trufflehog icon indicating copy to clipboard operation
trufflehog copied to clipboard

Published 20 hours ago verified publisher icon trufflesecurity

FTP detector ignores context timeout

Open rgmz opened this issue 1 year ago • 4 comments

2024-12-02T12:08:21-05:00 error trufflehog a detector ignored the context timeout {"detector_worker_id": "J5m7Y", "detector": {"type":"FTP"}, "timeout": 60, "link": "https://github.com/Samsung/ChromiumGStreamerBackend/blob/29c79f177ee954858d754c0faf6d237b4a8a7fbd/net/base/net_util_unittest.cc#L1"}}

rgmz avatar Dec 02 '24 17:12 rgmz

The FTP detector does not use context for handling timeouts. Instead, it relies on this logic for setting timeouts. The issue comes because s.verificationTimeout is never set, causing it to always fall back to defaultVerificationTimeout, which is 5 seconds.

To address this, I tried a solution where the timeout is retrieved from the context instead of relying on the current logic.

func getContextTimeout(ctx context.Context) time.Duration {
	deadline, ok := ctx.Deadline()
	if !ok {
		return defaultVerificationTimeout
	}
	return time.Until(deadline)
}

With this change, the scan_duration matches whatever timeout I pass for --detector-timeout, as shown in the screenshot below. However, I noticed that if I pass --detector-timeout greater than 30 seconds, the scan_duration still caps at 30 seconds. It seems like there’s a limit enforced somewhere, but I haven’t checked where that happens yet.

Screenshot from 2024-12-30 18-57-29

kashifkhan0771 avatar Dec 30 '24 14:12 kashifkhan0771

If this solution looks fine, I can create a pull request.

kashifkhan0771 avatar Dec 30 '24 14:12 kashifkhan0771

The issue comes because s.verificationTimeout is never set, causing it to always fall back to defaultVerificationTimeout, which is 5 seconds.

While that is an issue, it's a bit more complicated. Even if the detector uses defaultVerificationTimeout, which is a reasonable limit, the call toftp.Dial can hang for much longer.

Running a local test with some additional logs we can see that the FTP detector waits 240s before returning an error:

2024-12-30T11:54:08-05:00	info-0	trufflehog	running source	{"source_manager_worker_id": "Azdxr", "with_units": true}
Dialing google.com:80...
...
2024-12-30T11:54:19-05:00	error	trufflehog	a detector ignored the context timeout	{"detector_worker_id": "vdHRj", "detector": {"type":"FTP"}, "timeout": 10}
Dial error: EOF...
2024-12-30T11:58:09-05:00	info-0	trufflehog	Finished verification after	{"detector_worker_id": "vdHRj", "detector": {"type":"FTP"}, "timeout": 10, "time": 240.179151834}

rgmz avatar Dec 30 '24 16:12 rgmz

That's weird because we are passing timeout to ftp.Dial here. Whatever timeout is set the ftp.Dial should use the same 🤔

Also, can you share the command you are using to run?

kashifkhan0771 avatar Dec 31 '24 06:12 kashifkhan0771