trufflesecurity / trufflehog

Find and verify secrets
https://trufflesecurity.com
GNU Affero General Public License v3.0
14.39k stars, 1.57k forks

`ahocorasickcore.calculateSpan`: ensure startIdx is before endIdx #3002

Open rgmz opened 2 weeks ago

rgmz commented 2 weeks ago


TruffleHog Version

HEAD

Description

I have no idea how to reproduce this, but it's possible for ahocorasickcore.calculateSpan to produce a matchSpan where the startIdx is greater than the endIdx. This results in a panic.

```
2024-06-21T19:40:03-04:00       error   trufflehog      goroutine 113 [running]:
runtime/debug.Stack()
        /home/user/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.22.2.linux-amd64/src/runtime/debug/stack.go:24 +0x5e
github.com/trufflesecurity/trufflehog/v3/pkg/common.Recover({0x4db1c60, 0xc001439e60})
        /home/user/dev/github.com/trufflesecurity/trufflehog/pkg/common/recover.go:17 +0x5b
panic({0x3e209e0?, 0xc001985728?})
        /home/user/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.22.2.linux-amd64/src/runtime/panic.go:770 +0x132
github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick.(*DetectorMatch).extractMatches(...)
        /home/user/dev/github.com/trufflesecurity/trufflehog/pkg/engine/ahocorasick/ahocorasickcore.go:199
github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick.(*Core).FindDetectorMatches(0xc002984960, {0xc0027df000, 0x6400, 0x6e55})
        /home/user/dev/github.com/trufflesecurity/trufflehog/pkg/engine/ahocorasick/ahocorasickcore.go:256 +0x445
github.com/trufflesecurity/trufflehog/v3/pkg/engine.(*Engine).scannerWorker(0xc00003c900, {0x4db1c60, 0xc001439e60})
        /home/user/dev/github.com/trufflesecurity/trufflehog/pkg/engine/engine.go:752 +0x5b1
github.com/trufflesecurity/trufflehog/v3/pkg/engine.(*Engine).startScannerWorkers.func1()
        /home/user/dev/github.com/trufflesecurity/trufflehog/pkg/engine/engine.go:621 +0xf1
created by github.com/trufflesecurity/trufflehog/v3/pkg/engine.(*Engine).startScannerWorkers in goroutine 1
        /home/user/dev/github.com/trufflesecurity/trufflehog/pkg/engine/engine.go:617 +0xfe
        {"scanner_worker_id": "i2K7u", "recover": "runtime error: slice bounds out of range [6019:5600]", "error": "panic"}
```

I guess there ought to be a sanity check here, before returning: https://github.com/trufflesecurity/trufflehog/blob/de19a39f2cc6a103a4e207b780716d46e77de732/pkg/engine/ahocorasick/ahocorasickcore.go#L88-L89
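The sanity check the report asks for, as an added example in Go (not TruffleHog's own code): a span is checked against the invariant `0 <= startIdx <= endIdx <= len(chunk)` before the chunk is sliced, so the `[6019:5600]` case from the trace is returned as an error instead of panicking inside the scanner worker. The `matchSpan`, `checkSpan` and `extractMatch` names are assumptions modelled on the names in the report.

```go
package main

import (
	"errors"
	"fmt"
)

// matchSpan mirrors the shape of the span described in the issue: a start
// and an end offset into the chunk being scanned. The field names are taken
// from the report; the struct itself is an assumption.
type matchSpan struct {
	startIdx int
	endIdx   int
}

var errBadSpan = errors.New("invalid match span")

// checkSpan enforces 0 <= startIdx <= endIdx <= chunkLen. The reported panic
// ("slice bounds out of range [6019:5600]") is the startIdx > endIdx case;
// the other two branches cover the remaining ways a slice expression panics.
func checkSpan(s matchSpan, chunkLen int) error {
	switch {
	case s.startIdx < 0:
		return fmt.Errorf("%w: startIdx %d < 0", errBadSpan, s.startIdx)
	case s.endIdx > chunkLen:
		return fmt.Errorf("%w: endIdx %d > len %d", errBadSpan, s.endIdx, chunkLen)
	case s.startIdx > s.endIdx:
		return fmt.Errorf("%w: startIdx %d > endIdx %d", errBadSpan, s.startIdx, s.endIdx)
	}
	return nil
}

// extractMatch slices the chunk only after the span has been validated, so a
// bad span becomes an error the caller can log rather than a panic that has
// to be caught by a recover() around the whole worker.
func extractMatch(chunk []byte, s matchSpan) ([]byte, error) {
	if err := checkSpan(s, len(chunk)); err != nil {
		return nil, err
	}
	return chunk[s.startIdx:s.endIdx], nil
}

func main() {
	// Constructed chunk: 0x6400 bytes, the slice length shown in the trace.
	chunk := make([]byte, 0x6400)
	if _, err := extractMatch(chunk, matchSpan{startIdx: 6019, endIdx: 5600}); err != nil {
		fmt.Println("rejected:", err)
	}
	out, _ := extractMatch(chunk, matchSpan{startIdx: 5600, endIdx: 6019})
	fmt.Println("ok, matched", len(out), "bytes")
}
```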