From af72c64b7f3e7760edb37a73f29f520f40c74510 Mon Sep 17 00:00:00 2001
From: claw
Date: Tue, 12 May 2026 16:48:39 -0700
Subject: [PATCH] fix(github): correct ListContents error wrapping and move HTTPS guard before retry loop
---
 github/client.go | 9 +++++----
 github/files.go | 2 +-
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/github/client.go b/github/client.go
index 8dd157b..c148f96 100644
--- a/github/client.go
+++ b/github/client.go
@@ -159,6 +159,11 @@ func (c *Client) doRequest(ctx context.Context, method, url string, accept strin
 const maxErrorBodyBytes = 64 * 1024
+ // Reject non-HTTPS URLs early since the URL is immutable across retries.
+ if c.token != "" && !c.allowInsecureHTTP && !strings.HasPrefix(url, "https://") {
+ return nil, fmt.Errorf("refusing to send credentials over non-HTTPS URL %q (use AllowInsecureHTTP option for trusted networks)", url)
+ }
+
 var lastErr error
 for attempt := 0; attempt < maxAttempts; attempt++ {
 if attempt > 0 {
@@ -183,10 +188,6 @@ func (c *Client) doRequest(ctx context.Context, method, url string, accept strin
 return nil, fmt.Errorf("create request: %w", err)
 }
 if c.token != "" {
- // Refuse to send credentials over plaintext unless explicitly allowed.
- if !c.allowInsecureHTTP && req.URL.Scheme != "https" {
- return nil, fmt.Errorf("refusing to send credentials over non-HTTPS URL %q (use AllowInsecureHTTP option for trusted networks)", req.URL.Host)
- }
 req.Header.Set("Authorization", "Bearer "+c.token)
 }
 req.Header.Set("User-Agent", userAgent)
diff --git a/github/files.go b/github/files.go
index 442cc63..f09d3e5 100644
--- a/github/files.go
+++ b/github/files.go
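Review bot: In doRequest in github/client.go (hunk at -159,6 +159,11), the relocated guard formats the full `url` into the error with `%q`, where the guard it replaces reported only `req.URL.Host`, so any userinfo or query-string secret in a caller-supplied URL would now be copied into error text and logs. Dropping the URL from the message avoids that without a parse: `return nil, fmt.Errorf("refusing to send credentials over non-HTTPS URL (use AllowInsecureHTTP option for trusted networks)")`. The scheme test also moved from the parsed `req.URL.Scheme` to a case-sensitive `strings.HasPrefix(url, "https://")`, which refuses `HTTPS://…`; that fails closed, but it is a behaviour change worth a comment or a test. client.go has no import hunk in this commit, so the new call depends on `strings` already being imported there, and doRequest's body starts and ends outside the hunk.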
@@ -42,7 +42,7 @@ func (c *Client) ListContents(ctx context.Context, owner, repo, path string) ([]
 if err := json.Unmarshal(body, &entries); err != nil {
 var single entry
 if err2 := json.Unmarshal(body, &single); err2 != nil {
- return nil, fmt.Errorf("parse contents JSON: %w", err)
+ return nil, fmt.Errorf("parse contents JSON: %w", err2)
 }
 entries = []entry{single}
 }
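Review bot: In ListContents (github/files.go, the changed `return nil, fmt.Errorf(...)` line), wrapping only `err2` now discards `err`, the error from decoding the body as a list. When the response was a list with a bad element, the message will presumably complain instead that an array cannot be decoded into a single `entry` (assuming `entry` is a struct, which the hunk does not show). Reporting both attempts keeps the real cause visible: `return nil, fmt.Errorf("parse contents JSON: as list: %w; as single entry: %w", err, err2)`. Two `%w` verbs need Go 1.20 or later; on an older toolchain keep one `%w` and format the other with `%v`. ListContents starts and ends outside the hunk.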