2024-06-21T19:40:03-04:00 error trufflehog goroutine 113 [running]:
runtime/debug.Stack()
/home/user/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.22.2.linux-amd64/src/runtime/debug/stack.go:24 +0x5e
github.com/trufflesecurity/trufflehog/v3/pkg/common.Recover({0x4db1c60, 0xc001439e60})
/home/user/dev/github.com/trufflesecurity/trufflehog/pkg/common/recover.go:17 +0x5b
panic({0x3e209e0?, 0xc001985728?})
/home/user/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.22.2.linux-amd64/src/runtime/panic.go:770 +0x132
github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick.(*DetectorMatch).extractMatches(...)
/home/user/dev/github.com/trufflesecurity/trufflehog/pkg/engine/ahocorasick/ahocorasickcore.go:199
github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick.(*Core).FindDetectorMatches(0xc002984960, {0xc0027df000, 0x6400, 0x6e55})
/home/user/dev/github.com/trufflesecurity/trufflehog/pkg/engine/ahocorasick/ahocorasickcore.go:256 +0x445
github.com/trufflesecurity/trufflehog/v3/pkg/engine.(*Engine).scannerWorker(0xc00003c900, {0x4db1c60, 0xc001439e60})
/home/user/dev/github.com/trufflesecurity/trufflehog/pkg/engine/engine.go:752 +0x5b1
github.com/trufflesecurity/trufflehog/v3/pkg/engine.(*Engine).startScannerWorkers.func1()
/home/user/dev/github.com/trufflesecurity/trufflehog/pkg/engine/engine.go:621 +0xf1
created by github.com/trufflesecurity/trufflehog/v3/pkg/engine.(*Engine).startScannerWorkers in goroutine 1
/home/user/dev/github.com/trufflesecurity/trufflehog/pkg/engine/engine.go:617 +0xfe
{"scanner_worker_id": "i2K7u", "recover": "runtime error: slice bounds out of range [6019:5600]", "error": "panic"}
TruffleHog Version: HEAD

Description
I have no idea how to reproduce this, but it's possible for `ahocorasickcore.calculateSpan` to produce a `matchSpan` where the `startIdx` is greater than the `endIdx`. This results in a panic.

I guess there ought to be a sanity check here, before returning: https://github.com/trufflesecurity/trufflehog/blob/de19a39f2cc6a103a4e207b780716d46e77de732/pkg/engine/ahocorasick/ahocorasickcore.go#L88-L89
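As an added example (not TruffleHog's own code; the `matchSpan` type, its field names, `validateSpan` and `extractMatch` are assumptions modelled on the identifiers in the report), this is the kind of sanity check the report suggests, applied before the span is used to slice the chunk. An inverted span like the `[6019:5600]` one in the panic message, a negative index, or an end past the chunk length is turned into an error instead of a runtime panic:

```go
package main

import "fmt"

// matchSpan mirrors the shape of the span described in the report: a half-open
// [startIdx, endIdx) window into the chunk being scanned. The type and field
// names are assumptions for this example, not TruffleHog's own definitions.
type matchSpan struct {
	startIdx int
	endIdx   int
}

// validateSpan is the sanity check the report suggests adding before a span is
// returned. It reports whether chunk[startIdx:endIdx] can be taken without
// panicking for a chunk of the given length.
func validateSpan(s matchSpan, chunkLen int) bool {
	if s.startIdx < 0 || s.endIdx < 0 {
		return false // negative indices always panic on slicing
	}
	if s.startIdx > s.endIdx {
		return false // the inverted case from the report, e.g. [6019:5600]
	}
	if s.endIdx > chunkLen {
		return false // overrun past the end of the chunk also panics
	}
	return true
}

// extractMatch slices the chunk only after the span has passed validation, so a
// bad span produces an error the caller can log instead of
// "slice bounds out of range".
func extractMatch(chunk []byte, s matchSpan) ([]byte, error) {
	if !validateSpan(s, len(chunk)) {
		return nil, fmt.Errorf("invalid match span [%d:%d] for chunk of length %d",
			s.startIdx, s.endIdx, len(chunk))
	}
	return chunk[s.startIdx:s.endIdx], nil
}

func main() {
	// Constructed sample chunk; the "AKIA..." value is a made-up placeholder, not a real key.
	chunk := []byte("token=AKIAEXAMPLE1234 rest of the chunk")

	good := matchSpan{startIdx: 6, endIdx: 21}
	bad := matchSpan{startIdx: 6019, endIdx: 5600} // the span from the panic message

	if m, err := extractMatch(chunk, good); err == nil {
		fmt.Printf("match: %q\n", m)
	}
	if _, err := extractMatch(chunk, bad); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The check is deliberately a rejection rather than a silent clamp: a span with `startIdx > endIdx` means the span calculation is wrong upstream, and dropping the match with a logged error keeps the worker alive without hiding the bug.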