fix(postman): prevent infinite recursion in variable substitution #4145

Merged
merged 2 commits into from
May 16, 2025

Conversation

@dustin-decker dustin-decker (Contributor) commented May 16, 2025

Add recursion depth limit and self-reference detection to the buildSubstitution function to prevent hanging when processing complex variable patterns. Includes comprehensive tests for edge cases.

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint; this requires golangci-lint)?
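To illustrate the two guards the PR description names (a recursion depth limit and self-reference detection), here is an added, self-contained Go example of a Postman-style `{{name}}` substitution routine. It is not trufflehog's `buildSubstitution` and does not reproduce the project's code; the function names `substitute` and `expand`, the `maxSubstitutionDepth` constant, and the sample variable maps are all assumptions made for this example. It goes slightly beyond the PR text by also showing that a variable legitimately used twice in sibling positions is not mistaken for a cycle.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// maxSubstitutionDepth bounds how many nested expansions are followed.
// The value is an arbitrary choice for this example, not the project's.
const maxSubstitutionDepth = 10

// varPattern matches Postman-style {{name}} references.
var varPattern = regexp.MustCompile(`\{\{([^{}]+)\}\}`)

// substitute expands {{name}} references in s using vars. It returns the
// expanded string and a flag reporting whether expansion was cut short
// because a cycle (including a direct self-reference) was detected or the
// depth limit was reached. Unknown variables are left in place verbatim.
func substitute(s string, vars map[string]string) (string, bool) {
	return expand(s, vars, map[string]bool{}, 0)
}

// expand does the recursive work. visiting holds the names currently on
// the expansion stack, so a name seen again while still on the stack is a
// cycle; it is removed on return, so the same variable appearing twice as
// siblings (e.g. "{{host}}:{{host}}") is expanded normally both times.
func expand(s string, vars map[string]string, visiting map[string]bool, depth int) (string, bool) {
	if depth > maxSubstitutionDepth {
		// Depth guard: stop following nested references and return the
		// partially expanded text instead of recursing further.
		return s, true
	}
	truncated := false
	out := varPattern.ReplaceAllStringFunc(s, func(m string) string {
		name := strings.TrimSpace(m[2 : len(m)-2])
		val, ok := vars[name]
		if !ok {
			return m // unknown variable: keep the literal reference
		}
		if visiting[name] {
			// Self-reference or longer cycle: keep the literal and stop.
			truncated = true
			return m
		}
		visiting[name] = true
		defer delete(visiting, name)
		res, cut := expand(val, vars, visiting, depth+1)
		if cut {
			truncated = true
		}
		return res
	})
	return out, truncated
}

func main() {
	// Constructed sample variables; the hostname is a placeholder.
	chain := map[string]string{
		"host": "api.example.com",
		"base": "https://{{host}}/v1",
		"url":  "{{base}}/users",
	}
	selfRef := map[string]string{"a": "{{a}}"}
	cycle := map[string]string{"a": "x{{b}}", "b": "y{{a}}"}

	for _, c := range []struct {
		in   string
		vars map[string]string
	}{
		{"GET {{url}}", chain},
		{"{{host}}:{{host}}", chain},
		{"{{a}}", selfRef},
		{"{{a}}", cycle},
	} {
		out, cut := substitute(c.in, c.vars)
		fmt.Printf("%-22q -> %-42q truncated=%v\n", c.in, out, cut)
	}
}
```

The `visiting` set is the part that matters for the hang the PR fixes: without it, `{{a}}` defined as `{{a}}` re-enters `expand` forever, and the depth limit alone only turns an infinite loop into a bounded but wasted recursion. Keeping both means a genuinely deep but acyclic chain still terminates at a predictable point, and the returned flag lets the caller log that a value was not fully resolved rather than silently scanning a half-expanded string.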

@dustin-decker dustin-decker requested review from a team as code owners May 16, 2025 15:14
@dustin-decker dustin-decker marked this pull request as draft May 16, 2025 15:19
@dustin-decker dustin-decker marked this pull request as ready for review May 16, 2025 15:50
@casey-tran casey-tran (Contributor) left a comment
Thanks for looking into this Dustin.

@dustin-decker dustin-decker merged commit c892169 into main May 16, 2025
12 of 13 checks passed
@dustin-decker dustin-decker deleted the postman-recursion branch May 16, 2025 17:59
abmussani added a commit to bunnyanon/trufflehog that referenced this pull request May 21, 2025
* main: (121 commits)
  Fixed Grafana detector (trufflesecurity#4166)
  Reduce verbosity of chunk trace logging (trufflesecurity#4161)
  Increase postman logging verbosity (trufflesecurity#4160)
  Change github file extension log message verbosity (trufflesecurity#4159)
  docs: fix typos (trufflesecurity#4158)
  fix(twitch): Update Twitch detector to handle new RawV2 field and adjust test expectations (trufflesecurity#4150)
  Add a bunch of Postman logging (trufflesecurity#4154)
  Added DataBricks Analyzer (trufflesecurity#4135)
  fixed shopify detector line number (trufflesecurity#4149)
  chore: run setup-go after checkout (trufflesecurity#4143)
  Add per-chunk detection logging (trufflesecurity#4152)
  [Feat] Added Dropbox API OAuth2 Token Analyzer (trufflesecurity#4080)
  Updated Github Source Validate method (trufflesecurity#4144)
  replace anthropic reference with groq (trufflesecurity#4147)
  [Fix] Line number issue for custom detector (trufflesecurity#3997)
  fix(postman): prevent infinite recursion in variable substitution (trufflesecurity#4145)
  Add metrics to the Postman source (trufflesecurity#4142)
  [Feat] Implementation of Posthog Analyzer (trufflesecurity#4103)
  [Feat] Added Mux API Analyzer (trufflesecurity#4128)
  fixed name of netlify analyzer in cli output (trufflesecurity#4140)
  ...

# Conflicts:
#	pkg/pb/detectorspb/detectors.pb.go
#	proto/detectors.proto