fix: resolve 10 bugs found in code review#2894
Open
hobostay wants to merge 1 commit intosherlock-project:masterfrom
Open
fix: resolve 10 bugs found in code review#2894hobostay wants to merge 1 commit intosherlock-project:masterfrom
hobostay wants to merge 1 commit intosherlock-project:masterfrom
Conversation
- Fix NoneType crash when response is None (WAF check and detection logic accessed r.text/r.status_code without null guard) - Fix response_text bytes/str type mismatch (r.text.encode() returns bytes but everything else expects str) - Fix global result counter giving wrong totals across multiple usernames (convert globvar to instance variable, reset per-username) - Fix dead None check on response_time_s list in xlsx export (list is always initialized, individual values need the check) - Fix xlsx output ignoring --folderoutput flag (csv/txt respected it) - Fix Excel formula injection in xlsx HYPERLINK (escape double quotes) - Fix unused username_unclaimed parameter in SiteInformation (was accepted but immediately overwritten with random token) - Fix unused error_type parameter in get_response() (never referenced) - Fix mutable default arguments [] in SitesInformation methods - Fix finish() called once after all usernames instead of per-username - Fix version tag parsing assuming 'v' prefix with tag[1:] (use lstrip) - Fix Python 3.9 incompatible type hints (str|None → Optional[str]) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Code review identified and fixes 10 bugs across
sherlock.py,notify.py, andsites.py:HIGH — Crashes
r.textandr.status_codewere accessed in WAF detection and account detection logic without null checks. Network errors (timeout, proxy failure, etc.) returnresponse = None, causingAttributeErroron every detection path.MEDIUM — Incorrect Behavior
response_textbytes/str type mismatch —r.text.encode(r.encoding or "UTF-8")returnsbytes, but the fallback assigns""(str). Downstream consumers (CSV, display) expect str, causingTypeErrorwhen concatenating or writing.globvarwas a module-level global never reset. Runningsherlock user1 user2would show cumulative count (e.g., "8 results" when user2 only had 3). Converted to instance variable, reset per-username instart().response_time_sin xlsx export — The listresponse_time_swas checkedif response_time_s is None(always False since it's initialized as[]). Individualquery_timevalues were never checked for None.--folderoutputflag — CSV and TXT correctly write to--folderoutput, but xlsx always wrote to cwd.finish()called once after ALL usernames —start()was called per-username butfinish()was outside the loop, so the summary only appeared once with a cumulative count.MEDIUM — Security
=HYPERLINK("...")formulas without sanitizing double quotes, allowing formula breakout.LOW — Code Quality
username_unclaimedparameter inSiteInformation.__init__— Accepted with defaultsecrets.token_urlsafe(10)but immediately overwritten withsecrets.token_urlsafe(32). Parameter value was never used.error_typeparameter inget_response()— Passed from call site but never referenced in the function body.[]—do_not_excludeanddo_not_removeused[]as defaults, which are shared across calls in Python.vprefix —latest_remote_tag[1:]strips exactly one character, breaking if the tag has novprefix. Changed tolstrip('v').str|Noneanddict[str, ...]syntax doesn't work on 3.9. Changed toOptionaland removed the return type hint.Test plan
test_validate_targets.pypasses (956 targets validated)sherlock user1 user2 --txt --csv --xlsx --folderoutput /tmp/outand verify per-username counts are correct--folderoutputdirectory🤖 Generated with Claude Code