From af1c172877985bf8ac574dc49e5b9c82e8cd1a1c Mon Sep 17 00:00:00 2001
From: B <6723574+louisgv@users.noreply.github.com>
Date: Fri, 6 Mar 2026 10:02:56 +0000
Subject: [PATCH] fix: reject control characters in GITHUB_TOKEN validation

GITHUB_TOKEN containing newlines, tabs, or carriage returns could
corrupt ~/.config/gh/hosts.yml before permissions are set (line 314)
and bypass validation in downstream consumers. Defense-in-depth fix
following the pattern established in sh/shared/key-request.sh:78.

Fixes #2239

Agent: team-lead
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---
 sh/shared/github-auth.sh | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/sh/shared/github-auth.sh b/sh/shared/github-auth.sh
index 49d5059a4..16786b429 100755
--- a/sh/shared/github-auth.sh
+++ b/sh/shared/github-auth.sh
@@ -289,6 +289,12 @@ ensure_gh_auth() {
                 return 1
                 ;;
         esac
+        # SECURITY: Reject tokens containing newlines, tabs, or carriage returns
+        # to prevent credential file corruption and bypass of downstream validation.
+        if [[ "${GITHUB_TOKEN}" =~ $'\n' ]] || [[ "${GITHUB_TOKEN}" =~ $'\t' ]] || [[ "${GITHUB_TOKEN}" =~ $'\r' ]]; then
+            log_error "GITHUB_TOKEN contains invalid control characters (newline/tab/CR)"
+            return 1
+        fi
 
         # Fast path: skip persistence if gh is already authenticated with
         # stored credentials (not just the env var). Temporarily unset