From 19e6cd5d8989266da27bc60278b00309f7e77dde Mon Sep 17 00:00:00 2001
From: Paul Hutchinson
Date: Mon, 17 Nov 2025 14:58:50 +0000
Subject: [PATCH 1/2] [feature] SC-166737/improve app proxy security by restricting where token replacements can go
---
 manifest.json | 7 ++++++-
 src/services/github/constants.ts | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/manifest.json b/manifest.json
index 595aba2..1dd219b 100644
--- a/manifest.json
+++ b/manifest.json
@@ -93,7 +93,12 @@
 {
 "url": "https://github.com/.*",
 "methods": ["GET", "POST"],
- "timeout": 10
+ "timeout": 10,
+ "settingsInjection": {
+ "client_secret": {
+ "querystring": ["client_secret"]
+ }
+ }
 }
 ]
 }
diff --git a/src/services/github/constants.ts b/src/services/github/constants.ts
index 47e7eec..71f6415 100644
--- a/src/services/github/constants.ts
+++ b/src/services/github/constants.ts
@@ -5,6 +5,6 @@ export const placeholders = {
 CODE: "[user[oauth2/code]]",
 OAUTH_TOKEN_PATH: "oauth2/token",
 TOKEN: `[user[oauth2/token]]`,
-};
+} as const;
 export const BASE_URL = "https://api.github.com";
From d8f3dffd92e4694ab010b37c83eaf069a743136e Mon Sep 17 00:00:00 2001
From: Paul <1740195+HappyPaul55@users.noreply.github.com>
Date: Wed, 19 Nov 2025 12:24:29 +0000
Subject: [PATCH 2/2] Update manifest.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 manifest.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifest.json b/manifest.json
index 1dd219b..0eeb737 100644
--- a/manifest.json
+++ b/manifest.json
@@ -91,7 +91,7 @@
 "timeout": 10
 },
 {
- "url": "https://github.com/.*",
+ "url": "https://github.com/login/oauth/access_token",
 "methods": ["GET", "POST"],
 "timeout": 10,
 "settingsInjection": {
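Review bot: In the manifest.json hunk of PATCH 1/2, the added `settingsInjection` block permits `client_secret` only in the `querystring` location, so the secret travels in the request URL, where proxy and access logs commonly record it. GitHub's token endpoint also accepts these parameters in a POST body. If the manifest schema offers a body location (not visible here, confirm against the proxy documentation), allowing the secret there keeps it out of URLs. The `methods` context line still lists GET, and once the secret moves to the body, `"methods": ["POST"]` would be enough for the token exchange.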
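Review bot: In the manifest.json hunk of PATCH 2/2, the new `url` value is presumably still evaluated as a pattern, since the value it replaces ended in `.*`, so the unescaped dots in `github.com` match any character. Nothing in the hunk shows whether the proxy anchors the match, so it is worth confirming that a longer or look-alike host cannot satisfy the entry and receive the injected `client_secret`. Escaping the dots, `"url": "https://github\\.com/login/oauth/access_token"`, is safe either way. The whitelist entry continues past the end of the hunk, so the rest of `settingsInjection` is not visible here.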