Can you spot the vulnerability? #codeadvent2022 #csharp #appsec

Something was forgotten in this API handler, but what?

https://www.sonarsource.com/knowledge/code-challenges/advent-calendar-2022/?day=3


The URL https://api.github.com does not end with a "/". An attacker can thus send the request to any server!
The regular expression is a decoy, no match is also a match, thanks to the greedy quantifier.

Check out the detailed solution here:
https://www.sonarsource.com/knowledge/code-challenges/advent-calendar-2022/?day=3&solution

@SonarResearch The hostname part of the URL does not end with a slash. The appended user input from the `path` parameter can change the domain of the API request which could leak the Authorization environment variable.

The domain github.computer is available and could be reached by the API handler if the `path` parameter is set to "puter".

@becojo your brain is too powerful for us mere mortals. great solution!

@SonarResearch the regex doesn't start with a / and HTTP requests may contain paths that do not start with a / (ex: OPTIONS allows *), which would be appended to api.github.com. Since the regex does not contain a ., we need to find another public suffix that starts with com but does not contain a dot and register apit.github.<suffix>.

$ ./bin/ronin public-suffix-list | egrep ^com[a-z]+$
comcast
commbank
community
company
compare
computer
comsec

@SonarResearch The other commenters here have very creative solutions. But there is a simpler way if github.computer isn't available anymore because @becojo already bought it:

Regex.IsMatch() does not perform a global regex match, it just searches for a match somewhere in the string. Also, the regex does not use $ to match for the end of the line. This leads to an empty string matching the regex (remember that * matches 0-inf chars). So the regex does not do anything and we can send an arbitrary path. (https://replit.com/@realansgar/BlueInfatuatedConnection#main.cs)

"https://api.github.com" does not end with a slash. So we can append a path like .attacker.com and register api.github.com.attacker.com and capture the authHeader.
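The two bugs the replies describe (an unanchored regex that accepts any input, and string concatenation onto a base URL with no trailing slash) reconstructed side by side with a hardened version. This is an added example, not the challenge's source and not any commenter's code: the exact regex from the challenge is not shown on the page, so DECOY_PATTERN below is a hypothetical stand-in with the properties the replies name (no leading "/", no ".", a "*" quantifier, no "$"). Python's re.search behaves like .NET's Regex.IsMatch here, in that it reports a match anywhere in the input, including a zero-length one.

```python
import re
from typing import Optional
from urllib.parse import urljoin, urlsplit

API_BASE = "https://api.github.com"   # as in the challenge: no trailing "/"
EXPECTED_HOST = "api.github.com"

# Hypothetical stand-in for the challenge's regex: unanchored, no leading "/",
# no "." in the class, and a "*" quantifier, so it matches the empty string.
DECOY_PATTERN = re.compile(r"[a-z0-9/]*")


def vulnerable_url(path: str) -> Optional[str]:
    """Reconstruction of the handler's logic (assumed shape, not its source).

    Regex.IsMatch / re.search find the zero-length match at offset 0 for every
    input, so the check never rejects anything, and plain concatenation lets
    the attacker-controlled path extend the host name."""
    if DECOY_PATTERN.search(path) is None:
        return None
    return API_BASE + path          # the real bug: no "/" closes the authority


def request_host(url: str) -> str:
    """The host a client would actually connect to for this URL."""
    return urlsplit(url).hostname or ""


# Hardened variant: anchored pattern that forces a leading "/", forbids "." and
# a second leading "/" (which would make a protocol-relative URL), so the
# authority of the resulting URL cannot be changed by the caller.
SAFE_PATTERN = re.compile(r"^/(?:[A-Za-z0-9_-]+/?)*$")


def hardened_url(path: str) -> Optional[str]:
    if SAFE_PATTERN.fullmatch(path) is None:
        return None
    # Join against a base that ends in "/" instead of concatenating strings.
    url = urljoin(API_BASE + "/", path)
    # Defence in depth: re-parse and pin the host before any credential is sent.
    if request_host(url) != EXPECTED_HOST:
        return None
    return url


if __name__ == "__main__":
    # Constructed inputs taken from the thread: the "puter" suffix and a
    # registered-subdomain suffix both move the request off api.github.com.
    for p in ["puter", ".attacker.com", "", "/repos/sonar/x", "//evil/x"]:
        print(repr(p), "->", vulnerable_url(p), "|", hardened_url(p))
```

The host check after urljoin is what catches inputs such as "//evil/x" even if the pattern were loosened later; the anchored regex alone rejects "puter", ".attacker.com" and the empty string, none of which the decoy pattern ever refused.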
