Panic #3530

Open
ankushgoel27 opened this issue Oct 30, 2024 · 1 comment
@ankushgoel27
Contributor

TruffleHog Version

Dev

Trace Output

{"level":"error","ts":"2024-10-30T09:43:31Z","logger":"trufflehog","msg":"goroutine 428 [running]:\nruntime/debug.Stack()\n\t/root/go/pkg/mod/golang.org/[email protected]/src/runtime/debug/stack.go:26 +0x5e\ngithub.com/trufflesecurity/trufflehog/v3/pkg/common.Recover({0x52d3d60, 0xc001a0dc50})\n\t/root/trufflehog/pkg/common/recover.go:17 +0x5b\npanic({0x462da00?, 0xc0202b4f78?})\n\t/root/go/pkg/mod/golang.org/[email protected]/src/runtime/panic.go:785 +0x132\ngithub.com/trufflesecurity/trufflehog/v3/pkg/detectors/gcpapplicationdefaultcredentials.Scanner.FromData({0x52d3d60?}, {0x72c413104d10, 0xc022556ba0}, 0x0, {0xc020619500?, 0x0?, 0x0?})\n\t/root/trufflehog/pkg/detectors/gcpapplicationdefaultcredentials/gcpapplicationdefaultcredentials.go:83 +0x505\ngithub.com/trufflesecurity/trufflehog/v3/pkg/engine.(*Engine).verificationOverlapWorker(0xc002d4e000, {0x52d3d60, 0xc001a0dc50})\n\t/root/trufflehog/pkg/engine/engine.go:925 +0x584\ngithub.com/trufflesecurity/trufflehog/v3/pkg/engine.(*Engine).startVerificationOverlapWorkers.func1()\n\t/root/trufflehog/pkg/engine/engine.go:685 +0xdc\ncreated by github.com/trufflesecurity/trufflehog/v3/pkg/engine.(*Engine).startVerificationOverlapWorkers in goroutine 1\n\t/root/trufflehog/pkg/engine/engine.go:681 +0x10f\n","verification_overlap_worker_id":"46WSo","recover":"runtime error: slice bounds out of range [:3] with length 0","error":"panic"}

To obtain the trace output, run trufflehog with the --trace flag.

Expected Behavior

should cause a panic error

Actual Behavior

caused error while verifying GCP credentials

Steps to Reproduce

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Environment

Ubuntu latest

Additional Context

References

  • #0000
@rgmz
Contributor

rgmz commented Oct 30, 2024

The issue is that there's no check that json.Unmarshal succeeded. Just because err == nil doesn't mean unmarshalling was successful; if you provide it garbage data, the unmarshaller happily returns an empty struct :).

err := json.Unmarshal([]byte(key), &creds)
if err != nil {
    continue
}

Hence why [:3] is out of range:

Redacted: creds.RefreshToken[:3] + "..." + creds.RefreshToken[min(len(creds.RefreshToken)-1, 47):], // censor the refresh token

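The gap rgmz describes, shown as an added example rather than trufflehog's own code: the struct, its JSON tag and the `redactToken` helper are assumed here for illustration. Parsing checks the field that will later be sliced instead of trusting `err == nil`, and the redaction bounds-checks before slicing so an empty or short token can no longer panic. The first sample input is constructed to be valid JSON that simply lacks `refresh_token`.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// gcpCredentials mirrors an application-default-credentials JSON blob; the
// field name and tag are assumed for this example, not taken from trufflehog.
type gcpCredentials struct {
	RefreshToken string `json:"refresh_token"`
}

// parseCredentials unmarshals, then checks the field sliced later is present:
// json.Unmarshal returns nil for any syntactically valid JSON object, even one
// with none of these keys, so "err == nil" alone proves nothing.
func parseCredentials(raw string) (gcpCredentials, error) {
	var creds gcpCredentials
	if err := json.Unmarshal([]byte(raw), &creds); err != nil {
		return creds, err
	}
	if creds.RefreshToken == "" {
		return creds, fmt.Errorf("valid JSON but refresh_token is missing or empty")
	}
	return creds, nil
}

// redactToken keeps the detector's "[:3] ... [min(len-1, 47):]" shape but
// bounds-checks first, so an empty or short token cannot panic.
func redactToken(tok string) string {
	const head, tailStart = 3, 47
	if len(tok) <= head {
		return "..." // too short to expose any part of it
	}
	start := tailStart
	if len(tok)-1 < start {
		start = len(tok) - 1
	}
	return tok[:head] + "..." + tok[start:]
}

func main() {
	for _, s := range []string{`{"type":"authorized_user"}`, `{"refresh_token":"1//0abcdefghij"}`} {
		if creds, err := parseCredentials(s); err != nil {
			fmt.Println("skip:", err) // constructed sample: valid JSON, no refresh_token
		} else {
			fmt.Println("redacted:", redactToken(creds.RefreshToken))
		}
	}
}
```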