// Source: github.com/google/osv-scalibr@v0.4.1/veles/secrets/github/checksum/checksum.go

// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package checksum contains the checksum validation logic for GitHub tokens.
package checksum

import (
	"bytes"
	"hash/crc32"
)

// Validate reports whether token carries a consistent trailing checksum.
//
// Everything after the first '_' is treated as payload followed by a
// six-character checksum. The checksum must equal the CRC-32 (IEEE) of the
// payload's raw bytes, written as six base62 digits. Tokens without an
// underscore, or with six or fewer bytes after it, are rejected.
//
// This is a purely local, structural check: CRC-32 is not a cryptographic
// primitive and nothing here contacts GitHub, so a true result means the
// candidate is well formed, not that it is a live credential. It is suited to
// filtering false positives before further validation.
//
// NOTE(review): a token with several underscores is split at the first one
// only; confirm against callers which token prefixes are passed in.
func Validate(token []byte) bool {
	const checksumLen = 6

	sep := bytes.IndexByte(token, '_')
	if sep < 0 {
		return false
	}

	body := token[sep+1:]
	// Require at least one payload byte in front of the checksum.
	if len(body) <= checksumLen {
		return false
	}

	cut := len(body) - checksumLen
	payload, claimed := body[:cut], body[cut:]

	// The CRC covers the payload's ASCII bytes as written, not a base62-decoded
	// form of them.
	want := base62Encode(crc32.ChecksumIEEE(payload), checksumLen)

	// The checksum is derivable from the token itself, so an ordinary
	// (non-constant-time) comparison is appropriate.
	return bytes.Equal(want, claimed)
}

// base62Chars is the digit alphabet: decimal digits, then upper case, then
// lower case.
const base62Chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

// base62Encode renders n as exactly size base62 digits, most significant
// first, left-padded with '0'.
//
// Digits that do not fit in size positions are silently dropped. For size 6
// that cannot happen, because 62^6 exceeds the largest uint32.
func base62Encode(n uint32, size int) []byte {
	out := make([]byte, size)
	// Emit the least significant digit first, filling from the right edge.
	for i := range out {
		digit := n % 62
		n /= 62
		out[len(out)-1-i] = base62Chars[digit]
	}
	return out
}