From 153c59d7ab183970883efa6441a5d287a181fcd3 Mon Sep 17 00:00:00 2001 From: Ahrav Dutta Date: Fri, 2 Aug 2024 14:05:27 -0700 Subject: [PATCH 1/4] Create a new context with timeout per request --- pkg/engine/engine.go | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/pkg/engine/engine.go b/pkg/engine/engine.go index 04090a2aae17..dc47d8d95778 100644 --- a/pkg/engine/engine.go +++ b/pkg/engine/engine.go @@ -882,11 +882,15 @@ func (e *Engine) verificationOverlapWorker(ctx context.Context) { // DO NOT VERIFY at this stage of the pipeline. matchedBytes := detector.Matches() for _, match := range matchedBytes { + ctx, cancel := context.WithTimeout(ctx, time.Second*10) results, err := detector.FromData(ctx, false, match) - ctx.Logger().Error( - err, "error finding results in chunk during verification overlap", - "detector", detector.Key.Type().String(), - ) + cancel() + if err != nil { + ctx.Logger().Error( + err, "error finding results in chunk during verification overlap", + "detector", detector.Key.Type().String(), + ) + } if len(results) == 0 { continue @@ -980,9 +984,7 @@ func (e *Engine) detectChunk(ctx context.Context, data detectableChunk) { if e.printAvgDetectorTime { start = time.Now() } - ctx, cancel := context.WithTimeout(ctx, time.Second*10) defer common.Recover(ctx) - defer cancel() isFalsePositive := detectors.GetFalsePositiveCheck(data.detector) @@ -996,7 +998,10 @@ func (e *Engine) detectChunk(ctx context.Context, data detectableChunk) { for _, matchBytes := range matches { matchCount++ detectBytesPerMatch.Observe(float64(len(matchBytes))) + + ctx, cancel := context.WithTimeout(ctx, time.Second*10) results, err := data.detector.Detector.FromData(ctx, data.chunk.Verify, matchBytes) + cancel() if err != nil { ctx.Logger().Error( err, "error finding results in chunk", From 099f8f83310ee2e9a903c4af5e01c05cbae217af Mon Sep 17 00:00:00 2001 
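Review bot: The `ctx, cancel := context.WithTimeout(ctx, time.Second*10)` added inside the `for _, match := range matchedBytes` loop shadows the worker's ctx for the rest of the loop body, and `cancel()` runs immediately after `FromData`, so every later use of `ctx` in that iteration sees an already-cancelled context — harmless for the `ctx.Logger().Error(...)` call shown, but anything after `if len(results) == 0 { continue` that selects on `ctx.Done()` or passes ctx onward would abort on the first check; that part of the loop is outside the hunk, so this needs confirming. Giving the derived context its own name avoids the shadowing: `matchCtx, cancel := context.WithTimeout(ctx, time.Second*10)`, `results, err := detector.FromData(matchCtx, false, match)`, `cancel()`. The same pattern is introduced in detectChunk's `@@ -996,7 +998,10 @@` hunk and carried into PATCH 4/4, so the rename applies there too. The enclosing verificationOverlapWorker body continues outside the hunk.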
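Review bot: After the per-match `cancel()` in the `for _, matchBytes := range matches` loop, a detector that ran past the 10s deadline is indistinguishable in the logs from one that failed for any other reason: if it returns ctx.Err() it is logged as the generic "error finding results in chunk", and if it swallows the deadline and returns nil with no results the match is dropped silently, which for a secret scanner is reduced coverage with no signal. Logging the timeout case distinctly before the existing error branch, e.g. `if errors.Is(err, context.DeadlineExceeded) { ctx.Logger().Info("detector timed out", "timeout", time.Second*10) }`, would let operators see how often the bound is actually hit; this assumes `errors` is (or can be) imported in engine.go, which the hunk does not show. The remainder of detectChunk, including where results are consumed, is outside the hunk.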
From: Ahrav Dutta Date: Fri, 2 Aug 2024 14:19:32 -0700 Subject: [PATCH 2/4] match timeout --- pkg/detectors/privatekey/ssh.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/detectors/privatekey/ssh.go b/pkg/detectors/privatekey/ssh.go index 44ccf616f30a..cc514f7066d4 100644 --- a/pkg/detectors/privatekey/ssh.go +++ b/pkg/detectors/privatekey/ssh.go @@ -87,7 +87,7 @@ func firstResponseFromSSH(ctx context.Context, parsedKey any, username, hostport } func sshDialWithContext(ctx context.Context, network, addr string, config *ssh.ClientConfig) (*ssh.Client, error) { - d := net.Dialer{Timeout: config.Timeout} + d := net.Dialer{} conn, err := d.DialContext(ctx, network, addr) if err != nil { return nil, fmt.Errorf("error dialing %s: %w", addr, err) From ca1bb7a5fae3b074b50aa0457f368ef81c38f756 Mon Sep 17 00:00:00 2001 From: Ahrav Dutta Date: Fri, 2 Aug 2024 14:22:09 -0700 Subject: [PATCH 3/4] use context timeout --- pkg/detectors/privatekey/ssh.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/pkg/detectors/privatekey/ssh.go b/pkg/detectors/privatekey/ssh.go index cc514f7066d4..b7e11d37b02a 100644 --- a/pkg/detectors/privatekey/ssh.go +++ b/pkg/detectors/privatekey/ssh.go @@ -7,7 +7,6 @@ import ( "fmt" "net" "strings" - "time" "golang.org/x/crypto/ssh" ) @@ -35,8 +34,7 @@ func firstResponseFromSSH(ctx context.Context, parsedKey any, username, hostport // Verify the server fingerprint to ensure that there is no MITM replay attack config := &ssh.ClientConfig{ - Timeout: 5 * time.Second, - User: username, + User: username, Auth: []ssh.AuthMethod{ ssh.PublicKeys(signer), }, From 32f30beed4141a61dfa2082f8542aad70d86c3c0 Mon Sep 17 00:00:00 2001 From: Ahrav Dutta Date: Fri, 2 Aug 2024 14:24:24 -0700 Subject: [PATCH 4/4] reduce timeout --- pkg/engine/engine.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/engine/engine.go b/pkg/engine/engine.go index dc47d8d95778..f3792fae02e3 100644 --- a/pkg/engine/engine.go 
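Review bot: With `d := net.Dialer{}` the TCP connect in sshDialWithContext is bounded only by whatever deadline the caller's ctx carries, and PATCH 3/4 (`@@ -35,8 +34,7 @@`) drops `Timeout: 5 * time.Second` from the ssh.ClientConfig as well, so a ctx without a deadline (e.g. a caller outside the engine paths patched in this series, or a test) lets the dial block for the OS connect timeout. `ssh.ClientConfig.Timeout` is only consulted by `ssh.Dial` and, until this patch, by the explicit copy into the Dialer here, so removing it does not remove a handshake bound — there may never have been one; the handshake that follows `d.DialContext` is outside the hunk, and if it is not tied to ctx a peer that accepts the TCP connection and then stalls holds the detector until the caller's deadline, or indefinitely without one. Propagating the ctx deadline onto the socket after the error check keeps the bound independent of how the rest of the function is written: `if dl, ok := ctx.Deadline(); ok { _ = conn.SetDeadline(dl) }`. The function body continues outside the hunk.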
+++ b/pkg/engine/engine.go @@ -882,7 +882,7 @@ func (e *Engine) verificationOverlapWorker(ctx context.Context) { // DO NOT VERIFY at this stage of the pipeline. matchedBytes := detector.Matches() for _, match := range matchedBytes { - ctx, cancel := context.WithTimeout(ctx, time.Second*10) + ctx, cancel := context.WithTimeout(ctx, time.Second*2) results, err := detector.FromData(ctx, false, match) cancel() if err != nil {
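Review bot: Changing verificationOverlapWorker's per-match timeout to `time.Second*2` leaves detectChunk's `@@ -996,7 +998,10 @@` hunk from PATCH 1/4 at `time.Second*10`, so the two call sites now disagree by a bare literal with nothing explaining why the overlap pass, which calls `FromData(ctx, false, match)` with verification off, gets a fifth of the budget. Naming both values at package level, e.g. `const overlapDetectTimeout = 2 * time.Second` and `const detectTimeout = 10 * time.Second`, each with a one-line comment stating what the bound covers, would record the rationale that the commit message "reduce timeout" does not. The enclosing function continues outside the hunk.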