Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a flag to disable ssl verify #2905

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add a flag to disable ssl verify #2905

wants to merge 1 commit into from

Conversation

rgmz
Copy link
Contributor

@rgmz rgmz commented Jun 2, 2024
edited
Loading

Description:

This creates an experimental flag to disable SSL verification for detectors. This is useful in corporate environments where MITMing SSL traffic is common and certificates are replaced with self-signed ones.

This implementation is an incomplete POC.

  • There may not be total coverage for http clients
  • Detectors that rely on third-party libraries likely need to be configured separately.

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

@rgmz rgmz requested a review from a team as a code owner June 2, 2024 15:05
@rgmz rgmz force-pushed the feat/ssl-verify branch from 80e4c51 to 8116ef4 Compare June 5, 2024 00:38
@rgmz rgmz force-pushed the feat/ssl-verify branch 3 times, most recently from bc5f5d1 to ae43a9b Compare June 21, 2024 02:48
@rgmz rgmz force-pushed the feat/ssl-verify branch 2 times, most recently from cd9eb96 to ea06b39 Compare July 1, 2024 18:36
@zricethezav
Copy link
Collaborator

Slapping a draft label on this since it's an incomplete POC

@zricethezav zricethezav marked this pull request as draft July 9, 2024 21:53
@rgmz
Copy link
Contributor Author

rgmz commented Jul 9, 2024

It could use a review to determine whether it's worth putting any more effort into.

@ahrav
Copy link
Collaborator

ahrav commented Jul 9, 2024

It could use a review to determine whether it's worth putting any more effort into.

I like the idea, but I'm a bit nervous about the global variable. Is there a way to use the flag to construct the transport instead? I'm concerned that it's too easy for anyone to reach into the transport and change the TLSConfig. That being said, if others are okay with this approach, I won't object. 😅

@rgmz
Copy link
Contributor Author

rgmz commented Jul 9, 2024

I like the idea, but I'm a bit nervous about the global variable.

It's a bit of a smell. I couldn't think of an easier way to propagate such a value to multiple packages before the dependent code initializes.

@rgmz rgmz mentioned this pull request Sep 4, 2024
Merged
2 tasks
@rgmz rgmz force-pushed the feat/ssl-verify branch 3 times, most recently from 8864c74 to 4866a8f Compare November 8, 2024 13:58
@rgmz rgmz force-pushed the feat/ssl-verify branch 2 times, most recently from 864bff4 to e6cc78b Compare November 27, 2024 00:33
@rgmz
Copy link
Contributor Author

rgmz commented Nov 27, 2024

Unfortunately, it seems this isn't possible. The hundreds of detectors with logic like defaultClient = common.SaneHttpClient() means that SaneHttpClient() gets invoked well before init in main.go.

As far as I'm aware, there's no equivalent to something like Kotlin's lazy { } initializer. Would it be feasible to initialize the client on each FromData call instead?

@rgmz
Copy link
Contributor Author

rgmz commented Dec 31, 2024

Unfortunately, it seems this isn't possible. The hundreds of detectors with logic like defaultClient = common.SaneHttpClient() means that SaneHttpClient() gets invoked well before init in main.go.

As far as I'm aware, there's no equivalent to something like Kotlin's lazy { } initializer. Would it be feasible to initialize the client on each FromData call instead?

For this to work, the top-level var would need to be replaced with a lazy initialization.

trufflehog/pkg/detectors/scrapingbee/scrapingbee.go

Lines 61 to 63 in 316316e

if s.client == nil {
s.client = common.SaneHttpClient()
}

@rgmz rgmz mentioned this pull request Jan 1, 2025
Merged
2 tasks
@rgmz rgmz force-pushed the feat/ssl-verify branch from 9c3d04e to acfc46b Compare January 1, 2025 18:40
@rgmz rgmz force-pushed the feat/ssl-verify branch 3 times, most recently from 28f6bfe to dcfd02a Compare January 12, 2025 17:36
@rgmz
Copy link
Contributor Author

rgmz commented Jan 12, 2025

For this to work, the top-level var would need to be replaced with a lazy initialization.

I've managed to partially solve this, at least for detectors that were using detectors.DetectorHttpClientWithNoLocalAddresses and detectors.DetectorHttpClientWithLocalAddresses.

@rgmz rgmz marked this pull request as ready for review January 12, 2025 17:38
@rgmz rgmz requested a review from a team as a code owner January 12, 2025 17:38
@rgmz rgmz requested a review from a team as a code owner January 12, 2025 17:38
@rgmz rgmz force-pushed the feat/ssl-verify branch 3 times, most recently from d6edbe8 to dc5983e Compare January 13, 2025 22:59
rosecodym
rosecodym requested changes Jan 15, 2025
View reviewed changes
Copy link
Collaborator

@rosecodym rosecodym left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In theory, if you could toggle ssl-verify while the scan was running, changes to it wouldn't affect detectors that had already been initialized, right?

If so - and I really hate to be the bearer of bad news on this - that means the new feature flag operates differently from the other defined ones in a way that actually matters not to you (or any other OSS user) but to TruffleHog Enterprise, which also uses this code. TruffleHog Enterprise runs as a persistent daemon, so we need the ability to dynamically toggle feature flags of running processes and have the changes be reflected. Having some flags require scanner restarts and other flags not require them is an accident waiting to happen.

I know this kind of sends you back to the drawing board, but I really want to avoid some future person having a really irritating surprise.

(Or I'm misreading this and imagined a problem that doesn't exist!)

@rgmz
Copy link
Contributor Author

rgmz commented Jan 15, 2025

In theory, if you could toggle ssl-verify while the scan was running, changes to it wouldn't affect detectors that had already been initialized, right?

That is correct for HTTP-based detectors. Non-HTTP detectors like MongoDB would work dynamically.

Detectors that use common.SaneClient() or detectors.DetectorHttpClientWithNoLocalAddresses create a singleton at start-up, either globally or per-detector. 'Fixing' this would require changing 800+ detectors to dynamically create HTTP clients, and that may have other implications.

Since this pattern is literally from the first commit of v3, I think a change of that scale is probably outside of the scope of this. :/

@rgmz rgmz force-pushed the feat/ssl-verify branch 2 times, most recently from 8148920 to 592b1fb Compare January 17, 2025 19:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rosecodym rosecodym rosecodym requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@rgmz @zricethezav @ahrav @rosecodym