fix: address MINOR review findings on PR #93 (round 2)

- Add User-Agent header to all requests (gpt-review-bot) - Limit successful response body to 10 MiB via io.LimitReader (security-review-bot) - Add CheckRedirect to strip Authorization on cross-host redirects (security-review-bot) - Fix decodeBase64Content to strip both \r and \n (gpt-review-bot) - Document that transport errors are not retried (sonnet-review-bot) - Update package doc to reflect current scope (no review submission yet) - Add tests for User-Agent, empty-token auth skip, CRLF base64, CheckRedirect
2026-05-12 16:00:09 -07:00
parent 5b43afc6d4
commit 75f65fbf5d
4 changed files with 89 additions and 6 deletions
@@ -61,10 +61,10 @@ func escapePath(p string) string {
 }

 // decodeBase64Content decodes base64-encoded content from the GitHub contents API.
-// GitHub returns base64 content with newlines for formatting, which we strip before decoding.
+// GitHub returns base64 content with line breaks for formatting; we strip \r and \n before decoding.
 func decodeBase64Content(encoded string) (string, error) {
 	// GitHub inserts newlines in base64 content
-	cleaned := strings.ReplaceAll(encoded, "\n", "")
+	cleaned := strings.NewReplacer("\n", "", "\r", "").Replace(encoded)
 	decoded, err := base64.StdEncoding.DecodeString(cleaned)
 	if err != nil {
 		return "", err