trufflesecurity / trufflehog

Find, verify, and analyze leaked credentials
https://trufflesecurity.com
GNU Affero General Public License v3.0

`ahocorasickcore.calculateSpan`: ensure startIdx is before endIdx #3002

Open rgmz opened 5 months ago

rgmz commented 5 months ago


TruffleHog Version

HEAD

Description

I have no idea how to reproduce this, but it's possible for `ahocorasickcore.calculateSpan` to produce a `matchSpan` where the `startIdx` is greater than the `endIdx`. This results in a panic.

    2024-06-21T19:40:03-04:00       error   trufflehog      goroutine 113 [running]:
    runtime/debug.Stack()
            /home/user/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.22.2.linux-amd64/src/runtime/debug/stack.go:24 +0x5e
    github.com/trufflesecurity/trufflehog/v3/pkg/common.Recover({0x4db1c60, 0xc001439e60})
            /home/user/dev/github.com/trufflesecurity/trufflehog/pkg/common/recover.go:17 +0x5b
    panic({0x3e209e0?, 0xc001985728?})
            /home/user/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.22.2.linux-amd64/src/runtime/panic.go:770 +0x132
    github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick.(*DetectorMatch).extractMatches(...)
            /home/user/dev/github.com/trufflesecurity/trufflehog/pkg/engine/ahocorasick/ahocorasickcore.go:199
    github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick.(*Core).FindDetectorMatches(0xc002984960, {0xc0027df000, 0x6400, 0x6e55})
            /home/user/dev/github.com/trufflesecurity/trufflehog/pkg/engine/ahocorasick/ahocorasickcore.go:256 +0x445
    github.com/trufflesecurity/trufflehog/v3/pkg/engine.(*Engine).scannerWorker(0xc00003c900, {0x4db1c60, 0xc001439e60})
            /home/user/dev/github.com/trufflesecurity/trufflehog/pkg/engine/engine.go:752 +0x5b1
    github.com/trufflesecurity/trufflehog/v3/pkg/engine.(*Engine).startScannerWorkers.func1()
            /home/user/dev/github.com/trufflesecurity/trufflehog/pkg/engine/engine.go:621 +0xf1
    created by github.com/trufflesecurity/trufflehog/v3/pkg/engine.(*Engine).startScannerWorkers in goroutine 1
            /home/user/dev/github.com/trufflesecurity/trufflehog/pkg/engine/engine.go:617 +0xfe
            {"scanner_worker_id": "i2K7u", "recover": "runtime error: slice bounds out of range [6019:5600]", "error": "panic"}

I guess there ought to be a sanity check here, before returning: https://github.com/trufflesecurity/trufflehog/blob/de19a39f2cc6a103a4e207b780716d46e77de732/pkg/engine/ahocorasick/ahocorasickcore.go#L88-L89
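The failure mode in the trace above, reproduced and then guarded against, as an added example that is not trufflehog's code. The `matchSpan` type, `computeSpan`, `validateSpan` and the two `extract*` functions are assumptions standing in for the project's `calculateSpan`/`extractMatches`; only the shape of the bug (a half-open span whose start exceeds its end, sliced out of a chunk) is taken from the issue. The chunk length of 6400 and the inverted span `[6019:5600]` are copied from the first report so that the unchecked path produces the same runtime error string.

```go
package main

import (
	"errors"
	"fmt"
)

// matchSpan is a half-open byte range [startIdx, endIdx) into a scanned chunk.
// Name and fields are assumed for this example, not trufflehog's own type.
type matchSpan struct {
	startIdx int
	endIdx   int
}

// errInvalidSpan marks a span that cannot be used to slice the chunk.
var errInvalidSpan = errors.New("invalid match span")

// validateSpan is the sanity check the issue asks for: any span that would make
// data[startIdx:endIdx] panic (start > end, or a bound outside [0, dataLen]) is
// rejected with an error instead of reaching the slice expression.
func validateSpan(s matchSpan, dataLen int) error {
	if s.startIdx < 0 || s.endIdx > dataLen || s.startIdx > s.endIdx {
		return fmt.Errorf("%w: [%d:%d] for chunk of %d bytes",
			errInvalidSpan, s.startIdx, s.endIdx, dataLen)
	}
	return nil
}

// computeSpan widens a keyword hit [start, end) by a look-back/look-ahead
// window, clamps both bounds to the chunk and validates the result before
// returning it. Clamping alone cannot fix an inverted input, so the check
// still matters: an inverted span is reported, not silently swapped.
func computeSpan(start, end, lookBack, lookAhead, dataLen int) (matchSpan, error) {
	s := matchSpan{startIdx: start - lookBack, endIdx: end + lookAhead}
	if s.startIdx < 0 {
		s.startIdx = 0
	}
	if s.endIdx > dataLen {
		s.endIdx = dataLen
	}
	if err := validateSpan(s, dataLen); err != nil {
		return matchSpan{}, err
	}
	return s, nil
}

// extractUnchecked slices without any check: the behaviour behind the
// "slice bounds out of range" panic in the stack trace.
func extractUnchecked(data []byte, s matchSpan) []byte {
	return data[s.startIdx:s.endIdx]
}

// extractChecked validates first and returns an error where the unchecked
// version would panic. A scanner worker can log and skip the match.
func extractChecked(data []byte, s matchSpan) ([]byte, error) {
	if err := validateSpan(s, len(data)); err != nil {
		return nil, err
	}
	return data[s.startIdx:s.endIdx], nil
}

// recoverPanicMessage runs fn and returns the panic message, if any, so the
// unchecked path can be demonstrated without crashing the program.
func recoverPanicMessage(fn func()) (msg string) {
	defer func() {
		if r := recover(); r != nil {
			msg = fmt.Sprint(r)
		}
	}()
	fn()
	return ""
}

func main() {
	// Constructed input: a 6400-byte chunk and the inverted span from the report.
	data := make([]byte, 6400)
	bad := matchSpan{startIdx: 6019, endIdx: 5600}

	fmt.Println("unchecked:", recoverPanicMessage(func() { extractUnchecked(data, bad) }))
	if _, err := extractChecked(data, bad); err != nil {
		fmt.Println("checked:  ", err)
	}

	// A well-formed hit at [100,120) with 10 bytes of context either side.
	if s, err := computeSpan(100, 120, 10, 10, len(data)); err == nil {
		fmt.Printf("span ok:   [%d:%d]\n", s.startIdx, s.endIdx)
	}
}
```

Rejecting rather than swapping an inverted span keeps the bug visible: a swapped span would return bytes that have nothing to do with the keyword hit and would hide the upstream miscalculation the issue is trying to locate.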

rgmz commented 1 week ago

Another instance:

    2024-11-14T09:37:12-05:00   error   trufflehog  goroutine 94 [running]:
    runtime/debug.Stack()
        /Users/richardgomez/sdk/go1.23.2/src/runtime/debug/stack.go:26 +0x64
    github.com/trufflesecurity/trufflehog/v3/pkg/common.Recover({0x104d125a0, 0x14001c06150})
        /Users/richardgomez/dev/secrets/thog/pkg/common/recover.go:17 +0x44
    panic({0x1049a6bc0?, 0x14008b3c4b0?})
        /Users/richardgomez/sdk/go1.23.2/src/runtime/panic.go:785 +0x124
    github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick.(*DetectorMatch).extractMatches(...)
        /Users/richardgomez/dev/secrets/thog/pkg/engine/ahocorasick/ahocorasickcore.go:205
    github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick.(*Core).FindDetectorMatches(0x14000f61860, {0x14008c89000, 0x21a6, 0x27d2})
        /Users/richardgomez/dev/secrets/thog/pkg/engine/ahocorasick/ahocorasickcore.go:261 +0x354
    github.com/trufflesecurity/trufflehog/v3/pkg/engine.(*Engine).scannerWorker(0x14001edc000, {0x104d125a0, 0x14001c06150})
        /Users/richardgomez/dev/secrets/thog/pkg/engine/engine.go:783 +0x450
    github.com/trufflesecurity/trufflehog/v3/pkg/engine.(*Engine).startScannerWorkers.func1()
        /Users/richardgomez/dev/secrets/thog/pkg/engine/engine.go:658 +0xd8
    created by github.com/trufflesecurity/trufflehog/v3/pkg/engine.(*Engine).startScannerWorkers in goroutine 1
        /Users/richardgomez/dev/secrets/thog/pkg/engine/engine.go:654 +0xf4
        {"scanner_worker_id": "uSHmB", "recover": "runtime error: slice bounds out of range [8653:8614]", "error": "panic"}
    2024-11-14T09:37:12-05:00   info-0  trufflehog  sentry flush failed {"scanner_worker_id": "uSHmB"}