Scan GitHub issue & pr titles #1899

Merged (1 commit), Nov 23, 2023

Conversation

rgmz (Contributor) commented Oct 17, 2023

Description:

This change appends issue and PR titles to the scan data for --issue-comments and --pr-comments respectively. People apparently share secrets in titles, for instance: https://github.com/coinbase/waas-client-library-go /issues/52 (intentional space to avoid linking).

It would be ideal to write test cases for this; however, off the top of my head I'm not sure of the best way to test chunkIssues and chunkPullRequests. Unit tests would seemingly require either mocking s.visibilityOf() or rewriting the code.

func (s *Source) chunkIssues(ctx context.Context, repo, repoPath string, issues []*github.Issue, chunksChan chan *sources.Chunk) error {
    for _, issue := range issues {
        // Skip pull requests since covered by processPRs.
        if issue.IsPullRequest() {
            continue
        }
        // Create chunk and send it to the channel.
        chunk := &sources.Chunk{
            SourceName: s.name,
            SourceID:   s.SourceID(),
            JobID:      s.JobID(),
            SourceType: s.Type(),
            SourceMetadata: &source_metadatapb.MetaData{
                Data: &source_metadatapb.MetaData_Github{
                    Github: &source_metadatapb.Github{
                        Link:       sanitizer.UTF8(issue.GetHTMLURL()),
                        Username:   sanitizer.UTF8(issue.GetUser().GetLogin()),
                        Email:      sanitizer.UTF8(issue.GetUser().GetEmail()),
                        Repository: sanitizer.UTF8(repo),
                        Timestamp:  sanitizer.UTF8(issue.GetCreatedAt().String()),
                        Visibility: s.visibilityOf(ctx, repoPath),
                        // ... (the rest of the function is cut off in the original comment)

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

@rgmz rgmz requested a review from a team as a code owner October 17, 2023 23:22
@rgmz rgmz force-pushed the feat/github-scan-titles branch 2 times, most recently from 688ebe9 to bac45cc, October 30, 2023 00:07
ahrav (Collaborator) left a comment

This makes sense to me. Goes to show, secrets literally are everywhere 😅 Thanks for the addition.

@ahrav ahrav merged commit 1f502fd into trufflesecurity:main Nov 23, 2023
8 of 9 checks passed
@rgmz rgmz deleted the feat/github-scan-titles branch November 23, 2023 03:20
rgmz (Contributor, Author) commented Nov 23, 2023

It occurs to me that it might be better to separate them with a newline, in case any patterns rely on word boundaries.
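Added example (not part of this PR or of trufflehog's code base) covering two points raised in the thread: the opening comment's question of how to unit-test chunkIssues when it depends on s.visibilityOf(), and the closing remark that the title and body should be separated by a newline so word-boundary patterns still match. The Issue, Chunk and Source types, the VisibilityOf field, IssueScanData, ChunkIssues, FindTokens and the "xyz_" token regex are all constructed for illustration; the sample issue data is constructed too, and the real go-github types and sources.Chunk are not used. Visibility lookup is modelled as an injectable function so the test below can stub it without any network access.

```go
package main

import (
	"context"
	"fmt"
	"regexp"
)

// Issue is a constructed stand-in for the handful of github.Issue fields
// this example needs; it is not the go-github type.
type Issue struct {
	Title   string
	Body    string
	HTMLURL string
	IsPR    bool
}

// Chunk is the unit handed to detectors: the bytes to scan plus a little
// metadata (a simplification of sources.Chunk, not the real type).
type Chunk struct {
	Link       string
	Visibility string
	Data       []byte
}

// Source holds the one dependency that makes chunkIssues awkward to unit
// test. Here VisibilityOf is a field (hypothetical design) so a test can
// inject a stub instead of a method that calls the GitHub API.
type Source struct {
	VisibilityOf func(ctx context.Context, repoPath string) string
}

// IssueScanData builds the text to scan from an issue's title and body.
// sep goes between them; the thread suggests "\n" rather than nothing so
// that detector patterns relying on \b still match.
func IssueScanData(title, body, sep string) []byte {
	return []byte(title + sep + body)
}

// ChunkIssues mirrors the loop in the PR: skip pull requests, stamp each
// issue with repository visibility, and emit its scan data as a Chunk.
// Chunks are returned as a slice instead of sent on a channel to keep the
// example synchronous and easy to assert on.
func (s *Source) ChunkIssues(ctx context.Context, repoPath string, issues []Issue, sep string) []Chunk {
	var chunks []Chunk
	for _, issue := range issues {
		if issue.IsPR {
			continue // PRs are chunked by the PR path, not here
		}
		chunks = append(chunks, Chunk{
			Link:       issue.HTMLURL,
			Visibility: s.VisibilityOf(ctx, repoPath),
			Data:       IssueScanData(issue.Title, issue.Body, sep),
		})
	}
	return chunks
}

// tokenPattern is a constructed detector regex for a fictional "xyz_" token.
// Like many real detectors it anchors both ends with \b, which is exactly
// what breaks when a title is glued directly onto a body.
var tokenPattern = regexp.MustCompile(`\bxyz_[A-Za-z0-9]{16}\b`)

// FindTokens runs the detector over one chunk and returns every match.
func FindTokens(c Chunk) []string {
	return tokenPattern.FindAllString(string(c.Data), -1)
}

func main() {
	// Constructed sample data: the secret sits at the end of the title and the
	// body starts with a word character, so an empty separator hides it.
	src := &Source{VisibilityOf: func(context.Context, string) string { return "public" }}
	issues := []Issue{
		{Title: "Prod key leaked: xyz_ABCDEFGHIJKLMNOP", Body: "Please rotate it.", HTMLURL: "https://example.invalid/issues/1"},
		{Title: "Fix typo", Body: "", HTMLURL: "https://example.invalid/pull/2", IsPR: true},
	}
	for _, sep := range []string{"", "\n"} {
		for _, c := range src.ChunkIssues(context.Background(), "owner/repo", issues, sep) {
			fmt.Printf("sep=%q link=%s visibility=%s matches=%v\n", sep, c.Link, c.Visibility, FindTokens(c))
		}
	}
}
```

With sep set to "" the detector reports nothing, because the token's trailing \b lands between the final "P" of the key and the "P" of "Please"; with "\n" the same data yields one match. The stubbed VisibilityOf is what lets this run as a plain unit test.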
