
Gist Scanning Errors

Open joeleonjr opened this issue 3 months ago • 4 comments

TruffleHog Version

trufflehog 3.71.1

Trace Output

Trace back

Expected Behavior

Gists should be scanned just like any other repository on GitHub.

Actual Behavior

Depending on the Gist URL structure, one of two different errors spits out:

URLs with the username (https://gist.github.com/raccoons-bot/627e15a45a596068ce8bfef3fd05ccdb.git)

Failed to fetch repository	{"source_manager_worker_id": "Xwjd7", "repo": "https://gist.github.com/raccoons-bot/627e15a45a596068ce8bfef3fd05ccdb.git", "error": "GET https://api.github.com/repos/raccoons-bot/627e15a45a596068ce8bfef3fd05ccdb: 404 Not Found []"}

URLs without the username (https://gist.github.com/274463.git)

Unable to cache repository info	{"source_manager_worker_id": "ATqG1", "repo": "https://gist.github.com/274463.git", "error": "missing cached info for gist: https://gist.github.com/274463.git"}

Steps to Reproduce

Run the following commands:

trufflehog github --repo https://gist.github.com/274463.git
trufflehog github --repo https://gist.github.com/raccoons-bot/627e15a45a596068ce8bfef3fd05ccdb.git

Environment

  • OS: OSX
  • Version 14.2.1

Additional Context

I believe this was introduced in PR #2379.

joeleonjr avatar Mar 28 '24 14:03 joeleonjr

This is caused by two faulty assumptions:

  1. that Gist URLs only contain one path segment
  2. that Gists wouldn't be scanned directly via the --repo flag (https://github.com/trufflesecurity/trufflehog/blob/55b3c1c0ec497fa0f274168b9868b4a47c734cd2/pkg/sources/github/github.go#L429-L437)

An obvious hot-fix would be to check whether the host is "gist.github.com", similar to what the existing code does elsewhere (prior code to #2379). However, this is a bad long-term solution as it won't work on GitHub Enterprise Server. https://github.com/rgmz/trufflehog/blob/283d83f113ff8762c8c301d1f3de7767c67f02e2/pkg/sources/github/github.go#L1074-L1075

rgmz avatar Mar 28 '24 14:03 rgmz
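To make the two assumptions above concrete, here is an added example (not TruffleHog's own code) that puts the segment-count heuristic next to a host-based classifier and runs both over the two Gist URL forms from this issue. The `gistHosts` allow-list is an assumption: on GitHub Enterprise Server it would have to be populated from configuration rather than hard-coded.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// GitRef is what a scanner needs from a --repo URL before it decides which API to call.
type GitRef struct {
	IsGist bool
	Ref    string // "<owner>/<name>" or, for username-less Gist URLs, the bare Gist ID
}

// parsePath returns the hostname and the one or two path segments, with ".git" stripped.
func parsePath(raw string) (host string, p []string, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", nil, err
	}
	p = strings.Split(strings.Trim(u.Path, "/"), "/")
	if p[0] == "" || len(p) > 2 {
		return "", nil, fmt.Errorf("unexpected path %q", u.Path)
	}
	p[len(p)-1] = strings.TrimSuffix(p[len(p)-1], ".git")
	return u.Hostname(), p, nil
}

// ClassifyBySegments reproduces the faulty assumption from the issue: one segment means Gist,
// two mean owner/repo, so a two-segment Gist URL is treated as repos/<owner>/<id> (the 404 above).
func ClassifyBySegments(raw string) (GitRef, error) {
	_, p, err := parsePath(raw)
	if err != nil {
		return GitRef{}, err
	}
	return GitRef{IsGist: len(p) == 1, Ref: strings.Join(p, "/")}, nil
}

// ClassifyByHost decides on the hostname instead, so both Gist URL forms are recognised.
// gistHosts is a constructed allow-list; a GitHub Enterprise Server deployment needs its own entry.
func ClassifyByHost(raw string, gistHosts map[string]bool) (GitRef, error) {
	host, p, err := parsePath(raw)
	if err != nil {
		return GitRef{}, err
	}
	return GitRef{IsGist: gistHosts[host], Ref: strings.Join(p, "/")}, nil
}
```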

Would it be reasonable to add a CLI flag just for gists?

joeleonjr avatar Mar 28 '24 15:03 joeleonjr

I think they are different enough that it would make sense. There's a lot of awkward code around mingling repositories and gists.

rgmz avatar Mar 29 '24 01:03 rgmz
