Support indeterminacy in alchemy and update detector docs #1510
Conversation
rosecodym
changed the title
pkg/common/http.go
Outdated
| func SaneHttpClientTimeOut(timeOutSeconds int64) *http.Client { | ||
| func SaneHttpClientTimeOut(timeoutMs int64) *http.Client { | ||
| httpClient := &http.Client{} | ||
| httpClient.Timeout = time.Second * time.Duration(timeOutSeconds) | ||
| httpClient.Timeout = time.Millisecond * time.Duration(timeoutMs) |
There was a problem hiding this comment.
Since we're changing the units here already, could we change the input parameter to be a time.Duration so the user can choose? It also help readability:
client := SaneHttpClientTimeOut(10 * time.Second) // 10s
client := SaneHttpClientTimeOut(10000) // ???This will also make code that imports this function not compile* when it gets updated, which is better than silently making all timeouts 1000x faster.
*I think.. hopefully Go doesn't silently promote an int64 to a time.Duration
There was a problem hiding this comment.
That's a good suggestion but it looks like Go will silently interpret int64 values as nanoseconds. As you pointed out, this means we should be careful when vendoring the change in.
| @@ -47,6 +48,10 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result | |||
| } | |||
|
|
|||
| if verify { | |||
| client := s.client | |||
There was a problem hiding this comment.
optional: You could maybe just check s.client == nil and use it on line 59 below, rather than creating a client every time.
There was a problem hiding this comment.
do you mean mutating the scanner struct?
There was a problem hiding this comment.
Yep. Or set it as a default somewhere? As it is, every time this attempts to verify it will create a new client. Which is fine, but probably not necessary.
| In Trufflehog parlance, the first type of verification response is called _determinate_ and the second type is called _indeterminate_. Verification code should distinguish between the two by returning an error object in the result struct **only** for indeterminate failures. In general, a verifier should return an error (indicating an indeterminate failure) in all cases that haven't been explicitly identified as determinate failure states. For example, if a verifier makes an HTTP request to a hypothetical authentication endpoint, the response codes could determine what to return: | ||
| * Any `2xx` response would indicate that verification succeeded. | ||
| * A `403` response would indicate that verification failed **determinately** and no error object should be returned. | ||
| * Any other response would indicate that verification failed **indeterminately** and an error object should be returned. |
There was a problem hiding this comment.
I'm not sure we can say this is true for all apis we test against. e.g. Docker can still be a valid credential and return a 401 -
trufflehog/pkg/detectors/dockerhub/dockerhub.go
Lines 79 to 82 in 8ec5e49
So maybe adjust the language to be less certain about the indeterminate verification failure in the case of non 2XX or 403 responses.
There was a problem hiding this comment.
I was trying to pick language that made it clear that was a hypothetical case, but I guess I didn't do a good job :(
There was a problem hiding this comment.
Maybe a separate paragraph for the start of the hypothetical case? And potentially changing the would to would likely?
rosecodym
force-pushed
the
alchemy-indeterminacy
branch
from
1c719c7
to
96ab00c
Compare
rosecodym
force-pushed
the
alchemy-indeterminacy
branch
from
96ab00c
to
af642d6
Compare
This isn't an "important" detector - except that it's the template detector that the detector generator runs on! This PR also:
Durationdirectly instead of interpreting aint64as a number of secondsint64values to Durations, so we need to be careful when making this change elsewhere