trufflehog
GitHub scan panic regression introduced in 3.78.2 (still present as of 3.83.6)
TruffleHog Version
3.83.6
Trace Output
$ trufflehog github --trace --no-update --repo=https://github.com/bsquare-corp/modbus-sphere-library
2024-11-13T12:00:26Z info-2 trufflehog trufflehog 3.83.6
🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷
2024-11-13T12:00:26Z info-4 trufflehog default engine options set
2024-11-13T12:00:26Z info-4 trufflehog engine initialized
2024-11-13T12:00:26Z info-4 trufflehog setting up aho-corasick core
2024-11-13T12:00:26Z info-4 trufflehog set up aho-corasick core
2024-11-13T12:00:26Z info-2 trufflehog starting scanner workers {"count": 8}
2024-11-13T12:00:26Z info-2 trufflehog starting detector workers {"count": 64}
2024-11-13T12:00:26Z info-2 trufflehog starting verificationOverlap workers {"count": 8}
2024-11-13T12:00:26Z info-2 trufflehog starting notifier workers {"count": 8}
2024-11-13T12:00:26Z info-0 trufflehog running source {"source_manager_worker_id": "vakj2", "with_units": true}
2024-11-13T12:00:26Z info-2 trufflehog enumerating source {"source_manager_worker_id": "vakj2"}
2024-11-13T12:00:26Z info-2 trufflehog Caching repository info {"source_manager_worker_id": "vakj2"}
2024-11-13T12:00:26Z info-1 trufflehog Enumerating with token {"source_manager_worker_id": "vakj2"}
2024-11-13T12:00:26Z info-3 trufflehog chunking unit {"source_manager_worker_id": "vakj2", "unit_kind": "repo", "unit": "https://github.com/bsquare-corp/modbus-sphere-library.git"}
2024-11-13T12:00:26Z info-2 trufflehog attempting to clone repo {"source_manager_worker_id": "vakj2", "unit_kind": "repo", "unit": "https://github.com/bsquare-corp/modbus-sphere-library.git", "repo": "https://github.com/bsquare-corp/modbus-sphere-library.git"}
2024-11-13T12:00:26Z info-0 trufflehog Completed enumeration {"source_manager_worker_id": "vakj2", "num_repos": 1, "num_orgs": 0, "num_members": 0}
2024-11-13T12:00:27Z info-3 trufflehog git subcommand finished {"source_manager_worker_id": "vakj2", "unit_kind": "repo", "unit": "https://github.com/bsquare-corp/modbus-sphere-library.git", "repo": "https://github.com/bsquare-corp/modbus-sphere-library.git", "subcommand": "git clone", "repo": "https://github.com/bsquare-corp/modbus-sphere-library.git", "path": "/var/folders/5q/mxtt6b4x4p3bpmjsm_r8th4h0000gn/T/trufflehog-37292-325172469", "args": [], "output": ""}
2024-11-13T12:00:27Z info-1 trufflehog successfully cloned repo {"source_manager_worker_id": "vakj2", "unit_kind": "repo", "unit": "https://github.com/bsquare-corp/modbus-sphere-library.git", "repo": "https://github.com/bsquare-corp/modbus-sphere-library.git", "subcommand": "git clone", "repo": "https://github.com/bsquare-corp/modbus-sphere-library.git", "path": "/var/folders/5q/mxtt6b4x4p3bpmjsm_r8th4h0000gn/T/trufflehog-37292-325172469", "args": []}
panic: runtime error: index out of range [0] with length 0
goroutine 241 [running]:
github.com/trufflesecurity/trufflehog/v3/pkg/sources/git.getSafeRemoteURL(0x14001e1c330, {0x105b926dc?, 0x0?})
/home/runner/work/trufflehog/trufflehog/pkg/sources/git/git.go:1209 +0xb4
github.com/trufflesecurity/trufflehog/v3/pkg/sources/git.(*Git).ScanCommits(0x14001d24120, {0x1072fd6a0, 0x14001c103f0}, 0x4b?, {0x140029f4320, 0x4b}, 0x14001a25c20, {0x1072d2300, 0x14000cf81e0})
/home/runner/work/trufflehog/trufflehog/pkg/sources/git/git.go:546 +0x54
github.com/trufflesecurity/trufflehog/v3/pkg/sources/git.(*Git).ScanRepo(0x14001d24120, {0x1072fd6a0, 0x14001c103f0}, 0x14001e1c330, {0x140029f4320, 0x4b}, 0x0?, {0x1072d2300, 0x14000cf81e0})
/home/runner/work/trufflehog/trufflehog/pkg/sources/git/git.go:924 +0xb8
github.com/trufflesecurity/trufflehog/v3/pkg/sources/github.(*Source).cloneAndScanRepo(0x14000186c80, {0x1072fd6a0, 0x14001c103f0}, {0x14002998460, 0x39}, {{0x14001e0c230, 0xc}, {0x14001b09818, 0x15}, {0x14000079a40, ...}, ...}, ...)
/home/runner/work/trufflehog/trufflehog/pkg/sources/github/github.go:731 +0x170
github.com/trufflesecurity/trufflehog/v3/pkg/sources/github.(*Source).scanRepo(0x14000186c80, {0x1072fd6a0, 0x14001c103f0}, {0x14002998460, 0x39}, {0x1072d2300, 0x14000cf81e0})
/home/runner/work/trufflehog/trufflehog/pkg/sources/github/github.go:678 +0x154
github.com/trufflesecurity/trufflehog/v3/pkg/sources/github.(*Source).ChunkUnit(0x14000186c80, {0x1072fd6a0, 0x14001c10300}, {0x1072d3660?, 0x140009395c0?}, {0x1072d2300, 0x14000cf81e0})
/home/runner/work/trufflehog/trufflehog/pkg/sources/github/github.go:1533 +0xc8
github.com/trufflesecurity/trufflehog/v3/pkg/sources.(*SourceManager).runWithUnits.func3()
/home/runner/work/trufflehog/trufflehog/pkg/sources/source_manager.go:369 +0x1ec
golang.org/x/sync/errgroup.(*Group).Go.func1()
/home/runner/go/pkg/mod/golang.org/x/[email protected]/errgroup/errgroup.go:78 +0x54
created by golang.org/x/sync/errgroup.(*Group).Go in goroutine 202
/home/runner/go/pkg/mod/golang.org/x/[email protected]/errgroup/errgroup.go:75 +0x98
Expected Behavior
Successful scan
Actual Behavior
Panic
Steps to Reproduce
trufflehog github --trace --no-update --repo=https://github.com/bsquare-corp/modbus-sphere-library
Environment
OSX M1 Sequoia 15.1
Additional Context
By pinning the version to 3.78.1 the problem does not occur. Pinning the version to 3.78.2 the problem starts occurring, indicating a change introduced in that version is the root cause.
I can't reproduce this. What version of Git are you using?
$ git --version
git version 2.39.5 (Apple Git-154)
$ trufflehog github --no-update --repo=https://github.com/bsquare-corp/modbus-sphere-library
🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷
2024-11-13T10:19:52-05:00 info-0 trufflehog running source {"source_manager_worker_id": "UVVDE", "with_units": true}
2024-11-13T10:19:52-05:00 info-0 trufflehog Completed enumeration {"source_manager_worker_id": "UVVDE", "num_repos": 1, "num_orgs": 0, "num_members": 0}
2024-11-13T10:19:52-05:00 info-0 trufflehog scanning repo {"source_manager_worker_id": "UVVDE", "unit_kind": "repo", "unit": "https://github.com/bsquare-corp/modbus-sphere-library.git", "repo": "https://github.com/bsquare-corp/modbus-sphere-library.git"}
2024-11-13T10:19:53-05:00 info-0 trufflehog finished scanning {"chunks": 175, "bytes": 375461, "verified_secrets": 0, "unverified_secrets": 0, "scan_duration": "935.811667ms", "trufflehog_version": "dev"
The problematic line is here; it shouldn't be possible for a freshly cloned repository to not contain a remote URL. https://github.com/trufflesecurity/trufflehog/blob/61304007df30c950013692dcdbda2185e9af2283/pkg/sources/git/git.go#L1208-L1209
What do you see if you have
$ git clone https://github.com/bsquare-corp/modbus-sphere-library.git
$ cd modbus-sphere-library
$ git config --get remote.origin.url
https://github.com/bsquare-corp/modbus-sphere-library.git
I get nothing, because the above presupposes the remote will be called 'origin'; mine is not, it's called 'github'.
That might explain why this fails.
$ git config list | grep clone
clone.defaultremotename=github
$ git config --get remote.github.url
https://github.com/bsquare-corp/modbus-sphere-library.git
$
I get nothing, because the above presupposes the remote will be called 'origin'; mine is not, it's called 'github'.
Origin is the default remote name for cloned repositories (https://git-scm.com/book/en/v2/Git-Branching-Remote-Branches). Is there a configuration value that changes the default?
Yes, I indicated that in my message above... clone.defaultremotename
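A defensive version of the remote-URL lookup discussed in this thread, written as an added example (not trufflehog's own code): it parses .git/config-style text, prefers origin, then the name given by clone.defaultremotename, then a lone remote of any name, and returns an error instead of indexing an empty remote list. The sample config and its URL are constructed; in practice clone.defaultremotename usually lives in the user's global config rather than the repository's, which is why the single-remote fallback matters.

```go
package main

import (
	"bufio"
	"errors"
	"strings"
)

// Constructed .git/config of a clone made with clone.defaultremotename=github (hypothetical URL).
const sampleConfig = `[clone]
	defaultremotename = github
[remote "github"]
	url = https://github.com/example/repo.git
`

// parseRemotes returns remote name -> url and clone.defaultremotename ("" if unset).
func parseRemotes(cfg string) (map[string]string, string) {
	remotes, section, def := map[string]string{}, "", ""
	sc := bufio.NewScanner(strings.NewReader(cfg))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		k, v, _ := strings.Cut(line, "=")
		k, v = strings.TrimSpace(k), strings.TrimSpace(v)
		switch {
		case line == "" || line[0] == '#' || line[0] == ';': // blank line or comment
		case line[0] == '[': // section header, e.g. [remote "github"] or [clone]
			section = strings.Trim(line, "[]")
		case strings.HasPrefix(section, `remote "`) && k == "url":
			remotes[strings.Trim(strings.TrimPrefix(section, "remote "), `"`)] = v
		case strings.EqualFold(section, "clone") && strings.EqualFold(k, "defaultremotename"):
			def = v
		}
	}
	return remotes, def
}

// safeRemoteURL prefers "origin", then the configured default remote name, then a lone remote; an empty list yields an error, not an index panic.
func safeRemoteURL(cfg string) (string, error) {
	remotes, def := parseRemotes(cfg)
	for _, name := range []string{"origin", def} {
		if u, ok := remotes[name]; ok && name != "" {
			return u, nil
		}
	}
	if len(remotes) == 1 {
		for _, u := range remotes {
			return u, nil
		}
	}
	return "", errors.New("repository has no remote with a URL")
}
```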
Hi @richardj-bsquare, I wasn't able to reproduce this issue with the latest version. Could you please confirm whether it's still occurring on your end?
@kashifkhan0771 Works now thanks, sorry for the late reply :-D