}
