syslog source: chunking metadata error

Open nabokihms opened this issue 1 year ago • 1 comments

TruffleHog Version

v3.88.2

Trace Output

https://github.com/trufflesecurity/trufflehog/blob/b6b00bbe5460109a21287b6612bd68a86bf060c2/pkg/sources/syslog/syslog.go#L251-L285

Expected Behavior

Syslog works without error

Actual Behavior

Panic while sending long messages via syslog

Steps to Reproduce

The main issue is that if the syslog message field is longer than the buffer (8096 bytes), it will be chunked.

Then there will be an attempt to extract metadata from each chunk, which will end with the error for chunks with numbers 1+.

For all the following chunks of the long message the source metadata field will be nil, which will result in a panic.

Additional Context

It seems like we need to read the full message from the connection before parsing its metadata. The current approach with the limited buffer is too fragile.

nabokihms avatar Jan 29 '25 03:01 nabokihms

@trufflesecurity hello, folks. Do you need a fix for the problem? I'm currently living with a patched version.

nabokihms avatar Feb 24 '25 07:02 nabokihms

Hi @nabokihms, thank you for reporting this issue.

I was able to successfully reproduce the problem under the following scenarios:

  • Invalid input format
  • Valid input provided, but no format specified
  • Large input split into multiple chunks. The first chunk parses successfully, but subsequent chunks fail

All three scenarios resulted in panics.

I've addressed these issues in this PR: #4366

kashifkhan0771 avatar Aug 05 '25 13:08 kashifkhan0771

Thanks a lot, @kashifkhan0771

nabokihms avatar Aug 05 '25 20:08 nabokihms
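The failure mode from the report and from the third scenario in the maintainer's reply, as an added example (not TruffleHog's code and not the fix in the PR): parsing each buffer-sized piece on its own leaves later chunks with nil metadata, while parsing the whole message once gives every chunk the same metadata and turns an unparsable message into an error. The `Metadata` and `Chunk` types, the simplified `<PRI>HOST APP: body` header and the 32-byte buffer are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

type Metadata struct{ Host, App string } // hypothetical stand-ins, not TruffleHog types
type Chunk struct {
	Data string
	Meta *Metadata
}

// parseHeader reads a constructed "<PRI>HOST APP: body" line (simplified syslog).
func parseHeader(msg string) (*Metadata, string, error) {
	m := &Metadata{}
	head, body, _ := strings.Cut(msg, ": ")
	if _, err := fmt.Sscanf(head, "<%d>%s %s", new(int), &m.Host, &m.App); err != nil {
		return nil, "", fmt.Errorf("no syslog header: %w", err)
	}
	return m, body, nil
}

// chunk cuts s into pieces of at most size bytes (size > 0), tagging each with metaFor(piece).
func chunk(s string, size int, metaFor func(string) *Metadata) (out []Chunk) {
	for ; len(s) > size; s = s[size:] {
		out = append(out, Chunk{s[:size], metaFor(s[:size])})
	}
	return append(out, Chunk{s, metaFor(s)})
}

// naiveChunks parses each piece alone and drops the error: chunks 1+ get nil metadata.
func naiveChunks(msg string, size int) []Chunk {
	return chunk(msg, size, func(p string) *Metadata { m, _, _ := parseHeader(p); return m })
}

// safeChunks parses the whole message once and shares that metadata, or rejects the message.
func safeChunks(msg string, size int) ([]Chunk, error) {
	meta, body, err := parseHeader(msg)
	if err != nil {
		return nil, err
	}
	return chunk(body, size, func(string) *Metadata { return meta }), nil
}

func main() {
	msg := "<13>web01 app: " + strings.Repeat("A", 40) // constructed sample message
	safe, err := safeChunks(msg, 32)
	fmt.Println("naive chunk 1 nil metadata:", naiveChunks(msg, 32)[1].Meta == nil, "| safe chunks:", len(safe), "err:", err)
}
```

Any consumer that dereferences `Meta` without a nil check fails on the second chunk from `naiveChunks`; with `safeChunks` the only failure path is the returned error.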