Skip to content

Fix nil pointer panics in GitHub analyzer gist/repo binding functions#4864

Open
shahzadhaider1 wants to merge 2 commits intotrufflesecurity:mainfrom
shahzadhaider1:INS-442-fix-nil-pointer-in-github-analyzer
Open

Fix nil pointer panics in GitHub analyzer gist/repo binding functions#4864
shahzadhaider1 wants to merge 2 commits intotrufflesecurity:mainfrom
shahzadhaider1:INS-442-fix-nil-pointer-in-github-analyzer

Conversation

@shahzadhaider1
Copy link
Copy Markdown
Contributor

@shahzadhaider1 shahzadhaider1 commented Apr 3, 2026
edited by cursor bot
Loading

Problem

A panic was caught in the GitHub analyzer worker:

runtime error: invalid memory address or nil pointer dereference
github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/analyzers/github.secretInfoToGistBindings
    pkg/analyzer/analyzers/github/github.go:129

The GitHub API returns description and owner as optional nullable fields on gist objects. When a gist has no description, the API returns null, leaving Description as a nil *string. The code dereferenced it directly (*gist.Description) without any nil guard.

The same class of bug existed across several functions in the file: *gist.Owner.Login, *gist.ID, *repo.Name, *repo.FullName, *user.Login, *user.Type; all raw dereferences of fields that the go-github library defines as optional pointers.

Why safe getters alone weren't enough for Owner

For Description, replacing the dereference with GetDescription() (returns "" on nil) is sufficient, a gist without a description is still attributable.

For Owner, falling back to an empty string silently produces corrupt output:

  • FullyQualifiedName: "gist.github.com//abc123": malformed
  • Parent resource with empty Name and Type

A gist with no owner cannot be meaningfully attributed, so it is skipped rather than emitting bad data. This is consistent with how PrintGists in common/github.go already handles nil gist pointers.

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

Note

Medium Risk
Changes GitHub analyzer output generation to use safe getters and to skip repos/gists missing owners, which could reduce emitted bindings for some edge-case API responses. Logic is small and localized but affects permission attribution results.

Overview
Fixes GitHub analyzer nil-pointer panics by replacing direct pointer dereferences on gh.User, gh.Repository, and gh.Gist fields with go-github Get*() accessors.

Updates binding generation to skip repositories and gists that have no Owner, avoiding malformed FullyQualifiedName/parent resources, and adds a focused unit test covering nil gist Description and nil Owner cases.

Reviewed by Cursor Bugbot for commit d6d4d75. Bugbot is set up for automated code reviews on this repo. Configure here.

@shahzadhaider1 shahzadhaider1 requested a review from a team April 3, 2026 21:02
@shahzadhaider1 shahzadhaider1 requested a review from a team as a code owner April 3, 2026 21:02
cursor[bot]
cursor bot reviewed Apr 3, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Fix All in Cursor

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@shahzadhaider1