Skip to content

fix(file): prefilter must enumerate overlapping literal hits#3

Merged
M09Ic merged 1 commit into
chainreactors:masterfrom
wuchulonly:fix/prefilter-overlapping-literals
Jul 7, 2026
Merged

fix(file): prefilter must enumerate overlapping literal hits#3
M09Ic merged 1 commit into
chainreactors:masterfrom
wuchulonly:fix/prefilter-overlapping-literals

Conversation

@wuchulonly

Copy link
Copy Markdown

Problem

relevantSourcesBytes (the per-line prefilter that selects which templates to
run) enumerated literal hits with a non-overlapping leftmost-first Find
loop (start = hit.Start + 1).

When one template's literal (e.g. begin rsa private key) shares its start
with — or is otherwise shadowed by — a shorter literal contributed by
another loaded template (e.g. begin), the automaton never reports the longer
literal, so that template is silently dropped from the scan.

Impact is not just cosmetic: on a real multi-secret file, only ~5 of 156 loaded
rules fired (private-key, jwt, stripe, database … all missed), even
though each of those templates matches correctly when loaded on its own. The
more templates you load, the more get shadowed.

Fix

Enumerate every literal occurrence with FindAllOverlapping, which reports
all matches regardless of the automaton's leftmost match kind. The change is
confined to the single prefilter function that all three scan paths
(block / line / content) already funnel through.

Test

TestScanner_Prefilter_OverlappingLiterals lists the shorter shadowing
literals before the private-key template so they win leftmost-first
tie-breaking — the exact condition that used to hide the finding. It fails on
the old loop and passes with the fix
. Existing proton/file tests stay green.

🤖 Generated with Claude Code

relevantSourcesBytes selected candidate templates per line with a
non-overlapping leftmost-first Find loop (start = hit.Start + 1). When
one template's literal (e.g. "begin rsa private key") shares its start
with — or is otherwise shadowed by — a shorter literal contributed by
another loaded template (e.g. "begin"), the automaton never reported
the longer literal, so that template was silently dropped from the
scan. On a real multi-secret file this made only ~5 of 156 loaded
rules fire (private-key, jwt, stripe, database ... all missed) while
each fired correctly when loaded alone.

Enumerate every literal occurrence with FindAllOverlapping, which
reports all matches regardless of the automaton's leftmost match kind.

Add TestScanner_Prefilter_OverlappingLiterals: shorter shadowing
literals are listed before the private-key template so they win
leftmost-first tie-breaking — the exact condition that used to hide
the finding. Fails on the old loop, passes now.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@M09Ic
M09Ic merged commit 471f99e into chainreactors:master Jul 7, 2026
5 checks passed
wuchulonly pushed a commit to chainreactors/aiscan that referenced this pull request Jul 7, 2026
bump chainreactors/proton 至 471f99e(含预过滤修复):上游 AC 行级
预过滤用非重叠 leftmost-first Find 迭代挑候选模板,长字面量
("begin rsa private key")被其它已加载模板的更短字面量("begin")
遮蔽 → 多密钥文件里 156 条规则只命中约 5 条(private-key/jwt/
stripe/database 全漏)。上游已改用 FindAllOverlapping(chainreactors/proton#3)。

proton -j 输出改用 nuclei-style 连字符键(template-id/template-name),
不再直接 marshal 内部 parsers.Result 泄漏 template_id(该共享类型
被 scan 等其它数据路径依赖,不能改库 tag);新增 jsonFinding 结构体。

修复 pkg/tools/proton 4 个 E2E:DetectsAllCategories / ProtonJSON /
Pipe_CatToProtonWithExpression / Pipe_ShellToPseudoToShell。

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants