2020-12-21 14:31:32 +05:30
|
|
|
package types
|
2020-12-23 20:46:42 +05:30
|
|
|
|
2021-07-16 17:28:13 +03:00
|
|
|
import (
|
2023-07-13 00:51:06 +05:30
|
|
|
"io"
|
2023-08-31 18:03:01 +05:30
|
|
|
"os"
|
|
|
|
|
"path/filepath"
|
2023-07-28 18:50:57 +03:00
|
|
|
"strings"
|
2022-06-30 14:21:54 +02:00
|
|
|
"time"
|
|
|
|
|
|
2021-07-16 17:28:13 +03:00
|
|
|
"github.com/projectdiscovery/goflags"
|
2023-10-17 17:44:13 +05:30
|
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/catalog"
|
|
|
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/catalog/config"
|
|
|
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/model/types/severity"
|
|
|
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/templates/types"
|
2023-08-31 18:03:01 +05:30
|
|
|
errorutil "github.com/projectdiscovery/utils/errors"
|
2022-11-06 21:24:23 +01:00
|
|
|
fileutil "github.com/projectdiscovery/utils/file"
|
2023-10-13 13:17:27 +05:30
|
|
|
folderutil "github.com/projectdiscovery/utils/folder"
|
2024-05-15 15:34:59 +02:00
|
|
|
unitutils "github.com/projectdiscovery/utils/unit"
|
2021-07-16 17:28:13 +03:00
|
|
|
)
|
2021-01-27 11:46:41 +05:30
|
|
|
|
2023-07-13 00:51:06 +05:30
|
|
|
var (
|
|
|
|
|
// ErrNoMoreRequests is internal error to indicate that generator has no more requests to generate
|
|
|
|
|
ErrNoMoreRequests = io.EOF
|
|
|
|
|
)
|
|
|
|
|
|
2024-09-20 17:11:22 -04:00
|
|
|
// LoadHelperFileFunction can be used to load a helper file.
|
|
|
|
|
type LoadHelperFileFunction func(helperFile, templatePath string, catalog catalog.Catalog) (io.ReadCloser, error)
|
|
|
|
|
|
2020-12-23 20:46:42 +05:30
|
|
|
// Options contains the configuration options for nuclei scanner.
|
|
|
|
|
type Options struct {
|
2021-02-26 13:13:11 +05:30
|
|
|
// Tags contains a list of tags to execute templates for. Multiple paths
|
|
|
|
|
// can be specified with -l flag and -tags can be used in combination with
|
|
|
|
|
// the -l flag.
|
2022-08-27 19:35:17 +05:30
|
|
|
Tags goflags.StringSlice
|
2021-03-14 01:15:33 +05:30
|
|
|
// ExcludeTags is the list of tags to exclude
|
2022-08-27 19:35:17 +05:30
|
|
|
ExcludeTags goflags.StringSlice
|
2021-03-05 12:08:31 +05:30
|
|
|
// Workflows specifies any workflows to run by nuclei
|
2022-08-27 19:35:17 +05:30
|
|
|
Workflows goflags.StringSlice
|
2021-10-14 23:30:37 +02:00
|
|
|
// WorkflowURLs specifies URLs to a list of workflows to use
|
2022-08-27 19:35:17 +05:30
|
|
|
WorkflowURLs goflags.StringSlice
|
2021-02-26 13:13:11 +05:30
|
|
|
// Templates specifies the template/templates to use
|
2022-08-27 19:35:17 +05:30
|
|
|
Templates goflags.StringSlice
|
2021-10-14 23:30:37 +02:00
|
|
|
// TemplateURLs specifies URLs to a list of templates to use
|
2022-08-27 19:35:17 +05:30
|
|
|
TemplateURLs goflags.StringSlice
|
2025-02-13 16:32:50 +05:30
|
|
|
// AITemplatePrompt specifies prompt to generate template using AI
|
|
|
|
|
AITemplatePrompt string
|
2022-01-12 18:33:17 +05:30
|
|
|
// RemoteTemplates specifies list of allowed URLs to load remote templates from
|
|
|
|
|
RemoteTemplateDomainList goflags.StringSlice
|
2021-02-26 13:13:11 +05:30
|
|
|
// ExcludedTemplates specifies the template/templates to exclude
|
2022-08-27 19:35:17 +05:30
|
|
|
ExcludedTemplates goflags.StringSlice
|
2022-06-24 23:09:27 +05:30
|
|
|
// ExcludeMatchers is a list of matchers to exclude processing
|
2022-08-27 19:35:17 +05:30
|
|
|
ExcludeMatchers goflags.StringSlice
|
2021-02-26 13:13:11 +05:30
|
|
|
// CustomHeaders is the list of custom global headers to send with each request.
|
2022-08-27 19:35:17 +05:30
|
|
|
CustomHeaders goflags.StringSlice
|
2021-08-08 23:42:10 +02:00
|
|
|
// Vars is the list of custom global vars
|
2021-08-09 10:51:52 +02:00
|
|
|
Vars goflags.RuntimeMap
|
2021-07-16 17:28:13 +03:00
|
|
|
// Severities filters templates based on their severity and only run the matching ones.
|
|
|
|
|
Severities severity.Severities
|
2021-10-08 22:24:29 +03:00
|
|
|
// ExcludeSeverities specifies severities to exclude
|
|
|
|
|
ExcludeSeverities severity.Severities
|
2021-11-03 02:23:48 +05:30
|
|
|
// Authors filters templates based on their author and only run the matching ones.
|
2022-08-27 19:35:17 +05:30
|
|
|
Authors goflags.StringSlice
|
2021-10-25 23:24:42 +05:30
|
|
|
// Protocols contains the protocols to be allowed executed
|
2021-11-03 17:18:35 +05:30
|
|
|
Protocols types.ProtocolTypes
|
2021-10-25 23:24:42 +05:30
|
|
|
// ExcludeProtocols contains protocols to not be executed
|
2021-11-03 17:18:35 +05:30
|
|
|
ExcludeProtocols types.ProtocolTypes
|
2021-06-30 18:39:01 +05:30
|
|
|
// IncludeTags includes specified tags to be run even while being in denylist
|
2022-08-27 19:35:17 +05:30
|
|
|
IncludeTags goflags.StringSlice
|
2021-06-30 18:39:01 +05:30
|
|
|
// IncludeTemplates includes specified templates to be run even while being in denylist
|
2022-08-27 19:35:17 +05:30
|
|
|
IncludeTemplates goflags.StringSlice
|
2022-01-07 13:00:20 +01:00
|
|
|
// IncludeIds includes specified ids to be run even while being in denylist
|
2022-08-27 19:35:17 +05:30
|
|
|
IncludeIds goflags.StringSlice
|
2022-01-07 13:00:20 +01:00
|
|
|
// ExcludeIds contains templates ids to not be executed
|
2022-08-27 19:35:17 +05:30
|
|
|
ExcludeIds goflags.StringSlice
|
2024-04-12 00:32:06 +02:00
|
|
|
// InternalResolversList is the list of internal resolvers to use
|
|
|
|
|
InternalResolversList []string
|
2021-02-26 13:13:11 +05:30
|
|
|
// ProjectPath allows nuclei to use a user defined project folder
|
|
|
|
|
ProjectPath string
|
2021-04-16 16:56:41 +05:30
|
|
|
// InteractshURL is the URL for the interactsh server.
|
2022-01-13 13:22:43 +05:30
|
|
|
InteractshURL string
|
2021-09-01 11:42:15 -05:00
|
|
|
// Interactsh Authorization header value for self-hosted servers
|
2021-09-06 19:10:32 +05:30
|
|
|
InteractshToken string
|
2021-08-03 22:47:09 -07:00
|
|
|
// Target URLs/Domains to scan using a template
|
|
|
|
|
Targets goflags.StringSlice
|
2023-11-23 19:35:20 +01:00
|
|
|
// ExcludeTargets URLs/Domains to exclude from scanning
|
|
|
|
|
ExcludeTargets goflags.StringSlice
|
2021-08-04 10:28:56 -07:00
|
|
|
// TargetsFilePath specifies the targets from a file to scan using templates.
|
2021-08-03 22:47:09 -07:00
|
|
|
TargetsFilePath string
|
2021-11-29 14:38:45 +01:00
|
|
|
// Resume the scan from the state stored in the resume config file
|
2022-02-24 14:32:41 +05:30
|
|
|
Resume string
|
2021-02-26 13:13:11 +05:30
|
|
|
// Output is the file to write found results to.
|
|
|
|
|
Output string
|
2022-03-09 12:31:12 +01:00
|
|
|
// ProxyInternal requests
|
|
|
|
|
ProxyInternal bool
|
2022-08-28 20:07:21 +09:00
|
|
|
// Show all supported DSL signatures
|
|
|
|
|
ListDslSignatures bool
|
2021-11-10 10:00:03 -06:00
|
|
|
// List of HTTP(s)/SOCKS5 proxy to use (comma separated or file input)
|
2022-08-27 19:35:17 +05:30
|
|
|
Proxy goflags.StringSlice
|
2024-12-13 04:23:27 +05:30
|
|
|
// AliveProxy is the alive proxy to use
|
|
|
|
|
AliveHttpProxy string
|
|
|
|
|
// AliveSocksProxy is the alive socks proxy to use
|
|
|
|
|
AliveSocksProxy string
|
2021-02-26 13:13:11 +05:30
|
|
|
// TemplatesDirectory is the directory to use for storing templates
|
2023-04-19 21:58:48 +05:30
|
|
|
NewTemplatesDirectory string
|
2021-02-26 13:13:11 +05:30
|
|
|
// TraceLogFile specifies a file to write with the trace of all requests
|
|
|
|
|
TraceLogFile string
|
2021-10-30 12:39:38 +03:00
|
|
|
// ErrorLogFile specifies a file to write with the errors of all requests
|
|
|
|
|
ErrorLogFile string
|
2021-02-26 13:13:11 +05:30
|
|
|
// ReportingDB is the db for report storage as well as deduplication
|
|
|
|
|
ReportingDB string
|
|
|
|
|
// ReportingConfig is the config file for nuclei reporting module
|
|
|
|
|
ReportingConfig string
|
2021-11-25 18:54:16 +02:00
|
|
|
// MarkdownExportDirectory is the directory to export reports in Markdown format
|
2021-09-19 16:26:47 +05:30
|
|
|
MarkdownExportDirectory string
|
2023-07-21 16:54:06 -04:00
|
|
|
// MarkdownExportSortMode is the method to sort the markdown reports (options: severity, template, host, none)
|
|
|
|
|
MarkdownExportSortMode string
|
2021-06-06 02:56:36 +05:30
|
|
|
// SarifExport is the file to export sarif output format to
|
|
|
|
|
SarifExport string
|
2021-02-26 13:13:11 +05:30
|
|
|
// ResolversFile is a file containing resolvers for nuclei.
|
|
|
|
|
ResolversFile string
|
|
|
|
|
// StatsInterval is the number of seconds to display stats after
|
|
|
|
|
StatsInterval int
|
|
|
|
|
// MetricsPort is the port to show metrics on
|
|
|
|
|
MetricsPort int
|
2021-09-01 01:09:16 +05:30
|
|
|
// MaxHostError is the maximum number of errors allowed for a host
|
|
|
|
|
MaxHostError int
|
2023-03-14 01:29:42 -07:00
|
|
|
// TrackError contains additional error messages that count towards the maximum number of errors allowed for a host
|
|
|
|
|
TrackError goflags.StringSlice
|
2023-01-22 10:38:50 +01:00
|
|
|
// NoHostErrors disables host skipping after maximum number of errors
|
|
|
|
|
NoHostErrors bool
|
2021-02-26 13:13:11 +05:30
|
|
|
// BulkSize is the of targets analyzed in parallel for each template
|
|
|
|
|
BulkSize int
|
|
|
|
|
// TemplateThreads is the number of templates executed in parallel
|
|
|
|
|
TemplateThreads int
|
2021-10-27 15:53:04 +05:30
|
|
|
// HeadlessBulkSize is the of targets analyzed in parallel for each headless template
|
|
|
|
|
HeadlessBulkSize int
|
|
|
|
|
// HeadlessTemplateThreads is the number of headless templates executed in parallel
|
|
|
|
|
HeadlessTemplateThreads int
|
2021-02-26 13:13:11 +05:30
|
|
|
// Timeout is the seconds to wait for a response from the server.
|
|
|
|
|
Timeout int
|
|
|
|
|
// Retries is the number of times to retry the request
|
|
|
|
|
Retries int
|
|
|
|
|
// Rate-Limit is the maximum number of requests per specified target
|
|
|
|
|
RateLimit int
|
2024-04-03 19:28:39 +02:00
|
|
|
// Rate Limit Duration interval between burst resets
|
|
|
|
|
RateLimitDuration time.Duration
|
2021-07-31 15:46:21 +05:30
|
|
|
// Rate-Limit is the maximum number of requests per minute for specified target
|
2024-04-03 19:28:39 +02:00
|
|
|
// Deprecated: Use RateLimitDuration - automatically set Rate Limit Duration to 60 seconds
|
2021-07-31 15:46:21 +05:30
|
|
|
RateLimitMinute int
|
2021-03-02 14:54:57 +05:30
|
|
|
// PageTimeout is the maximum time to wait for a page in seconds
|
2021-03-01 14:20:56 +05:30
|
|
|
PageTimeout int
|
2021-04-16 16:56:41 +05:30
|
|
|
// InteractionsCacheSize is the number of interaction-url->req to keep in cache at a time.
|
|
|
|
|
InteractionsCacheSize int
|
|
|
|
|
// InteractionsPollDuration is the number of seconds to wait before each interaction poll
|
|
|
|
|
InteractionsPollDuration int
|
|
|
|
|
// Eviction is the number of seconds after which to automatically discard
|
|
|
|
|
// interaction requests.
|
|
|
|
|
InteractionsEviction int
|
2021-11-25 18:54:16 +02:00
|
|
|
// InteractionsCoolDownPeriod is additional seconds to wait for interactions after closing
|
2021-04-16 16:56:41 +05:30
|
|
|
// of the poller.
|
2021-11-25 18:54:16 +02:00
|
|
|
InteractionsCoolDownPeriod int
|
2022-03-15 18:10:05 +05:30
|
|
|
// MaxRedirects is the maximum numbers of redirects to be followed.
|
|
|
|
|
MaxRedirects int
|
|
|
|
|
// FollowRedirects enables following redirects for http request module
|
|
|
|
|
FollowRedirects bool
|
2022-09-29 00:41:28 +02:00
|
|
|
// FollowRedirects enables following redirects for http request module only on the same host
|
|
|
|
|
FollowHostRedirects bool
|
2021-02-26 13:13:11 +05:30
|
|
|
// OfflineHTTP is a flag that specific offline processing of http response
|
|
|
|
|
// using same matchers/extractors from http protocol without the need
|
|
|
|
|
// to send a new request, reading responses from a file.
|
|
|
|
|
OfflineHTTP bool
|
2022-12-04 18:02:01 +01:00
|
|
|
// Force HTTP2 requests
|
|
|
|
|
ForceAttemptHTTP2 bool
|
2021-07-08 15:24:04 +05:30
|
|
|
// StatsJSON writes stats output in JSON format
|
|
|
|
|
StatsJSON bool
|
2021-02-26 13:13:11 +05:30
|
|
|
// Headless specifies whether to allow headless mode templates
|
|
|
|
|
Headless bool
|
|
|
|
|
// ShowBrowser specifies whether the show the browser in headless mode
|
|
|
|
|
ShowBrowser bool
|
2023-07-28 18:50:57 +03:00
|
|
|
// HeadlessOptionalArguments specifies optional arguments to pass to Chrome
|
|
|
|
|
HeadlessOptionalArguments goflags.StringSlice
|
2022-12-11 18:06:21 +05:30
|
|
|
// DisableClustering disables clustering of templates
|
|
|
|
|
DisableClustering bool
|
2021-09-26 07:56:35 +02:00
|
|
|
// UseInstalledChrome skips chrome install and use local instance
|
|
|
|
|
UseInstalledChrome bool
|
2021-09-30 19:07:59 +03:00
|
|
|
// SystemResolvers enables override of nuclei's DNS client opting to use system resolver stack.
|
2021-02-26 13:13:11 +05:30
|
|
|
SystemResolvers bool
|
2022-08-25 10:43:32 +05:30
|
|
|
// ShowActions displays a list of all headless actions
|
|
|
|
|
ShowActions bool
|
2023-09-02 14:34:05 +05:30
|
|
|
// Deprecated: Enabled by default through clistats . Metrics enables display of metrics via an http endpoint
|
2020-12-23 20:46:42 +05:30
|
|
|
Metrics bool
|
|
|
|
|
// Debug mode allows debugging request/responses for the engine
|
|
|
|
|
Debug bool
|
2021-01-12 17:18:08 +05:30
|
|
|
// DebugRequests mode allows debugging request for the engine
|
|
|
|
|
DebugRequests bool
|
|
|
|
|
// DebugResponse mode allows debugging response for the engine
|
|
|
|
|
DebugResponse bool
|
2022-10-20 17:23:00 +05:30
|
|
|
// DisableHTTPProbe disables http probing feature of input normalization
|
|
|
|
|
DisableHTTPProbe bool
|
2022-01-18 04:13:59 +05:30
|
|
|
// LeaveDefaultPorts skips normalization of default ports
|
|
|
|
|
LeaveDefaultPorts bool
|
2022-03-14 12:32:05 +05:30
|
|
|
// AutomaticScan enables automatic tech based template execution
|
|
|
|
|
AutomaticScan bool
|
2020-12-23 20:46:42 +05:30
|
|
|
// Silent suppresses any extra text and only writes found URLs on screen.
|
|
|
|
|
Silent bool
|
2021-07-07 19:03:14 +05:30
|
|
|
// Validate validates the templates passed to nuclei.
|
|
|
|
|
Validate bool
|
2022-07-13 13:30:11 +02:00
|
|
|
// NoStrictSyntax disables strict syntax check on nuclei templates (allows custom key-value pairs).
|
|
|
|
|
NoStrictSyntax bool
|
2020-12-23 20:46:42 +05:30
|
|
|
// Verbose flag indicates whether to show verbose output or not
|
2021-07-01 18:22:08 +05:30
|
|
|
Verbose bool
|
|
|
|
|
VerboseVerbose bool
|
2022-11-01 20:28:50 +05:30
|
|
|
// ShowVarDump displays variable dump
|
|
|
|
|
ShowVarDump bool
|
2024-10-14 21:01:36 +07:00
|
|
|
// VarDumpLimit limits the number of characters displayed in var dump
|
|
|
|
|
VarDumpLimit int
|
2020-12-23 20:46:42 +05:30
|
|
|
// No-Color disables the colored output.
|
|
|
|
|
NoColor bool
|
2023-04-19 21:58:48 +05:30
|
|
|
// UpdateTemplates updates the templates installed at startup (also used by cloud to update datasources)
|
2020-12-23 20:46:42 +05:30
|
|
|
UpdateTemplates bool
|
2023-03-31 05:59:29 -04:00
|
|
|
// JSON writes json line output to files
|
|
|
|
|
JSONL bool
|
2020-12-23 20:46:42 +05:30
|
|
|
// JSONRequests writes requests/responses for matches in JSON output
|
2023-07-04 16:37:56 -04:00
|
|
|
// Deprecated: use OmitRawRequests instead as of now JSONRequests(include raw requests) is always true
|
2020-12-23 20:46:42 +05:30
|
|
|
JSONRequests bool
|
2023-07-04 16:37:56 -04:00
|
|
|
// OmitRawRequests omits requests/responses for matches in JSON output
|
|
|
|
|
OmitRawRequests bool
|
2025-02-13 17:13:39 +05:30
|
|
|
// HTTPStats enables http statistics tracking and display.
|
|
|
|
|
HTTPStats bool
|
2023-11-11 02:12:27 +03:00
|
|
|
// OmitTemplate omits encoded template from JSON output
|
|
|
|
|
OmitTemplate bool
|
2023-03-31 05:59:29 -04:00
|
|
|
// JSONExport is the file to export JSON output format to
|
|
|
|
|
JSONExport string
|
2023-04-08 08:14:41 -04:00
|
|
|
// JSONLExport is the file to export JSONL output format to
|
|
|
|
|
JSONLExport string
|
2024-08-16 09:12:38 +03:00
|
|
|
// Redact redacts given keys in
|
|
|
|
|
Redact goflags.StringSlice
|
2020-12-23 20:46:42 +05:30
|
|
|
// EnableProgressBar enables progress bar
|
|
|
|
|
EnableProgressBar bool
|
2022-11-29 13:18:44 +01:00
|
|
|
// TemplateDisplay displays the template contents
|
|
|
|
|
TemplateDisplay bool
|
2020-12-23 20:46:42 +05:30
|
|
|
// TemplateList lists available templates
|
|
|
|
|
TemplateList bool
|
2024-05-04 21:11:39 +02:00
|
|
|
// TemplateList lists available tags
|
|
|
|
|
TagList bool
|
2022-05-30 14:41:24 +05:30
|
|
|
// HangMonitor enables nuclei hang monitoring
|
|
|
|
|
HangMonitor bool
|
2020-12-23 20:46:42 +05:30
|
|
|
// Stdin specifies whether stdin input was given to the process
|
|
|
|
|
Stdin bool
|
|
|
|
|
// StopAtFirstMatch stops processing template at first full match (this may break chained requests)
|
|
|
|
|
StopAtFirstMatch bool
|
2021-09-26 22:33:12 +02:00
|
|
|
// Stream the input without sorting
|
|
|
|
|
Stream bool
|
2020-12-23 20:46:42 +05:30
|
|
|
// NoMeta disables display of metadata for the matches
|
|
|
|
|
NoMeta bool
|
2022-12-04 22:16:55 +05:30
|
|
|
// Timestamp enables display of timestamp for the matcher
|
|
|
|
|
Timestamp bool
|
2020-12-23 20:46:42 +05:30
|
|
|
// Project is used to avoid sending same HTTP request multiple times
|
|
|
|
|
Project bool
|
2021-03-05 12:08:31 +05:30
|
|
|
// NewTemplates only runs newly added templates from the repository
|
|
|
|
|
NewTemplates bool
|
2022-07-13 06:19:06 -05:00
|
|
|
// NewTemplatesWithVersion runs new templates added in specific version
|
2022-08-27 19:35:17 +05:30
|
|
|
NewTemplatesWithVersion goflags.StringSlice
|
2021-04-18 17:27:45 +05:30
|
|
|
// NoInteractsh disables use of interactsh server for interaction polling
|
|
|
|
|
NoInteractsh bool
|
2021-08-09 00:22:09 +02:00
|
|
|
// EnvironmentVariables enables support for environment variables
|
|
|
|
|
EnvironmentVariables bool
|
2021-11-22 17:53:25 +05:30
|
|
|
// MatcherStatus displays optional status for the failed matches as well
|
|
|
|
|
MatcherStatus bool
|
2021-10-19 23:06:02 -04:00
|
|
|
// ClientCertFile client certificate file (PEM-encoded) used for authenticating against scanned hosts
|
|
|
|
|
ClientCertFile string
|
|
|
|
|
// ClientKeyFile client key file (PEM-encoded) used for authenticating against scanned hosts
|
|
|
|
|
ClientKeyFile string
|
|
|
|
|
// ClientCAFile client certificate authority file (PEM-encoded) used for authenticating against scanned hosts
|
|
|
|
|
ClientCAFile string
|
2023-07-07 05:39:14 +05:30
|
|
|
// Deprecated: Use ZTLS library
|
2022-01-25 20:48:21 +01:00
|
|
|
ZTLS bool
|
2023-07-14 16:09:32 +02:00
|
|
|
// AllowLocalFileAccess allows local file access from templates payloads
|
|
|
|
|
AllowLocalFileAccess bool
|
|
|
|
|
// RestrictLocalNetworkAccess restricts local network access from templates requests
|
|
|
|
|
RestrictLocalNetworkAccess bool
|
2022-06-02 17:06:50 +05:30
|
|
|
// ShowMatchLine enables display of match line number
|
|
|
|
|
ShowMatchLine bool
|
2022-03-03 19:44:29 +05:30
|
|
|
// EnablePprof enables exposing pprof runtime information with a webserver.
|
2022-04-27 11:19:44 -05:00
|
|
|
EnablePprof bool
|
2022-04-01 14:29:02 -05:00
|
|
|
// StoreResponse stores received response to output directory
|
2022-04-27 11:19:44 -05:00
|
|
|
StoreResponse bool
|
2022-04-01 14:29:02 -05:00
|
|
|
// StoreResponseDir stores received response to custom directory
|
|
|
|
|
StoreResponseDir string
|
2022-04-27 11:19:44 -05:00
|
|
|
// DisableRedirects disables following redirects for http request module
|
|
|
|
|
DisableRedirects bool
|
2022-05-11 12:30:39 +02:00
|
|
|
// SNI custom hostname
|
|
|
|
|
SNI string
|
2024-03-14 03:08:53 +05:30
|
|
|
// InputFileMode specifies the mode of input file (jsonl, burp, openapi, swagger, etc)
|
|
|
|
|
InputFileMode string
|
2023-11-29 12:17:10 -08:00
|
|
|
// DialerKeepAlive sets the keep alive duration for network requests.
|
|
|
|
|
DialerKeepAlive time.Duration
|
2022-08-25 17:42:35 +05:30
|
|
|
// Interface to use for network scan
|
|
|
|
|
Interface string
|
|
|
|
|
// SourceIP sets custom source IP address for network requests
|
|
|
|
|
SourceIP string
|
2022-10-19 03:51:45 +05:30
|
|
|
// AttackType overrides template level attack-type configuration
|
|
|
|
|
AttackType string
|
2022-10-07 20:10:00 +05:30
|
|
|
// ResponseReadSize is the maximum size of response to read
|
|
|
|
|
ResponseReadSize int
|
|
|
|
|
// ResponseSaveSize is the maximum size of response to save
|
|
|
|
|
ResponseSaveSize int
|
2022-06-21 21:10:10 +02:00
|
|
|
// Health Check
|
|
|
|
|
HealthCheck bool
|
2022-06-30 14:21:54 +02:00
|
|
|
// Time to wait between each input read operation before closing the stream
|
|
|
|
|
InputReadTimeout time.Duration
|
|
|
|
|
// Disable stdin for input processing
|
|
|
|
|
DisableStdin bool
|
2022-08-25 13:22:08 +02:00
|
|
|
// IncludeConditions is the list of conditions templates should match
|
2022-08-27 19:35:17 +05:30
|
|
|
IncludeConditions goflags.StringSlice
|
2023-08-01 14:33:43 -04:00
|
|
|
// Enable uncover engine
|
2022-11-16 11:12:39 +05:30
|
|
|
Uncover bool
|
|
|
|
|
// Uncover search query
|
|
|
|
|
UncoverQuery goflags.StringSlice
|
|
|
|
|
// Uncover search engine
|
|
|
|
|
UncoverEngine goflags.StringSlice
|
|
|
|
|
// Uncover search field
|
|
|
|
|
UncoverField string
|
|
|
|
|
// Uncover search limit
|
|
|
|
|
UncoverLimit int
|
|
|
|
|
// Uncover search delay
|
2023-05-09 03:57:56 +05:30
|
|
|
UncoverRateLimit int
|
2022-11-09 14:18:56 +01:00
|
|
|
// ScanAllIPs associated to a dns record
|
|
|
|
|
ScanAllIPs bool
|
|
|
|
|
// IPVersion to scan (4,6)
|
|
|
|
|
IPVersion goflags.StringSlice
|
2023-07-17 15:23:10 -04:00
|
|
|
// PublicTemplateDisableDownload disables downloading templates from the nuclei-templates public repository
|
|
|
|
|
PublicTemplateDisableDownload bool
|
2023-04-19 17:42:52 -04:00
|
|
|
// GitHub token used to clone/pull from private repos for custom templates
|
2023-08-01 14:33:43 -04:00
|
|
|
GitHubToken string
|
|
|
|
|
// GitHubTemplateRepo is the list of custom public/private templates GitHub repos
|
|
|
|
|
GitHubTemplateRepo []string
|
2023-07-17 15:23:10 -04:00
|
|
|
// GitHubTemplateDisableDownload disables downloading templates from custom GitHub repositories
|
|
|
|
|
GitHubTemplateDisableDownload bool
|
2023-04-19 17:42:52 -04:00
|
|
|
// GitLabServerURL is the gitlab server to use for custom templates
|
|
|
|
|
GitLabServerURL string
|
|
|
|
|
// GitLabToken used to clone/pull from private repos for custom templates
|
|
|
|
|
GitLabToken string
|
|
|
|
|
// GitLabTemplateRepositoryIDs is the comma-separated list of custom gitlab repositories IDs
|
|
|
|
|
GitLabTemplateRepositoryIDs []int
|
2023-07-17 15:23:10 -04:00
|
|
|
// GitLabTemplateDisableDownload disables downloading templates from custom GitLab repositories
|
|
|
|
|
GitLabTemplateDisableDownload bool
|
2024-10-01 11:45:10 +02:00
|
|
|
// AWS access profile from ~/.aws/credentials file for downloading templates from S3 bucket
|
|
|
|
|
AwsProfile string
|
2023-04-19 17:42:52 -04:00
|
|
|
// AWS access key for downloading templates from S3 bucket
|
2022-12-02 03:57:00 +05:30
|
|
|
AwsAccessKey string
|
2023-04-19 17:42:52 -04:00
|
|
|
// AWS secret key for downloading templates from S3 bucket
|
2022-12-02 03:57:00 +05:30
|
|
|
AwsSecretKey string
|
2023-04-19 17:42:52 -04:00
|
|
|
// AWS bucket name for downloading templates from S3 bucket
|
2022-12-02 03:57:00 +05:30
|
|
|
AwsBucketName string
|
2023-04-19 17:42:52 -04:00
|
|
|
// AWS Region name where AWS S3 bucket is located
|
2022-12-02 03:57:00 +05:30
|
|
|
AwsRegion string
|
2023-07-17 15:23:10 -04:00
|
|
|
// AwsTemplateDisableDownload disables downloading templates from AWS S3 buckets
|
|
|
|
|
AwsTemplateDisableDownload bool
|
2023-04-17 04:18:06 -04:00
|
|
|
// AzureContainerName for downloading templates from Azure Blob Storage. Example: templates
|
|
|
|
|
AzureContainerName string
|
|
|
|
|
// AzureTenantID for downloading templates from Azure Blob Storage. Example: 00000000-0000-0000-0000-000000000000
|
|
|
|
|
AzureTenantID string
|
|
|
|
|
// AzureClientID for downloading templates from Azure Blob Storage. Example: 00000000-0000-0000-0000-000000000000
|
|
|
|
|
AzureClientID string
|
|
|
|
|
// AzureClientSecret for downloading templates from Azure Blob Storage. Example: 00000000-0000-0000-0000-000000000000
|
|
|
|
|
AzureClientSecret string
|
|
|
|
|
// AzureServiceURL for downloading templates from Azure Blob Storage. Example: https://XXXXXXXXXX.blob.core.windows.net/
|
|
|
|
|
AzureServiceURL string
|
2023-07-17 15:23:10 -04:00
|
|
|
// AzureTemplateDisableDownload disables downloading templates from Azure Blob Storage
|
|
|
|
|
AzureTemplateDisableDownload bool
|
2022-12-28 02:18:00 +05:30
|
|
|
// Scan Strategy (auto,hosts-spray,templates-spray)
|
|
|
|
|
ScanStrategy string
|
2023-03-06 16:56:38 +05:30
|
|
|
// Fuzzing Type overrides template level fuzzing-type configuration
|
|
|
|
|
FuzzingType string
|
|
|
|
|
// Fuzzing Mode overrides template level fuzzing-mode configuration
|
|
|
|
|
FuzzingMode string
|
2023-06-21 13:47:18 +02:00
|
|
|
// TlsImpersonate enables TLS impersonation
|
|
|
|
|
TlsImpersonate bool
|
2024-06-11 04:43:46 +05:30
|
|
|
// DisplayFuzzPoints enables display of fuzz points for fuzzing
|
|
|
|
|
DisplayFuzzPoints bool
|
|
|
|
|
// FuzzAggressionLevel is the level of fuzzing aggression (low, medium, high.)
|
|
|
|
|
FuzzAggressionLevel string
|
|
|
|
|
// FuzzParamFrequency is the frequency of fuzzing parameters
|
|
|
|
|
FuzzParamFrequency int
|
2023-06-09 17:24:24 +02:00
|
|
|
// CodeTemplateSignaturePublicKey is the custom public key used to verify the template signature (algorithm is automatically inferred from the length)
|
|
|
|
|
CodeTemplateSignaturePublicKey string
|
|
|
|
|
// CodeTemplateSignatureAlgorithm specifies the sign algorithm (rsa, ecdsa)
|
|
|
|
|
CodeTemplateSignatureAlgorithm string
|
|
|
|
|
// SignTemplates enables signing of templates
|
|
|
|
|
SignTemplates bool
|
2023-11-16 17:56:07 +05:30
|
|
|
// EnableCodeTemplates enables code templates
|
|
|
|
|
EnableCodeTemplates bool
|
2024-03-10 23:31:17 +03:00
|
|
|
// DisableUnsignedTemplates disables processing of unsigned templates
|
|
|
|
|
DisableUnsignedTemplates bool
|
2024-11-27 16:07:59 +07:00
|
|
|
// EnableSelfContainedTemplates enables processing of self-contained templates
|
2024-11-19 19:30:28 +03:00
|
|
|
EnableSelfContainedTemplates bool
|
2024-11-27 16:07:59 +07:00
|
|
|
// EnableGlobalMatchersTemplates enables processing of global-matchers templates
|
|
|
|
|
EnableGlobalMatchersTemplates bool
|
2024-11-19 19:30:28 +03:00
|
|
|
// EnableFileTemplates enables file templates
|
|
|
|
|
EnableFileTemplates bool
|
2023-11-18 16:25:37 +05:30
|
|
|
// Disables cloud upload
|
2023-11-20 21:19:19 +05:30
|
|
|
EnableCloudUpload bool
|
2024-01-21 02:26:16 +05:30
|
|
|
// ScanID is the scan ID to use for cloud upload
|
|
|
|
|
ScanID string
|
2024-05-11 00:44:14 +05:30
|
|
|
// ScanName is the name of the scan to be uploaded
|
|
|
|
|
ScanName string
|
2024-09-12 16:13:49 +05:30
|
|
|
// ScanUploadFile is the jsonl file to upload scan results to cloud
|
|
|
|
|
ScanUploadFile string
|
2024-08-16 13:27:26 +05:30
|
|
|
// TeamID is the team ID to use for cloud upload
|
|
|
|
|
TeamID string
|
2024-01-31 01:59:49 +05:30
|
|
|
// JsConcurrency is the number of concurrent js routines to run
|
|
|
|
|
JsConcurrency int
|
2024-03-14 03:08:53 +05:30
|
|
|
// SecretsFile is file containing secrets for nuclei
|
|
|
|
|
SecretsFile goflags.StringSlice
|
|
|
|
|
// PreFetchSecrets pre-fetches the secrets from the auth provider
|
|
|
|
|
PreFetchSecrets bool
|
|
|
|
|
// FormatUseRequiredOnly only uses required fields when generating requests
|
|
|
|
|
FormatUseRequiredOnly bool
|
|
|
|
|
// SkipFormatValidation is used to skip format validation
|
|
|
|
|
SkipFormatValidation bool
|
2024-03-13 20:35:19 +05:30
|
|
|
// PayloadConcurrency is the number of concurrent payloads to run per template
|
|
|
|
|
PayloadConcurrency int
|
2024-04-09 18:31:22 +02:00
|
|
|
// ProbeConcurrency is the number of concurrent http probes to run with httpx
|
|
|
|
|
ProbeConcurrency int
|
2024-03-29 13:31:30 +05:30
|
|
|
// Dast only runs DAST templates
|
|
|
|
|
DAST bool
|
2025-02-13 18:46:28 +05:30
|
|
|
// DASTServer is the flag to start nuclei as a DAST server
|
|
|
|
|
DASTServer bool
|
|
|
|
|
// DASTServerToken is the token optional for the dast server
|
|
|
|
|
DASTServerToken string
|
|
|
|
|
// DASTServerAddress is the address for the dast server
|
|
|
|
|
DASTServerAddress string
|
|
|
|
|
// DASTReport enables dast report server & final report generation
|
|
|
|
|
DASTReport bool
|
|
|
|
|
// Scope contains a list of regexes for in-scope URLS
|
|
|
|
|
Scope goflags.StringSlice
|
|
|
|
|
// OutOfScope contains a list of regexes for out-scope URLS
|
|
|
|
|
OutOfScope goflags.StringSlice
|
2024-04-24 08:36:04 +01:00
|
|
|
// HttpApiEndpoint is the experimental http api endpoint
|
|
|
|
|
HttpApiEndpoint string
|
2024-05-04 21:53:50 +05:30
|
|
|
// ListTemplateProfiles lists all available template profiles
|
|
|
|
|
ListTemplateProfiles bool
|
2024-09-20 17:11:22 -04:00
|
|
|
// LoadHelperFileFunction is a function that will be used to execute LoadHelperFile.
|
|
|
|
|
// If none is provided, then the default implementation will be used.
|
|
|
|
|
LoadHelperFileFunction LoadHelperFileFunction
|
2024-07-15 13:27:15 +03:00
|
|
|
// timeouts contains various types of timeouts used in nuclei
|
|
|
|
|
// these timeouts are derived from dial-timeout (-timeout) with known multipliers
|
|
|
|
|
// This is internally managed and does not need to be set by user by explicitly setting
|
|
|
|
|
// this overrides the default/derived one
|
|
|
|
|
timeouts *Timeouts
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// SetTimeouts sets the timeout variants to use for the executor
|
|
|
|
|
func (opts *Options) SetTimeouts(t *Timeouts) {
|
|
|
|
|
opts.timeouts = t
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// GetTimeouts returns the timeout variants to use for the executor
|
|
|
|
|
func (eo *Options) GetTimeouts() *Timeouts {
|
|
|
|
|
if eo.timeouts != nil {
|
|
|
|
|
// redundant but apply to avoid any potential issues
|
|
|
|
|
eo.timeouts.ApplyDefaults()
|
|
|
|
|
return eo.timeouts
|
|
|
|
|
}
|
|
|
|
|
// set timeout variant value
|
|
|
|
|
eo.timeouts = NewTimeoutVariant(eo.Timeout)
|
|
|
|
|
eo.timeouts.ApplyDefaults()
|
|
|
|
|
return eo.timeouts
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Timeouts is a struct that contains all the timeout variants for nuclei
|
|
|
|
|
// dialer timeout is used to derive other timeouts
|
|
|
|
|
type Timeouts struct {
|
|
|
|
|
// DialTimeout for fastdialer (default 10s)
|
|
|
|
|
DialTimeout time.Duration
|
|
|
|
|
// Tcp(Network Protocol) Read From Connection Timeout (default 5s)
|
|
|
|
|
TcpReadTimeout time.Duration
|
|
|
|
|
// Http Response Header Timeout (default 10s)
|
|
|
|
|
// this timeout prevents infinite hangs started by server if any
|
|
|
|
|
// this is temporarily overridden when using @timeout request annotation
|
|
|
|
|
HttpResponseHeaderTimeout time.Duration
|
|
|
|
|
// HttpTimeout for http client (default -> 3 x dial-timeout = 30s)
|
|
|
|
|
HttpTimeout time.Duration
|
|
|
|
|
// JsCompilerExec timeout/deadline (default -> 2 x dial-timeout = 20s)
|
|
|
|
|
JsCompilerExecutionTimeout time.Duration
|
|
|
|
|
// CodeExecutionTimeout for code execution (default -> 3 x dial-timeout = 30s)
|
|
|
|
|
CodeExecutionTimeout time.Duration
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// NewTimeoutVariant creates a new timeout variant with the given dial timeout in seconds
|
|
|
|
|
func NewTimeoutVariant(dialTimeoutSec int) *Timeouts {
|
|
|
|
|
tv := &Timeouts{
|
|
|
|
|
DialTimeout: time.Duration(dialTimeoutSec) * time.Second,
|
|
|
|
|
}
|
|
|
|
|
tv.ApplyDefaults()
|
|
|
|
|
return tv
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// ApplyDefaults applies default values to timeout variants when missing
|
|
|
|
|
func (tv *Timeouts) ApplyDefaults() {
|
|
|
|
|
if tv.DialTimeout == 0 {
|
|
|
|
|
tv.DialTimeout = 10 * time.Second
|
|
|
|
|
}
|
|
|
|
|
if tv.TcpReadTimeout == 0 {
|
|
|
|
|
tv.TcpReadTimeout = 5 * time.Second
|
|
|
|
|
}
|
|
|
|
|
if tv.HttpResponseHeaderTimeout == 0 {
|
|
|
|
|
tv.HttpResponseHeaderTimeout = 10 * time.Second
|
|
|
|
|
}
|
|
|
|
|
if tv.HttpTimeout == 0 {
|
|
|
|
|
tv.HttpTimeout = 3 * tv.DialTimeout
|
|
|
|
|
}
|
|
|
|
|
if tv.JsCompilerExecutionTimeout == 0 {
|
|
|
|
|
tv.JsCompilerExecutionTimeout = 2 * tv.DialTimeout
|
|
|
|
|
}
|
|
|
|
|
if tv.CodeExecutionTimeout == 0 {
|
|
|
|
|
tv.CodeExecutionTimeout = 3 * tv.DialTimeout
|
|
|
|
|
}
|
2020-12-23 20:46:42 +05:30
|
|
|
}
|
2021-10-07 12:36:27 +02:00
|
|
|
|
2021-11-29 14:38:45 +01:00
|
|
|
// ShouldLoadResume resume file
|
|
|
|
|
func (options *Options) ShouldLoadResume() bool {
|
2022-02-24 14:32:41 +05:30
|
|
|
return options.Resume != "" && fileutil.FileExists(options.Resume)
|
2021-11-29 14:38:45 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// ShouldSaveResume file
|
|
|
|
|
func (options *Options) ShouldSaveResume() bool {
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-29 00:41:28 +02:00
|
|
|
// ShouldFollowHTTPRedirects determines if http redirects should be followed
|
|
|
|
|
func (options *Options) ShouldFollowHTTPRedirects() bool {
|
|
|
|
|
return options.FollowRedirects || options.FollowHostRedirects
|
|
|
|
|
}
|
|
|
|
|
|
2023-06-26 14:15:12 +02:00
|
|
|
// HasClientCertificates determines if any client certificate was specified
|
|
|
|
|
func (options *Options) HasClientCertificates() bool {
|
|
|
|
|
return options.ClientCertFile != "" || options.ClientCAFile != "" || options.ClientKeyFile != ""
|
|
|
|
|
}
|
|
|
|
|
|
2021-10-29 03:19:43 +05:30
|
|
|
// DefaultOptions returns default options for nuclei
|
|
|
|
|
func DefaultOptions() *Options {
|
|
|
|
|
return &Options{
|
|
|
|
|
RateLimit: 150,
|
2024-04-03 19:28:39 +02:00
|
|
|
RateLimitDuration: time.Second,
|
2021-10-29 03:19:43 +05:30
|
|
|
BulkSize: 25,
|
|
|
|
|
TemplateThreads: 25,
|
|
|
|
|
HeadlessBulkSize: 10,
|
2024-04-16 16:57:32 +05:30
|
|
|
PayloadConcurrency: 25,
|
2021-10-29 03:19:43 +05:30
|
|
|
HeadlessTemplateThreads: 10,
|
2024-04-16 16:57:32 +05:30
|
|
|
ProbeConcurrency: 50,
|
2021-10-29 03:19:43 +05:30
|
|
|
Timeout: 5,
|
|
|
|
|
Retries: 1,
|
|
|
|
|
MaxHostError: 30,
|
2024-05-15 15:34:59 +02:00
|
|
|
ResponseReadSize: 10 * unitutils.Mega,
|
|
|
|
|
ResponseSaveSize: unitutils.Mega,
|
2021-10-29 03:19:43 +05:30
|
|
|
}
|
|
|
|
|
}
|
2022-12-21 22:48:43 +05:30
|
|
|
|
2023-01-22 10:38:50 +01:00
|
|
|
func (options *Options) ShouldUseHostError() bool {
|
|
|
|
|
return options.MaxHostError > 0 && !options.NoHostErrors
|
2022-12-21 22:48:43 +05:30
|
|
|
}
|
2023-07-28 18:50:57 +03:00
|
|
|
|
|
|
|
|
func (options *Options) ParseHeadlessOptionalArguments() map[string]string {
|
|
|
|
|
optionalArguments := make(map[string]string)
|
|
|
|
|
for _, v := range options.HeadlessOptionalArguments {
|
|
|
|
|
if argParts := strings.SplitN(v, "=", 2); len(argParts) >= 2 {
|
|
|
|
|
key := strings.TrimSpace(argParts[0])
|
|
|
|
|
value := strings.TrimSpace(argParts[1])
|
|
|
|
|
if key != "" && value != "" {
|
|
|
|
|
optionalArguments[key] = value
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return optionalArguments
|
|
|
|
|
}
|
2023-08-31 18:03:01 +05:30
|
|
|
|
2024-09-20 17:11:22 -04:00
|
|
|
// LoadHelperFile loads a helper file needed for the template.
|
|
|
|
|
//
|
|
|
|
|
// If LoadHelperFileFunction is set, then that function will be used.
|
|
|
|
|
// Otherwise, the default implementation will be used, which respects the sandbox rules and only loads files from allowed directories.
|
|
|
|
|
func (options *Options) LoadHelperFile(helperFile, templatePath string, catalog catalog.Catalog) (io.ReadCloser, error) {
|
|
|
|
|
if options.LoadHelperFileFunction != nil {
|
|
|
|
|
return options.LoadHelperFileFunction(helperFile, templatePath, catalog)
|
|
|
|
|
}
|
|
|
|
|
return options.defaultLoadHelperFile(helperFile, templatePath, catalog)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// defaultLoadHelperFile loads a helper file needed for the template
|
2023-08-31 18:03:01 +05:30
|
|
|
// this respects the sandbox rules and only loads files from
|
|
|
|
|
// allowed directories
|
2024-09-20 17:11:22 -04:00
|
|
|
func (options *Options) defaultLoadHelperFile(helperFile, templatePath string, catalog catalog.Catalog) (io.ReadCloser, error) {
|
2023-08-31 18:03:01 +05:30
|
|
|
if !options.AllowLocalFileAccess {
|
2023-10-13 13:17:27 +05:30
|
|
|
// if global file access is disabled try loading with restrictions
|
|
|
|
|
absPath, err := options.GetValidAbsPath(helperFile, templatePath)
|
2023-08-31 18:03:01 +05:30
|
|
|
if err != nil {
|
2023-10-13 13:17:27 +05:30
|
|
|
return nil, err
|
2023-08-31 18:03:01 +05:30
|
|
|
}
|
2023-10-13 13:17:27 +05:30
|
|
|
helperFile = absPath
|
|
|
|
|
}
|
|
|
|
|
f, err := os.Open(helperFile)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errorutil.NewWithErr(err).Msgf("could not open file %v", helperFile)
|
|
|
|
|
}
|
|
|
|
|
return f, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// GetValidAbsPath returns absolute path of helper file if it is allowed to be loaded
|
|
|
|
|
// this respects the sandbox rules and only loads files from allowed directories
|
|
|
|
|
func (o *Options) GetValidAbsPath(helperFilePath, templatePath string) (string, error) {
|
|
|
|
|
// Conditions to allow helper file
|
|
|
|
|
// 1. If helper file is present in nuclei-templates directory
|
|
|
|
|
// 2. If helper file and template file are in same directory given that its not root directory
|
|
|
|
|
|
|
|
|
|
// resolve and clean helper file path
|
|
|
|
|
// ResolveNClean uses a custom base path instead of CWD
|
|
|
|
|
resolvedPath, err := fileutil.ResolveNClean(helperFilePath, config.DefaultConfig.GetTemplateDir())
|
|
|
|
|
if err == nil {
|
|
|
|
|
// As per rule 1, if helper file is present in nuclei-templates directory, allow it
|
|
|
|
|
if strings.HasPrefix(resolvedPath, config.DefaultConfig.GetTemplateDir()) {
|
|
|
|
|
return resolvedPath, nil
|
2023-08-31 18:03:01 +05:30
|
|
|
}
|
|
|
|
|
}
|
2023-10-13 13:17:27 +05:30
|
|
|
|
|
|
|
|
// CleanPath resolves using CWD and cleans the path
|
|
|
|
|
helperFilePath, err = fileutil.CleanPath(helperFilePath)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", errorutil.NewWithErr(err).Msgf("could not clean helper file path %v", helperFilePath)
|
2023-08-31 18:03:01 +05:30
|
|
|
}
|
2023-10-13 13:17:27 +05:30
|
|
|
|
|
|
|
|
templatePath, err = fileutil.CleanPath(templatePath)
|
2023-08-31 18:03:01 +05:30
|
|
|
if err != nil {
|
2023-10-13 13:17:27 +05:30
|
|
|
return "", errorutil.NewWithErr(err).Msgf("could not clean template path %v", templatePath)
|
2023-08-31 18:03:01 +05:30
|
|
|
}
|
2023-10-13 13:17:27 +05:30
|
|
|
|
|
|
|
|
// As per rule 2, if template and helper file exist in same directory or helper file existed in any child dir of template dir
|
|
|
|
|
// and both of them are present in user home directory, allow it
|
|
|
|
|
// Review: should we keep this rule ? add extra option to disable this ?
|
|
|
|
|
if isHomeDir(helperFilePath) && isHomeDir(templatePath) && strings.HasPrefix(filepath.Dir(helperFilePath), filepath.Dir(templatePath)) {
|
|
|
|
|
return helperFilePath, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// all other cases are denied
|
|
|
|
|
return "", errorutil.New("access to helper file %v denied", helperFilePath)
|
|
|
|
|
}
|
|
|
|
|
|
2024-07-22 16:59:35 +08:00
|
|
|
// isHomeDir checks if given is home directory
|
2023-10-13 13:17:27 +05:30
|
|
|
func isHomeDir(path string) bool {
|
|
|
|
|
homeDir := folderutil.HomeDirOrDefault("")
|
|
|
|
|
return strings.HasPrefix(path, homeDir)
|
2023-08-31 18:03:01 +05:30
|
|
|
}
|
