
Multi-part secrets are not reliably detected

Open rgmz opened this issue 6 months ago • 0 comments

TruffleHog Version

Latest

Trace Output

N/A

Expected Behavior

Detectors like DockerHub which require both a username and password should pick up multi-part secrets.

Example: TruffleHog should pick up johndoe:dckr_pat_rotated and johndoe:dckr_pat_newandactive when processing commits.

    DOCKERHUB_USER = 'johndoe'
-    DOCKERHUB_PASSWORD = 'dckr_pat_rotated'
+    DOCKERHUB_PASSWORD = 'dckr_pat_newandactive'

Actual Behavior

TruffleHog only searches added lines for Git sources, meaning that the commit shown above will be processed without any surrounding context:

    DOCKERHUB_PASSWORD = 'dckr_pat_newandactive'

This is due to how the GitParse logic is written: https://github.com/trufflesecurity/trufflehog/blob/857a37160074198a128f176f6534fd318d3c9494/pkg/gitparse/gitparse.go#L391-L396

Changing that line fixes the issue (or at least partially mitigates it); however, further care is needed to make sure that secrets are only reported for the commit they're introduced in.

- currentDiff.Content.Write([]byte("\n")) 
+ currentDiff.Content.Write(line[1:]) 
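Review bot: writing line[1:] on the context-line branch does keep the unchanged text in currentDiff.Content, but it also hands the same unchanged lines to the scan of every later commit that touches the file, so a username/password pair that sits entirely in context would be reported again and again; the issue body already flags this ("further care is needed"). One way to keep the context without re-reporting is to record which lines of the rebuilt content came from '+' lines and only emit a finding when at least one half of the multi-part secret lies on one of them. It is also worth confirming that line[1:] still carries the trailing newline the removed []byte("\n") write supplied, so line boundaries in the rebuilt content are preserved.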

Steps to Reproduce

N/A

Environment

N/A

Additional Context

N/A

References

N/A

rgmz avatar Jan 01 '24 02:01 rgmz
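The behaviour described in this issue, as an added example that is not TruffleHog's own code: a small Go model of the two ways a hunk can be turned into scannable content (added lines only, as today, versus added lines plus context) and a toy multi-part DockerHub detector that needs both a username and a `dckr_pat_` token in the same chunk. It also carries the "only report in the commit that introduced it" caveat through, by tagging each rebuilt line as added or not and emitting a finding only when at least one half of the pair is on an added line. The hunks, the `ParseHunk` and `FindDockerHubPairs` names, the `DiffLine`/`Finding` types and the simplified patterns are all constructed for this example and do not come from the project.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed hunk modelled on the commit in the issue: the username is an
// unchanged context line, the password is removed and re-added.
const sampleHunk = `@@ -1,2 +1,2 @@
 DOCKERHUB_USER = 'johndoe'
-DOCKERHUB_PASSWORD = 'dckr_pat_rotated'
+DOCKERHUB_PASSWORD = 'dckr_pat_newandactive'
`

// Constructed hunk for a later commit that touches an unrelated line while
// both halves of the credential sit in unchanged context.
const laterHunk = `@@ -1,3 +1,3 @@
 DOCKERHUB_USER = 'johndoe'
 DOCKERHUB_PASSWORD = 'dckr_pat_newandactive'
-TIMEOUT = 30
+TIMEOUT = 60
`

// DiffLine is one line of the rebuilt post-commit content, tagged with
// whether it came from a '+' line of the hunk.
type DiffLine struct {
	Text  string
	Added bool
}

// ParseHunk rebuilds the post-commit side of a hunk. With keepContext=false
// it mimics the behaviour the issue describes: only '+' lines keep their
// text and everything else collapses to an empty line. With keepContext=true
// the unchanged ' ' lines keep their text as well (but stay Added=false).
func ParseHunk(hunk string, keepContext bool) []DiffLine {
	var lines []DiffLine
	for _, raw := range strings.Split(hunk, "\n") {
		if raw == "" || strings.HasPrefix(raw, "@@") {
			continue
		}
		switch raw[0] {
		case '+':
			lines = append(lines, DiffLine{Text: raw[1:], Added: true})
		case ' ':
			if keepContext {
				lines = append(lines, DiffLine{Text: raw[1:]})
			} else {
				lines = append(lines, DiffLine{}) // bare newline, as today
			}
		default: // '-' lines are not part of the post-commit file
			lines = append(lines, DiffLine{})
		}
	}
	return lines
}

// Simplified patterns for the example; the real detector is stricter.
var (
	userPat = regexp.MustCompile(`DOCKERHUB_USER\s*=\s*'([A-Za-z0-9_-]+)'`)
	tokPat  = regexp.MustCompile(`\b(dckr_pat_[A-Za-z0-9_-]+)\b`)
)

// Finding is a paired credential; Introduced is true only when at least one
// half of the pair sits on a line this commit added.
type Finding struct {
	Secret     string
	Introduced bool
}

// FindDockerHubPairs pairs every username with every token found in the
// chunk, the way a multi-part detector needs both halves to fire.
func FindDockerHubPairs(lines []DiffLine) []Finding {
	type part struct {
		val   string
		added bool
	}
	var users, toks []part
	for _, l := range lines {
		if m := userPat.FindStringSubmatch(l.Text); m != nil {
			users = append(users, part{m[1], l.Added})
		}
		if m := tokPat.FindStringSubmatch(l.Text); m != nil {
			toks = append(toks, part{m[1], l.Added})
		}
	}
	var out []Finding
	for _, u := range users {
		for _, t := range toks {
			out = append(out, Finding{Secret: u.val + ":" + t.val, Introduced: u.added || t.added})
		}
	}
	return out
}

func main() {
	fmt.Println("added lines only:", FindDockerHubPairs(ParseHunk(sampleHunk, false)))
	fmt.Println("with context:    ", FindDockerHubPairs(ParseHunk(sampleHunk, true)))
	fmt.Println("later commit:    ", FindDockerHubPairs(ParseHunk(laterHunk, true)))
}
```

With context dropped the username never reaches the detector and the rotated password is missed entirely; with context kept the pair is found and flagged as introduced in that commit, while the later commit still sees the pair but with Introduced=false, which is the signal a scanner can use to avoid reporting it a second time.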