Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add explicit warning when an overlap is detected #2929

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add explicit warning when an overlap is detected #2929

wants to merge 1 commit into from

Conversation

rgmz
Copy link
Contributor

@rgmz rgmz commented Jun 6, 2024
edited
Loading

Description:

Similar to #2922, the goal of this change is to provide clear and actionable information if a detection is impacted.

The problem is currently that "verification overlap" doesn't provide useful feedback. Even if you use --results=unknown to see the error, it doesn't tell you which detectors overlapped.

2024-06-06T08:27:05-04:00       info-0  trufflehog      WARNING: A result will not be verified because more than one detector matches. You can override this behavior by using the --allow-verification-overlap flag    {"verification_overlap_worker_id": "2hlPu", "detectors": ["AzureSearchAdminKey", "AzureDevopsPersonalAccessToken"]}

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

@CLAassistant
Copy link

CLAassistant commented Jun 6, 2024
edited
Loading

CLA assistant check
All committers have signed the CLA.

@rgmz rgmz force-pushed the feat/overlap-notify branch 5 times, most recently from f334a37 to 503266e Compare June 6, 2024 12:42
@rgmz rgmz marked this pull request as ready for review June 6, 2024 12:42
@rgmz rgmz requested review from a team as code owners June 6, 2024 12:42
@rgmz rgmz force-pushed the feat/overlap-notify branch from 503266e to 7bc6358 Compare June 6, 2024 12:49
rgmz
rgmz commented Jun 6, 2024
View reviewed changes
pkg/engine/engine.go
@@ -752,7 +779,20 @@ func (e *Engine) verificationOverlapWorker(ctx context.Context) {
continue
}

if likelyDuplicate(ctx, key, chunkSecrets) {
if ok, t := likelyDuplicate(ctx, key, chunkSecrets); ok {
Copy link
Contributor Author

@rgmz rgmz Jun 6, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Personally, I don't understand the threat model for this feature. It silently skips verification if a result matches more than one detector, which happens frequently during normal operation and can result in valid secrets being skipped.

The notion of a "malicious" detector is confusing — is Truffle adding malicious detectors to TruffleHog? Either this check needs a whitelist of common overlaps (e.g., Azure-related, URL and FTP), or it should only trigger between built-in and custom detectors (IMO).

pkg/engine/engine_test.go
@@ -633,7 +633,7 @@ func TestLikelyDuplicate(t *testing.T) {
name: "empty strings",
val: chunkSecretKey{"", detectorA.Key},
dupes: map[chunkSecretKey]struct{}{{"", detectorB.Key}: {}},
expected: true,
expected: false,
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should empty strings be considered duplicates? I guess it makes sense, but I'd initially tweaked the logic for likelyDuplicate to ignore anything smaller than 3 characters.

@rgmz rgmz force-pushed the feat/overlap-notify branch 3 times, most recently from adb2b14 to e9988fa Compare June 21, 2024 02:51
@rgmz rgmz force-pushed the feat/overlap-notify branch 2 times, most recently from ae3db9c to 582444e Compare July 1, 2024 18:37
@rgmz rgmz force-pushed the feat/overlap-notify branch from 582444e to c3e49e8 Compare September 13, 2024 11:45
@rgmz rgmz force-pushed the feat/overlap-notify branch from c3e49e8 to 7021992 Compare November 3, 2024 14:37
@rgmz rgmz requested a review from a team as a code owner November 3, 2024 14:37
@rgmz rgmz force-pushed the feat/overlap-notify branch 3 times, most recently from 5ca7755 to 9dd4a83 Compare November 11, 2024 19:20
@rgmz rgmz force-pushed the feat/overlap-notify branch from 9dd4a83 to 1841161 Compare December 2, 2024 13:29
@rgmz rgmz requested a review from a team as a code owner December 2, 2024 13:29
@rgmz rgmz force-pushed the feat/overlap-notify branch from 1841161 to 099544a Compare December 15, 2024 15:29
@rgmz rgmz force-pushed the feat/overlap-notify branch from 099544a to 030ca35 Compare December 21, 2024 16:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rgmz @CLAassistant