
[bug] Github Action fails if any commit msg contains a single quote #2252

Closed
elewis-path opened this issue Dec 21, 2023 · 2 comments · Fixed by #2259
Comments

@elewis-path

The current Trufflehog Github Action is failing to run on commits if the message contains a single quote ('). I believe this is because the check here is using the github.event.commits object content without escaping it.

TruffleHog Version

current (first introduced in a6364415e6bda69e5e307c0b33281bde6937e972)

Expected Behavior

The TH Github action completes, and reports pass or fail if there are secrets detected.

Actual Behavior

The TH Github action fails to start, and always reports an error.

Steps to Reproduce

  1. Create a git commit with a single-quote in the commit msg (example: git commit --allow-empty -m "Bob's example commit")
  2. Push to a Github repo with the TH Github Action enabled
  3. Check the Github Actions output
  4. Confirm the TH action failed with a parsing error (exact text depends on the content of the commit messages):
line 67: unexpected EOF while looking for matching `"'
Error: Process completed with exit code 2.

Environment

  • Github Action

Additional Context

If the cause suggested above is correct, this would also fail if the commit author's name or email contains a single quote (anything in the commits array specified here: https://docs.github.com/en/rest/using-the-rest-api/github-event-types?apiVersion=2022-11-28#pushevent).

References

  • #0000
@nbonnotte

I can confirm the bug. Root cause in my case seems to be the part where jq is used to get the commit length:

COMMIT_LENGTH=$(jq length <<< '[
 {
      "author": {
        "email": "nicolas.bonnotte@backmarket.com",
        "name": "Nicolas Bonnotte",
        "username": "nbonnotte"
      },
      "committer": {
        "email": "nicolas.bonnotte@backmarket.com",
        "name": "Nicolas Bonnotte",
        "username": "nbonnotte"
      },
      "distinct": true,
      "id": "...",
      "message": "Remove 'Hello World'",
      "timestamp": "2023-12-21T17:49:52+01:00",
      "tree_id": "...",
      "url": "..."
    }
]')

If the JSON contains any single quote, like in my example, jq gets confused and exits with an error:

jq: error: Could not open file World",
      "timestamp": "2023-12-21T17:49:52+01:00",
      "tree_id": "...",
      "url": "..."
    }
]: No such file or directory

@0x2b3bfa0
Contributor

Thanks, @elewis-path & @nbonnotte! #2259 should fix this.
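An added illustration of the quoting problem described in the report and in @nbonnotte's reproduction; it is not the action's own action.yml and not the change made in #2259. The first step shows the unsafe pattern, where the `${{ }}` expression is expanded into the script text before bash parses it; the second hands the same JSON to the step through an environment variable (the name `COMMITS` and the step names are assumed).

```yaml
# Unsafe: GitHub substitutes the commits JSON into the script source before
# bash reads it, so a commit message like "Bob's example commit" terminates the
# single-quoted here-string early and the rest of the JSON becomes shell syntax
# (bash: unexpected EOF while looking for matching quote; jq: cannot open file).
- name: Count push commits (unsafe pattern, shown for comparison)
  shell: bash
  run: |
    COMMIT_LENGTH=$(jq length <<< '${{ toJSON(github.event.commits) }}')
    echo "commits in push: $COMMIT_LENGTH"

# Safer: the expression is evaluated into an environment variable, not into the
# script text. bash expands "$COMMITS" at run time as one string, so quotes,
# backticks or $() in commit messages, author names or emails stay data and
# never reach the parser as code; jq receives the full JSON document unchanged.
- name: Count push commits (JSON passed via env)
  shell: bash
  env:
    COMMITS: ${{ toJSON(github.event.commits) }}
  run: |
    COMMIT_LENGTH=$(jq length <<< "$COMMITS")
    echo "commits in push: $COMMIT_LENGTH"
```

The same rule applies to any other `github.event` field used inside a `run:` block: route it through `env:` (or an action input) and quote the variable, rather than interpolating the expression into the script.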
