trufflesecurity / trufflehog

Find, verify, and analyze leaked credentials
https://trufflesecurity.com
GNU Affero General Public License v3.0

Git source should fail if directory doesn't exist #3005

Open rgmz opened 5 months ago

rgmz commented 5 months ago


TruffleHog Version

HEAD

Description

When using TruffleHog with a file:// URI, the scan will complete with a 0 exit code even if the directory doesn't exist.

$ ls /tmp/fake-dir/
ls: cannot access '/tmp/fake-dir/': No such file or directory
$ ./trufflehog git file:///tmp/fake-dir/
๐Ÿท๐Ÿ”‘๐Ÿท  TruffleHog. Unearth your secrets. ๐Ÿท๐Ÿ”‘๐Ÿท

2024-06-23T18:12:55-04:00       info-0  trufflehog      running source  {"source_manager_worker_id": "XIh5z", "with_units": true}
2024-06-23T18:12:55-04:00       info-0  trufflehog      finished scanning       {"chunks": 0, "bytes": 0, "verified_secrets": 0, "unverified_secrets": 0, "scan_duration": "4.326315ms", "trufflehog_version": "dev"}
$ echo $?
0
rgmz commented 5 months ago

It seems that git.scanDir returns an error (repository does not exist), however, the error seems to vanish into a void.

https://github.com/trufflesecurity/trufflehog/blob/de19a39f2cc6a103a4e207b780716d46e77de732/pkg/sources/git/git.go#L324-L330

https://github.com/trufflesecurity/trufflehog/blob/de19a39f2cc6a103a4e207b780716d46e77de732/pkg/sources/git/git.go#L1272

https://github.com/trufflesecurity/trufflehog/blob/de19a39f2cc6a103a4e207b780716d46e77de732/pkg/sources/source_manager.go#L369-L372

Confusingly, scanDirs and scanRepos — which would log such an error — don't seem to run in any configuration I tested. They only get called from runWithoutUnits.

https://github.com/trufflesecurity/trufflehog/blob/de19a39f2cc6a103a4e207b780716d46e77de732/pkg/sources/source_manager.go#L286

sahil9001 commented 1 month ago

I have raised a PR for this @rgmz, please check.

mcastorina commented 1 week ago

#3612 partially addresses this issue by logging the non-fatal errors produced during a scan.

The directory not existing should probably be a fatal error though.

» ./trufflehog git file:///tmp/fake-dir/
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

2024-11-14T23:34:31-08:00       info-0  trufflehog      running source  {"source_manager_worker_id": "FdwKg", "with_units": true}
2024-11-14T23:34:31-08:00       error   trufflehog      encountered errors during scan  {"errors": ["error chunking dir \"/tmp/fake-dir/\": repository does not exist"]}
2024-11-14T23:34:31-08:00       info-0  trufflehog      finished scanning       {"chunks": 0, "bytes": 0, "verified_secrets": 0, "unverified_secrets": 0, "scan_duration": "31.771833ms", "trufflehog_version": "dev"}
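The fatal-versus-non-fatal split mcastorina describes, as an added Go example that is not trufflehog's own code: a missing or non-directory file:// target fails the run up front (and so the exit code) instead of being swallowed as a clean 0-chunk scan, while an unreadable file below it is only collected and logged. ScanResult, ScanDir and ExitCode are hypothetical names; one chunk per readable file stands in for real chunking.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// ScanResult keeps errors that are logged and tolerated (NonFatal) apart
// from one that must abort the run and fail the exit code (Fatal).
type ScanResult struct {
	Chunks   int
	NonFatal []error
	Fatal    error
}

// ScanDir fails fast on a missing or non-directory target instead of reporting a
// clean 0-chunk scan; an unreadable file is non-fatal so the rest is still scanned.
func ScanDir(path string) ScanResult {
	var res ScanResult
	entries, err := os.ReadDir(path) // missing target wraps os.ErrNotExist; a plain file fails with ENOTDIR
	if err != nil {
		res.Fatal = fmt.Errorf("error chunking dir %q: %w", path, err)
		return res
	}
	for _, e := range entries {
		if !e.Type().IsRegular() {
			continue
		}
		if _, rerr := os.ReadFile(filepath.Join(path, e.Name())); rerr != nil {
			res.NonFatal = append(res.NonFatal, rerr)
			continue
		}
		res.Chunks++ // one chunk per readable file stands in for real chunking
	}
	return res
}

// ExitCode is what a CI job keys on: 1 for a fatal error, else 0 even if non-fatal errors were logged.
func ExitCode(r ScanResult) int {
	if r.Fatal != nil {
		return 1
	}
	return 0
}
```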