nuclei/pkg/catalog/loader/remote_loader.go

package loader

import (
	"bufio"
	"fmt"
	"net/url"
	"strings"
	"sync"

	"github.com/pkg/errors"

	"github.com/projectdiscovery/nuclei/v3/pkg/templates/extensions"
	"github.com/projectdiscovery/nuclei/v3/pkg/utils"
	"github.com/projectdiscovery/retryablehttp-go"
	sliceutil "github.com/projectdiscovery/utils/slice"
	stringsutil "github.com/projectdiscovery/utils/strings"
	syncutil "github.com/projectdiscovery/utils/sync"
)

type ContentType string

const (
	Template ContentType = "Template"
	Workflow ContentType = "Workflow"
)

type RemoteContent struct {
	Content []string
	Type    ContentType
	Error   error
}

func getRemoteTemplatesAndWorkflows(templateURLs, workflowURLs, remoteTemplateDomainList []string) ([]string, []string, error) {
	var (
		err   error
		muErr sync.Mutex
	)
	remoteTemplateList := sliceutil.NewSyncSlice[string]()
	remoteWorkFlowList := sliceutil.NewSyncSlice[string]()

	awg, errAwg := syncutil.New(syncutil.WithSize(50))
	if errAwg != nil {
		return nil, nil, errAwg
	}

	loadItem := func(URL string, contentType ContentType) {
		defer awg.Done()

		remoteContent := getRemoteContent(URL, remoteTemplateDomainList, contentType)
		if remoteContent.Error != nil {
			muErr.Lock()
			if err != nil {
				err = errors.New(remoteContent.Error.Error() + ": " + err.Error())
			} else {
				err = remoteContent.Error
			}
			muErr.Unlock()
		} else {
			switch remoteContent.Type {
			case Template:
				remoteTemplateList.Append(remoteContent.Content...)
			case Workflow:
				remoteWorkFlowList.Append(remoteContent.Content...)
			}
		}
	}

	for _, templateURL := range templateURLs {
		awg.Add()
		go loadItem(templateURL, Template)
	}
	for _, workflowURL := range workflowURLs {
		awg.Add()
		go loadItem(workflowURL, Workflow)
	}

	awg.Wait()

	return remoteTemplateList.Slice, remoteWorkFlowList.Slice, err
}

func getRemoteContent(URL string, remoteTemplateDomainList []string, contentType ContentType) RemoteContent {
	if err := validateRemoteTemplateURL(URL, remoteTemplateDomainList); err != nil {
		return RemoteContent{Error: err}
	}
	if strings.HasPrefix(URL, "http") && stringsutil.HasSuffixAny(URL, extensions.YAML) {
		return RemoteContent{
			Content: []string{URL},
			Type:    contentType,
		}
	}
	response, err := retryablehttp.DefaultClient().Get(URL)
	if err != nil {
		return RemoteContent{Error: err}
	}
	defer func() {
		_ = response.Body.Close()
	}()
	if response.StatusCode < 200 || response.StatusCode > 299 {
		return RemoteContent{Error: fmt.Errorf("get \"%s\": unexpect status %d", URL, response.StatusCode)}
	}

	scanner := bufio.NewScanner(response.Body)
	var templateList []string
	for scanner.Scan() {
		text := strings.TrimSpace(scanner.Text())
		if text == "" {
			continue
		}
		if utils.IsURL(text) {
			if err := validateRemoteTemplateURL(text, remoteTemplateDomainList); err != nil {
				return RemoteContent{Error: err}
			}
		}
		templateList = append(templateList, text)
	}

	if err := scanner.Err(); err != nil {
		return RemoteContent{Error: errors.Wrap(err, "get \"%s\"")}
	}

	return RemoteContent{
		Content: templateList,
		Type:    contentType,
	}
}

func validateRemoteTemplateURL(inputURL string, remoteTemplateDomainList []string) error {
	parsedURL, err := url.Parse(inputURL)
	if err != nil {
		return err
	}
	if !utils.StringSliceContains(remoteTemplateDomainList, parsedURL.Host) {
		return errors.Errorf("Remote template URL host (%s) is not present in the `remote-template-domain` list in nuclei config", parsedURL.Host)
	}
	return nil
}
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`package loader`

			`import (`
			`"bufio"`
			`"fmt"`
* Add support to run remote template * Add remote-template-domain config only flag to specify allowed domain list to load remote templates from 2022-01-12 18:33:17 +05:30			`"net/url"`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`"strings"`
fixing loader FD limit 2025-05-09 21:22:37 +02:00			`"sync"`
Fixed rmeote url loader test cases 2021-11-05 17:24:23 +05:30
			`"github.com/pkg/errors"`
Typo fixes 2022-02-07 16:41:55 +02:00
nuclei v3 : misc updates (#4247) * use parsed options while signing * update project layout to v3 * fix .gitignore * remove example template * misc updates * bump tlsx version * hide template sig warning with env * js: retain value while using log * fix nil pointer derefernce * misc doc update --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-10-17 17:44:13 +05:30			`"github.com/projectdiscovery/nuclei/v3/pkg/templates/extensions"`
			`"github.com/projectdiscovery/nuclei/v3/pkg/utils"`
started move to retryablehttp 2023-03-02 14:54:01 +01:00			`"github.com/projectdiscovery/retryablehttp-go"`
fixing loader FD limit 2025-05-09 21:22:37 +02:00			`sliceutil "github.com/projectdiscovery/utils/slice"`
json templates support (load with flags, run & validate ) (#3424) * extending template identification logic * removing test code * local debug * json template loading support using flags * blacklist meta json files * minor changes --------- Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io> 2023-03-16 09:03:59 +01:00			`stringsutil "github.com/projectdiscovery/utils/strings"`
fixing loader FD limit 2025-05-09 21:22:37 +02:00			`syncutil "github.com/projectdiscovery/utils/sync"`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`)`

			`type ContentType string`

			`const (`
			`Template ContentType = "Template"`
			`Workflow ContentType = "Workflow"`
			`)`

rename few vars, extract duplicate functions to utils 2022-01-24 16:48:12 +05:30			`type RemoteContent struct {`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`Content []string`
			`Type ContentType`
			`Error error`
			`}`

add unit test coverage for remote tempates 2022-01-21 20:14:50 +05:30			`func getRemoteTemplatesAndWorkflows(templateURLs, workflowURLs, remoteTemplateDomainList []string) ([]string, []string, error) {`
fixing loader FD limit 2025-05-09 21:22:37 +02:00			`var (`
			`err error`
			`muErr sync.Mutex`
			`)`
			`remoteTemplateList := sliceutil.NewSyncSlice[string]()`
			`remoteWorkFlowList := sliceutil.NewSyncSlice[string]()`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00
fixing loader FD limit 2025-05-09 21:22:37 +02:00			`awg, errAwg := syncutil.New(syncutil.WithSize(50))`
			`if errAwg != nil {`
			`return nil, nil, errAwg`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`}`

fixing loader FD limit 2025-05-09 21:22:37 +02:00			`loadItem := func(URL string, contentType ContentType) {`
			`defer awg.Done()`

			`remoteContent := getRemoteContent(URL, remoteTemplateDomainList, contentType)`
rename few vars, extract duplicate functions to utils 2022-01-24 16:48:12 +05:30			`if remoteContent.Error != nil {`
fixing loader FD limit 2025-05-09 21:22:37 +02:00			`muErr.Lock()`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`if err != nil {`
rename few vars, extract duplicate functions to utils 2022-01-24 16:48:12 +05:30			`err = errors.New(remoteContent.Error.Error() + ": " + err.Error())`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`} else {`
rename few vars, extract duplicate functions to utils 2022-01-24 16:48:12 +05:30			`err = remoteContent.Error`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`}`
fixing loader FD limit 2025-05-09 21:22:37 +02:00			`muErr.Unlock()`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`} else {`
lint 2025-05-07 23:18:33 +02:00			`switch remoteContent.Type {`
			`case Template:`
fixing loader FD limit 2025-05-09 21:22:37 +02:00			`remoteTemplateList.Append(remoteContent.Content...)`
lint 2025-05-07 23:18:33 +02:00			`case Workflow:`
fixing loader FD limit 2025-05-09 21:22:37 +02:00			`remoteWorkFlowList.Append(remoteContent.Content...)`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`}`
			`}`
			`}`
fixing loader FD limit 2025-05-09 21:22:37 +02:00
			`for _, templateURL := range templateURLs {`
			`awg.Add()`
			`go loadItem(templateURL, Template)`
			`}`
			`for _, workflowURL := range workflowURLs {`
			`awg.Add()`
			`go loadItem(workflowURL, Workflow)`
			`}`

			`awg.Wait()`

			`return remoteTemplateList.Slice, remoteWorkFlowList.Slice, err`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`}`

fixing loader FD limit 2025-05-09 21:22:37 +02:00			`func getRemoteContent(URL string, remoteTemplateDomainList []string, contentType ContentType) RemoteContent {`
Typo fixes 2022-02-07 16:41:55 +02:00			`if err := validateRemoteTemplateURL(URL, remoteTemplateDomainList); err != nil {`
fixing loader FD limit 2025-05-09 21:22:37 +02:00			`return RemoteContent{Error: err}`
validate remote input list URL and it's contents against allowed remote template domain list 2022-01-27 13:45:03 +05:30			`}`
removing .yml from remote loading (#3745) 2023-05-26 22:10:18 +02:00			`if strings.HasPrefix(URL, "http") && stringsutil.HasSuffixAny(URL, extensions.YAML) {`
fixing loader FD limit 2025-05-09 21:22:37 +02:00			`return RemoteContent{`
* Add support to run remote template * Add remote-template-domain config only flag to specify allowed domain list to load remote templates from 2022-01-12 18:33:17 +05:30			`Content: []string{URL},`
			`Type: contentType,`
			`}`
			`}`
started move to retryablehttp 2023-03-02 14:54:01 +01:00			`response, err := retryablehttp.DefaultClient().Get(URL)`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`if err != nil {`
fixing loader FD limit 2025-05-09 21:22:37 +02:00			`return RemoteContent{Error: err}`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`}`
lint 2025-05-07 23:18:33 +02:00			`defer func() {`
			`_ = response.Body.Close()`
			`}()`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`if response.StatusCode < 200 \|\| response.StatusCode > 299 {`
fixing loader FD limit 2025-05-09 21:22:37 +02:00			`return RemoteContent{Error: fmt.Errorf("get \"%s\": unexpect status %d", URL, response.StatusCode)}`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`}`

			`scanner := bufio.NewScanner(response.Body)`
			`var templateList []string`
			`for scanner.Scan() {`
			`text := strings.TrimSpace(scanner.Text())`
			`if text == "" {`
			`continue`
			`}`
validate remote input list URL and it's contents against allowed remote template domain list 2022-01-27 13:45:03 +05:30			`if utils.IsURL(text) {`
Typo fixes 2022-02-07 16:41:55 +02:00			`if err := validateRemoteTemplateURL(text, remoteTemplateDomainList); err != nil {`
fixing loader FD limit 2025-05-09 21:22:37 +02:00			`return RemoteContent{Error: err}`
validate remote input list URL and it's contents against allowed remote template domain list 2022-01-27 13:45:03 +05:30			`}`
			`}`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`templateList = append(templateList, text)`
			`}`

			`if err := scanner.Err(); err != nil {`
fixing loader FD limit 2025-05-09 21:22:37 +02:00			`return RemoteContent{Error: errors.Wrap(err, "get \"%s\"")}`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`}`

fixing loader FD limit 2025-05-09 21:22:37 +02:00			`return RemoteContent{`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`Content: templateList,`
			`Type: contentType,`
			`}`
			`}`
validate remote input list URL and it's contents against allowed remote template domain list 2022-01-27 13:45:03 +05:30
Typo fixes 2022-02-07 16:41:55 +02:00			`func validateRemoteTemplateURL(inputURL string, remoteTemplateDomainList []string) error {`
validate remote input list URL and it's contents against allowed remote template domain list 2022-01-27 13:45:03 +05:30			`parsedURL, err := url.Parse(inputURL)`
			`if err != nil {`
			`return err`
			`}`
			`if !utils.StringSliceContains(remoteTemplateDomainList, parsedURL.Host) {`
			return errors.Errorf("Remote template URL host (%s) is not present in the `remote-template-domain` list in nuclei config", parsedURL.Host)
			`}`
			`return nil`
			`}`