trufflesecurity / trufflehog

Find, verify, and analyze leaked credentials
https://trufflesecurity.com
GNU Affero General Public License v3.0

Panic #3530

Open ankushgoel27 opened 3 weeks ago

ankushgoel27 commented 3 weeks ago


TruffleHog Version

Dev

Trace Output

{"level":"error","ts":"2024-10-30T09:43:31Z","logger":"trufflehog","msg":"goroutine 428 [running]:\nruntime/debug.Stack()\n\t/root/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.0.linux-amd64/src/runtime/debug/stack.go:26 +0x5e\ngithub.com/trufflesecurity/trufflehog/v3/pkg/common.Recover({0x52d3d60, 0xc001a0dc50})\n\t/root/trufflehog/pkg/common/recover.go:17 +0x5b\npanic({0x462da00?, 0xc0202b4f78?})\n\t/root/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.0.linux-amd64/src/runtime/panic.go:785 +0x132\ngithub.com/trufflesecurity/trufflehog/v3/pkg/detectors/gcpapplicationdefaultcredentials.Scanner.FromData({0x52d3d60?}, {0x72c413104d10, 0xc022556ba0}, 0x0, {0xc020619500?, 0x0?, 0x0?})\n\t/root/trufflehog/pkg/detectors/gcpapplicationdefaultcredentials/gcpapplicationdefaultcredentials.go:83 +0x505\ngithub.com/trufflesecurity/trufflehog/v3/pkg/engine.(*Engine).verificationOverlapWorker(0xc002d4e000, {0x52d3d60, 0xc001a0dc50})\n\t/root/trufflehog/pkg/engine/engine.go:925 +0x584\ngithub.com/trufflesecurity/trufflehog/v3/pkg/engine.(*Engine).startVerificationOverlapWorkers.func1()\n\t/root/trufflehog/pkg/engine/engine.go:685 +0xdc\ncreated by github.com/trufflesecurity/trufflehog/v3/pkg/engine.(*Engine).startVerificationOverlapWorkers in goroutine 1\n\t/root/trufflehog/pkg/engine/engine.go:681 +0x10f\n","verification_overlap_worker_id":"46WSo","recover":"runtime error: slice bounds out of range [:3] with length 0","error":"panic"}


Expected Behavior

should cause a panic error

Actual Behavior

caused error while verifying GCP credentials

Steps to Reproduce

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Environment

Ubuntu latest

Additional Context

References

rgmz commented 3 weeks ago

The issue is that there's no check that json.Unmarshal succeeded. Just because err == nil doesn't mean unmarshalling was successful; if you provide it garbage data, the unmarshaller happily returns an empty struct :).

https://github.com/trufflesecurity/trufflehog/blob/e81ff7630cc44f9ceefda31cb7659343961c51ff/pkg/detectors/gcpapplicationdefaultcredentials/gcpapplicationdefaultcredentials.go#L71-L74

Hence why [:3] is out of range: https://github.com/trufflesecurity/trufflehog/blob/e81ff7630cc44f9ceefda31cb7659343961c51ff/pkg/detectors/gcpapplicationdefaultcredentials/gcpapplicationdefaultcredentials.go#L83
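An added illustration of the failure mode described above (example code, not the project's detector): a struct with assumed field names is decoded from well-formed JSON that carries none of the expected keys. json.Unmarshal returns nil because unknown keys are simply ignored (outright malformed input does return an error), the struct is left zero-valued, and slicing the empty field reproduces the exact panic text from the trace. The checked variant rejects such input before anything slices it; the field names, the `service_account` check and the sample input are assumptions for this example.

```go
package main
import (
	"encoding/json"
	"fmt"
)

// gcpADC stands in for the struct the detector decodes into; field names are assumed, not the project's own.
type gcpADC struct {
	Type         string `json:"type"`
	ClientEmail  string `json:"client_email"`
	PrivateKeyID string `json:"private_key_id"`
}

// parseUnchecked reproduces the bug: err == nil is taken as success, but JSON lacking the expected keys decodes cleanly into a zero-value struct.
func parseUnchecked(raw []byte) (*gcpADC, error) {
	var c gcpADC
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// redactUnchecked slices a field that may be empty; recover turns the runtime error into a return value instead of crashing.
func redactUnchecked(c *gcpADC) (result string, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			result, panicked = fmt.Sprint(r), true
		}
	}()
	return c.PrivateKeyID[:3] + "...", false
}

// parseChecked is the hardened form: confirm the fields the detector relies on are present, and long enough to slice, before use.
func parseChecked(raw []byte) (*gcpADC, error) {
	c, err := parseUnchecked(raw)
	if err != nil {
		return nil, err
	}
	if c.Type != "service_account" || c.ClientEmail == "" || len(c.PrivateKeyID) < 3 {
		return nil, fmt.Errorf("json decoded but required credential fields are missing")
	}
	return c, nil
}

var notAKey = []byte(`{"kind":"storage#object","name":"README.md"}`) // constructed: well-formed JSON that is not a key

func main() {
	c, _ := parseUnchecked(notAKey)    // err == nil, yet every field is empty
	fmt.Println(redactUnchecked(c))    // same "slice bounds out of range [:3] with length 0" text as the trace
	fmt.Println(parseChecked(notAKey)) // <nil> json decoded but required credential fields are missing
}
```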

rgmz commented 2 days ago

Fixed by #3535.