
error unarchiving chunk: input type must be an io.ReaderAt and io.Seeker because of zip format constraints

Open rgmz opened this issue 5 months ago • 3 comments

Please review the Community Note before submitting

TruffleHog Version

Trace Output

2024-02-04T17:35:52-05:00       error   trufflehog      error unarchiving chunk.        {"source_manager_worker_id": "g9Nv6", "repo": "https://github.com/intel-cloud/cosbench.git", "commit": "380218a", "path": "0.3.1.0.zip", "timeout": 30, "error": "handling file 69: 0.3.1.0/ext/libs/com.springsource.org.apache.commons.codec-1.3.0.jar: input type must be an io.ReaderAt and io.Seeker because of zip format constraints"}

Expected Behavior

It should be possible to scan nested zip files.

Actual Behavior

Scanning zip files inside of other archives appears to fail.

Steps to Reproduce

Scan a zip or other archive that contains other zip files.

Environment

N/A

Additional Context

https://github.com/mholt/archiver/blob/81f9e06b11ad6ba424f8311c0bc18ceb01f2b67a/zip.go#L182

References

N/A

rgmz, Feb 04 '24 22:02

@ahrav according to git bisect, #2253 broke scanning nested archives (or at least zip files nested inside of other archives). Any thoughts on how we could resolve this? Could the logic be tweaked while preserving some optimizations?

$ git bisect start
$ git bisect good <old-commit>
$ git bisect bad
$ git bisect run /tmp/bisect_script.sh
...
commit 39f0310f1f02a05cf12c1c8ac358fedbbd15b848
Author: ahrav <>
Date:   Fri Dec 22 07:41:54 2023 -0800

    [fixup] -  Refactor to Pass Reader for Binary Diffs and Archived Data; Optimize /tmp Directory Cleanup (#2253)

 main.go                    | 30 ++++++++++++++++++++++++++++--
 pkg/cleantemp/cleantemp.go | 25 -------------------------
 pkg/engine/engine.go       |  5 +++++
 pkg/handlers/archive.go    |  7 +------
 pkg/sources/git/git.go     | 23 +----------------------
 5 files changed, 35 insertions(+), 55 deletions(-)
bisect found first bad commit
script code
#!/bin/sh

~/sdk/go1.21.0/bin/go build || exit 125   # an exit code of 125 asks "git bisect"
         # to "skip" the current commit

# run the application and check that it produces good output
./trufflehog filesystem /tmp/0.3.1.0.zip --only-verified 2>&1 | grep -q "input type must be an io.ReaderAt and io.Seeker because of zip format constraints"

if [ $? -eq 0 ]; then
    exit 1
else
    exit 0
fi

rgmz, Feb 06 '24 22:02
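The error in the trace comes from a property of the zip format: the central directory sits at the end of the file, so a zip reader needs random access, while an entry opened from inside another archive is only a forward-only stream. The sketch below is an added example, not TruffleHog's code or its fix; it uses Go's standard `archive/zip`, and the function names, the caps and the `!/` path separator are assumptions chosen for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"strings"
)

const maxEntry, maxDepth = 10 << 20, 5 // assumed caps: bytes buffered per archive, nesting levels

// zipOf builds a constructed one-entry zip in memory (sample input).
func zipOf(name, content string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	f, _ := w.Create(name)
	io.WriteString(f, content)
	w.Close()
	return buf.Bytes()
}

// listZip lists entry paths in a zip stream, descending into nested .zip/.jar entries.
func listZip(r io.Reader, prefix string, depth int) (paths []string, err error) {
	// zip.NewReader needs io.ReaderAt plus a size (the central directory is at the end
	// of the file), so the forward-only stream is buffered, with a cap, into a bytes.Reader.
	body, err := io.ReadAll(io.LimitReader(r, maxEntry+1))
	if err != nil || len(body) > maxEntry {
		return nil, fmt.Errorf("%q: unreadable or over %d bytes", prefix, maxEntry)
	}
	zr, err := zip.NewReader(bytes.NewReader(body), int64(len(body)))
	if err != nil {
		return nil, err
	}
	for _, f := range zr.File {
		paths = append(paths, prefix+f.Name)
		if n := strings.ToLower(f.Name); depth < maxDepth && (strings.HasSuffix(n, ".zip") || strings.HasSuffix(n, ".jar")) {
			if rc, err := f.Open(); err == nil { // io.ReadCloser only: no ReadAt, no Seek
				inner, _ := listZip(rc, prefix+f.Name+"!/", depth+1) // on failure the entry stays listed, unexpanded
				rc.Close()
				paths = append(paths, inner...)
			}
		}
	}
	return paths, nil
}

func main() {
	fmt.Println(listZip(bytes.NewReader(zipOf("libs/inner.jar", string(zipOf("config.properties", "k=v")))), "", 0))
}
```

The size cap and depth limit bound memory and recursion when a nested archive is a decompression bomb or contains itself.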