blacklanternsecurity / bbot

A recursive internet scanner for hackers.
https://www.blacklanternsecurity.com/bbot/
GNU General Public License v3.0

Trufflehog is not version locked #1458

Closed domwhewell-sage closed 2 weeks ago

domwhewell-sage commented 2 weeks ago

Describe the bug

The latest version of trufflehog 3.78.1 (released 2 days ago) is no longer finding our test unverified secret.

~/.bbot/tools/trufflehog git file:///tmp/test_keys/
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

2024-06-13T20:39:44+01:00       info-0  trufflehog      running source  {"source_manager_worker_id": "xpxBT", "with_units": true}
2024-06-13T20:39:44+01:00       info-0  trufflehog      scanning repo   {"source_manager_worker_id": "xpxBT", "unit": "/tmp/test_keys/", "unit_kind": "dir", "repo": "/tmp/test_keys/"}
✅ Found verified result 🐷🔑
Detector Type: URI
Decoder Type: PLAIN
Raw result: https://admin:admin@the-internet.herokuapp.com
Commit: 7e9ad4002a3fcd40298735a71d90e2ce521301f3
Email: BBOT Test <bbot@blacklanternsecurity.com>
File: keys.txt
Line: 2
Timestamp: 2024-06-13 18:20:06 +0000

2024-06-13T20:39:45+01:00       info-0  trufflehog      finished scanning       {"chunks": 2, "bytes": 236, "verified_secrets": 1, "unverified_secrets": 0, "scan_duration": "1.070352313s", "trufflehog_version": "3.78.1"}

Nothing has changed on our side, but trufflehog automatically goes off and does a sneaky update unless you have the --no-update flag on.

By rolling back the version on my machine and using this flag, I was able to get the events to be emitted and the tests to pass.

~/.bbot/tools/trufflehog --no-update git file:///tmp/test_keys/
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

2024-06-13T20:37:22+01:00       info-0  trufflehog      running source  {"source_manager_worker_id": "Lfvfr", "with_units": true}
✅ Found verified result 🐷🔑
Detector Type: URI
Decoder Type: PLAIN
Raw result: https://admin:admin@the-internet.herokuapp.com
Commit: 7e9ad4002a3fcd40298735a71d90e2ce521301f3
Email: BBOT Test <bbot@blacklanternsecurity.com>
File: keys.txt
Line: 2
Timestamp: 2024-06-13 18:20:06 +0000

Found unverified result 🐷🔑❓
Verification issue: lookup internal.host.com on 172.29.64.1:53: no such host
Detector Type: URI
Decoder Type: PLAIN
Raw result: https://admin:admin@internal.host.com
Commit: 7e9ad4002a3fcd40298735a71d90e2ce521301f3
Email: BBOT Test <bbot@blacklanternsecurity.com>
File: keys.txt
Line: 5
Timestamp: 2024-06-13 18:20:06 +0000

2024-06-13T20:37:23+01:00       info-0  trufflehog      finished scanning       {"chunks": 2, "bytes": 236, "verified_secrets": 1, "unverified_secrets": 1, "scan_duration": "1.011314663s", "trufflehog_version": "3.75.1"}

We should add the --no-update flag to the command in the trufflehog module so it is version locked to the one specified in the module options. That way we can ensure the version in use is one that is compatible with bbot and has not introduced any bugs.
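
As an added illustration of the version lock being proposed (this is not bbot's trufflehog module code and not from either commenter), the Python sketch below does two things: it builds the scan command with --no-update so the binary cannot replace itself mid-run, and it reads the trufflehog_version field back out of the JSON payload on the "finished scanning" log line, so a test or module can fail loudly when the tool that actually ran is not the pinned one. The pinned version 3.75.1 and the sample log lines are taken from the output quoted in this issue; the function names and the idea of a pinned-version option are assumptions for the example.

```python
import json

# Assumed module option: the trufflehog version the module expects to run.
# 3.75.1 is the version reported as working in this issue.
PINNED_VERSION = "3.75.1"

# Sample log lines constructed from the scan output quoted in the issue.
SAMPLE_LOG_LOCKED = (
    "2024-06-13T20:37:23+01:00       info-0  trufflehog      finished scanning       "
    '{"chunks": 2, "bytes": 236, "verified_secrets": 1, "unverified_secrets": 1, '
    '"scan_duration": "1.011314663s", "trufflehog_version": "3.75.1"}'
)
SAMPLE_LOG_UPDATED = (
    "2024-06-13T20:39:45+01:00       info-0  trufflehog      finished scanning       "
    '{"chunks": 2, "bytes": 236, "verified_secrets": 1, "unverified_secrets": 0, '
    '"scan_duration": "1.070352313s", "trufflehog_version": "3.78.1"}'
)


def build_command(binary, repo_url, no_update=True):
    """Return the argv for a git-mode scan.

    --no-update (documented in the issue) stops trufflehog from silently
    replacing itself with a newer release before the scan runs.
    """
    cmd = [binary]
    if no_update:
        cmd.append("--no-update")
    cmd += ["git", repo_url]
    return cmd


def scan_summary(log_text):
    """Parse the JSON payload of the 'finished scanning' line, or return None."""
    for line in log_text.splitlines():
        if "finished scanning" not in line:
            continue
        brace = line.find("{")
        if brace == -1:
            continue
        try:
            return json.loads(line[brace:])
        except json.JSONDecodeError:
            continue
    return None


def reported_version(log_text):
    """Version trufflehog itself reports in the scan summary, if present."""
    summary = scan_summary(log_text)
    if summary is None:
        return None
    return summary.get("trufflehog_version")


def version_locked(log_text, pinned=PINNED_VERSION):
    """True only if the scan really ran on the pinned version."""
    return reported_version(log_text) == pinned


if __name__ == "__main__":
    print(" ".join(build_command("~/.bbot/tools/trufflehog", "file:///tmp/test_keys/")))
    for name, log in (("locked", SAMPLE_LOG_LOCKED), ("updated", SAMPLE_LOG_UPDATED)):
        print(name, reported_version(log), "locked" if version_locked(log) else "DRIFTED")
```

Checking the version field in the scan output rather than only trusting the pinned path catches exactly the failure in this issue: the command was unchanged, but the reported trufflehog_version had moved from 3.75.1 to 3.78.1 and the unverified result silently disappeared.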

TheTechromancer commented 2 weeks ago

Opened upstream issue:

https://github.com/trufflesecurity/trufflehog/issues/2974