
fix: 9 bug fixes — thread safety, error handling, mutable defaults #2889

Open
verysleepylemon wants to merge 1 commit into sherlock-project:master from verysleepylemon:bugfix/thread-safety-and-error-handling

Conversation

@verysleepylemon

Summary

Nine targeted bug fixes across three core modules. No new features, no dependencies added.

notify.py — Thread-safe result counter

| # | Fix | Impact |
|---|-----|--------|
| 1 | Replace non-thread-safe global `globvar` with `threading.Lock`-protected `_results_count` | Eliminates race condition when queries run concurrently |
| 2 | Add `getResults()` read-only accessor; fix off-by-one in `finish()` | Correct result count displayed at end of scan |

sherlock.py — Error handling & CLI fixes

| # | Fix | Impact |
|---|-----|--------|
| 3 | Normalise `errorType` to list before membership check | Handles sites that declare multiple error detection methods |
| 4 | Remove `.encode()` on `r.text` (already a decoded `str`) | Prevents `bytes`-where-`str`-expected downstream |
| 5 | Add `r is not None` guard before WAF fingerprint scan | Prevents `AttributeError` on timed-out requests |
| 6 | Change `--print-found` (`store_true`, default=`True` — a no-op) to `--no-print-found` (`store_false`) | Users can now actually suppress found-site output |
| 7 | Use `lstrip('v').lstrip('release-')` for version tag comparison | Handles tags like `release-0.16.0` without false update prompts |

sites.py — Mutable default arguments

| # | Fix | Impact |
|---|-----|--------|
| 8 | Replace `username_unclaimed=secrets.token_urlsafe(10)` with `None` sentinel; honour caller value | Stops silently overwriting caller-supplied unclaimed usernames |
| 9 | Replace `do_not_exclude=[]` with `None` sentinel | Prevents shared mutable default state across calls |

Testing

  • All existing tests pass (`pytest` on Python 3.10–3.13, Ubuntu/Windows/macOS)
  • No new files, no new dependencies
  • Diff: +31 −28 lines across 3 files

Bug fixes:
1. notify.py: Replace non-thread-safe global counter (globvar) with
   threading.Lock-protected _results_count — fixes race conditions
   when multiple queries run concurrently
2. notify.py: Add getResults() to read count without incrementing;
   fix off-by-one in finish() display
3. sherlock.py: Normalise errorType to list before checking — handles
   sites that declare multiple error detection methods
4. sherlock.py: Remove .encode() on r.text — r.text is already a
   decoded str, double-encoding produced bytes where str was expected
5. sherlock.py: Add null-check (r is not None) before WAF fingerprint
   scan — prevents AttributeError on timed-out requests
6. sherlock.py: Change --print-found (store_true, default=True — a
   no-op) to --no-print-found (store_false) so users can actually
   suppress found-site output
7. sherlock.py: Use lstrip('v').lstrip('release-') for version tag
   comparison — handles tags like 'release-0.16.0'
8. sites.py: Replace mutable default argument
   username_unclaimed=secrets.token_urlsafe(10) with None sentinel;
   honour caller-supplied value instead of always overwriting with
   a new random token
9. sites.py: Replace mutable default argument do_not_exclude=[] with
   None sentinel — prevents shared-state bug across calls
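An added example, not code from sherlock-project or from this PR, that reproduces in isolation the two bug classes the description above fixes in sites.py and notify.py: default arguments evaluated once at definition time (`secrets.token_urlsafe(10)` and `[]`), and an unsynchronised shared result counter. Each buggy form is shown next to the `None`-sentinel and `threading.Lock` fix. Every function and class name here is a hypothetical stand-in for the project's own code, and the thread and iteration counts are constructed for the demo.

```python
"""Evaluated-once defaults and an unsynchronised counter, buggy vs fixed.

Added example; not sherlock-project code. All names are hypothetical.
"""
import secrets
import threading
from typing import Optional


# ---- sites.py class of bug: defaults are evaluated once, at def time ----

def buggy_unclaimed_username(username_unclaimed=secrets.token_urlsafe(10)) -> str:
    # The token is generated once at import, so every call that relies on
    # the default receives the *same* "random" unclaimed username.
    return username_unclaimed


def fixed_unclaimed_username(username_unclaimed: Optional[str] = None) -> str:
    # None sentinel: honour a caller-supplied value, otherwise mint a fresh token.
    if username_unclaimed is None:
        username_unclaimed = secrets.token_urlsafe(10)
    return username_unclaimed


def buggy_exclusions(site: str, do_not_exclude=[]) -> list:
    # The default list object lives on the function and is shared by every
    # call that omits the argument, so entries leak between calls.
    do_not_exclude.append(site)
    return do_not_exclude


def fixed_exclusions(site: str, do_not_exclude: Optional[list] = None) -> list:
    # A new list per call unless the caller passes one in.
    if do_not_exclude is None:
        do_not_exclude = []
    do_not_exclude.append(site)
    return do_not_exclude


# ---- notify.py class of bug: unsynchronised shared counter ----

class UnsafeCounter:
    """Models a bare global counter: `count += 1` is a read-modify-write,
    so concurrent increments can be lost (not deterministic under the GIL)."""

    def __init__(self) -> None:
        self.count = 0

    def increment(self) -> None:
        self.count += 1

    def get(self) -> int:
        return self.count


class ResultCounter:
    """Lock-protected counter: increment and read are serialised."""

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._count = 0

    def increment(self) -> None:
        with self._lock:
            self._count += 1

    def get(self) -> int:
        # Read-only accessor: reports the count without incrementing it.
        with self._lock:
            return self._count


def run_concurrent_increments(counter, threads: int = 8, per_thread: int = 20_000) -> int:
    """Call counter.increment() from several threads; return the final count.
    A correct counter returns exactly threads * per_thread."""
    def worker() -> None:
        for _ in range(per_thread):
            counter.increment()

    ts = [threading.Thread(target=worker) for _ in range(threads)]
    for t in ts:
        t.start()
    for t in ts:
        t.join()
    return counter.get()


if __name__ == "__main__":
    print(buggy_unclaimed_username() == buggy_unclaimed_username())  # True: same token every call
    print(fixed_unclaimed_username() == fixed_unclaimed_username())  # False: fresh token each call
    print(fixed_unclaimed_username("alice"))                        # alice: caller value honoured
    buggy_exclusions("a")
    print(buggy_exclusions("b"))                                    # ['a', 'b']: leaked state
    fixed_exclusions("a")
    print(fixed_exclusions("b"))                                    # ['b']
    expected = 8 * 20_000
    print("unsafe:", run_concurrent_increments(UnsafeCounter()), "expected", expected)
    print("locked:", run_concurrent_increments(ResultCounter()), "expected", expected)
```

The unsafe counter may or may not lose updates on a given run; the GIL makes the race intermittent rather than impossible, which is exactly why it survives casual testing. The lock-protected counter returns the exact total every time, and its `get()` is the read-without-increment accessor the PR describes adding.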