Fixed failing apk handler test#4844
Fixed failing apk handler test#4844MuneebUllahKhan222 wants to merge 1 commit intotrufflesecurity:mainfrom
Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| }{ | ||
| "apk_with_3_leaked_keys": { | ||
| archiveURL: "https://github.com/joeleonjr/leakyAPK/raw/refs/heads/main/aws_leak.apk", | ||
| archiveURL: "https://raw.githubusercontent.com/MuneebUllahKhan222/asset-hosting/refs/heads/main/aws_leak.apk", |
There was a problem hiding this comment.
Test fetches APK from untrusted personal repository
Medium Severity
The test now downloads an APK binary from a personal GitHub account (MuneebUllahKhan222/asset-hosting) during CI. Any owner of that account can replace aws_leak.apk with arbitrary content at any time — a malicious APK could exploit parser vulnerabilities in the handler under test or in underlying zip/archive libraries. Additionally, this is identical in fragility to the original problem: if the repo is deleted or made private, the test breaks again. Test fixtures with sensitive-looking secrets should be stored in the project's own repository or a controlled, immutable artifact store.
There was a problem hiding this comment.
This is how we are going to do it for now. Later on we will have to store the artifact of a GCP bucket or Trufflehog's github repo.
nabeelalam
left a comment
nabeelalam
left a comment
There was a problem hiding this comment.
Thanks for taking care of this issue @MuneebUllahKhan222. Approving this with one small change.
Can you also enable the test by removing the line:
trufflehog/pkg/handlers/apk_test.go
Line 16 in 61d57c1
Also, is this planned to be temporary? In that case leaving a comment would be helpful to indicate that this URL needs to be updated at some point.
2 participants
Description:
This PR fixes the failing APK handler test due to the deletion of an artifact that it uses.
To fix this I have re-uploaded the artifact to my public repo and used that in test.
Checklist:
make test-community)?make lintthis requires golangci-lint)?Note
Low Risk
Low risk: only updates a test fixture download URL, with no production code changes; remaining risk is continued dependence on an external GitHub-hosted asset for test stability.
Overview
Fixes a failing
TestAPKHandlerby updating the APK fixture download URL to a new GitHub-hosted location after the previous artifact was removed.No runtime behavior changes; this only affects test setup and reliability.
Written by Cursor Bugbot for commit 547cf57. This will update automatically on new commits. Configure here.