nuclei/pkg/protocols/common/protocolstate/headless.go

package protocolstate

import (
	"context"
	"net"
	"strings"

	"github.com/go-rod/rod"
	"github.com/go-rod/rod/lib/proto"
	"github.com/projectdiscovery/networkpolicy"
	"github.com/projectdiscovery/nuclei/v3/pkg/types"
	errorutil "github.com/projectdiscovery/utils/errors"
	stringsutil "github.com/projectdiscovery/utils/strings"
	urlutil "github.com/projectdiscovery/utils/url"
	"go.uber.org/multierr"
)

// initalize state of headless protocol

var (
	ErrURLDenied  = errorutil.NewWithFmt("headless: url %v dropped by rule: %v")
	ErrHostDenied = errorutil.NewWithFmt("host %v dropped by network policy")

	allowLocalFileAccess bool
)

func GetNetworkPolicy(ctx context.Context) *networkpolicy.NetworkPolicy {
	execCtx := GetExecutionContext(ctx)
	if execCtx == nil {
		return nil
	}
	dialers, ok := dialers.Get(execCtx.ExecutionID)
	if !ok || dialers == nil {
		return nil
	}
	return dialers.NetworkPolicy
}

// ValidateNFailRequest validates and fails request
// if the request does not respect the rules, it will be canceled with reason
func ValidateNFailRequest(options *types.Options, page *rod.Page, e *proto.FetchRequestPaused) error {
	reqURL := e.Request.URL
	normalized := strings.ToLower(reqURL)      // normalize url to lowercase
	normalized = strings.TrimSpace(normalized) // trim leading & trailing whitespaces
	if !allowLocalFileAccess && stringsutil.HasPrefixI(normalized, "file:") {
		return multierr.Combine(FailWithReason(page, e), ErrURLDenied.Msgf(reqURL, "use of file:// protocol disabled use '-lfa' to enable"))
	}
	// validate potential invalid schemes
	// javascript protocol is allowed for xss fuzzing
	if stringsutil.HasPrefixAnyI(normalized, "ftp:", "externalfile:", "chrome:", "chrome-extension:") {
		return multierr.Combine(FailWithReason(page, e), ErrURLDenied.Msgf(reqURL, "protocol blocked by network policy"))
	}
	if !isValidHost(options, reqURL) {
		return multierr.Combine(FailWithReason(page, e), ErrURLDenied.Msgf(reqURL, "address blocked by network policy"))
	}
	return nil
}

// FailWithReason fails request with AccessDenied reason
func FailWithReason(page *rod.Page, e *proto.FetchRequestPaused) error {
	m := proto.FetchFailRequest{
		RequestID:   e.RequestID,
		ErrorReason: proto.NetworkErrorReasonAccessDenied,
	}
	return m.Call(page)
}

// InitHeadless initializes headless protocol state
func InitHeadless(localFileAccess bool) {
	allowLocalFileAccess = localFileAccess
}

// isValidHost checks if the host is valid (only limited to http/https protocols)
func isValidHost(options *types.Options, targetUrl string) bool {
	if !stringsutil.HasPrefixAny(targetUrl, "http:", "https:") {
		return true
	}

	dialers, ok := dialers.Get(options.ExecutionId)
	if !ok {
		return true
	}

	np := dialers.NetworkPolicy
	if !ok || np == nil {
		return true
	}

	urlx, err := urlutil.Parse(targetUrl)
	if err != nil {
		// not a valid url
		return false
	}
	targetUrl = urlx.Hostname()
	_, ok = np.ValidateHost(targetUrl)
	return ok
}

// IsHostAllowed checks if the host is allowed by network policy
func IsHostAllowed(executionId string, targetUrl string) bool {
	dialers, ok := dialers.Get(executionId)
	if !ok {
		return true
	}

	np := dialers.NetworkPolicy
	if !ok || np == nil {
		return true
	}

	sepCount := strings.Count(targetUrl, ":")
	if sepCount > 1 {
		// most likely a ipv6 address (parse url and validate host)
		return np.Validate(targetUrl)
	}
	if sepCount == 1 {
		host, _, _ := net.SplitHostPort(targetUrl)
		if _, ok := np.ValidateHost(host); !ok {
			return false
		}
		return true
	}
	// just a hostname or ip without port
	_, ok = np.ValidateHost(targetUrl)
	return ok
}
optional file read in headless protocol (#4055) * use -lfa and -lna in headless * fix lna in headless * misc update * fix nil pointer dereference in test * fix lint & unit test * use urlutil * headless protocol scheme improvements * add unit and integration tests * run unit test from binary --------- Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io> 2023-08-25 18:30:46 +05:30			`package protocolstate`

			`import (`
introducing execution id 2025-05-05 22:15:44 +02:00			`"context"`
fix network policy error 2024-02-06 02:03:33 +05:30			`"net"`
optional file read in headless protocol (#4055) * use -lfa and -lna in headless * fix lna in headless * misc update * fix nil pointer dereference in test * fix lint & unit test * use urlutil * headless protocol scheme improvements * add unit and integration tests * run unit test from binary --------- Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io> 2023-08-25 18:30:46 +05:30			`"strings"`

			`"github.com/go-rod/rod"`
			`"github.com/go-rod/rod/lib/proto"`
			`"github.com/projectdiscovery/networkpolicy"`
wip 2025-05-06 10:13:46 +02:00			`"github.com/projectdiscovery/nuclei/v3/pkg/types"`
optional file read in headless protocol (#4055) * use -lfa and -lna in headless * fix lna in headless * misc update * fix nil pointer dereference in test * fix lint & unit test * use urlutil * headless protocol scheme improvements * add unit and integration tests * run unit test from binary --------- Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io> 2023-08-25 18:30:46 +05:30			`errorutil "github.com/projectdiscovery/utils/errors"`
			`stringsutil "github.com/projectdiscovery/utils/strings"`
			`urlutil "github.com/projectdiscovery/utils/url"`
			`"go.uber.org/multierr"`
			`)`

			`// initalize state of headless protocol`

			`var (`
wip 2025-05-06 10:13:46 +02:00			`ErrURLDenied = errorutil.NewWithFmt("headless: url %v dropped by rule: %v")`
			`ErrHostDenied = errorutil.NewWithFmt("host %v dropped by network policy")`

optional file read in headless protocol (#4055) * use -lfa and -lna in headless * fix lna in headless * misc update * fix nil pointer dereference in test * fix lint & unit test * use urlutil * headless protocol scheme improvements * add unit and integration tests * run unit test from binary --------- Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io> 2023-08-25 18:30:46 +05:30			`allowLocalFileAccess bool`
			`)`

introducing execution id 2025-05-05 22:15:44 +02:00			`func GetNetworkPolicy(ctx context.Context) *networkpolicy.NetworkPolicy {`
			`execCtx := GetExecutionContext(ctx)`
			`if execCtx == nil {`
			`return nil`
			`}`
wip 2025-05-06 10:13:46 +02:00			`dialers, ok := dialers.Get(execCtx.ExecutionID)`
			`if !ok \|\| dialers == nil {`
introducing execution id 2025-05-05 22:15:44 +02:00			`return nil`
			`}`
wip 2025-05-06 10:13:46 +02:00			`return dialers.NetworkPolicy`
introducing execution id 2025-05-05 22:15:44 +02:00			`}`

optional file read in headless protocol (#4055) * use -lfa and -lna in headless * fix lna in headless * misc update * fix nil pointer dereference in test * fix lint & unit test * use urlutil * headless protocol scheme improvements * add unit and integration tests * run unit test from binary --------- Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io> 2023-08-25 18:30:46 +05:30			`// ValidateNFailRequest validates and fails request`
			`// if the request does not respect the rules, it will be canceled with reason`
wip 2025-05-06 10:13:46 +02:00			`func ValidateNFailRequest(options types.Options, page rod.Page, e *proto.FetchRequestPaused) error {`
optional file read in headless protocol (#4055) * use -lfa and -lna in headless * fix lna in headless * misc update * fix nil pointer dereference in test * fix lint & unit test * use urlutil * headless protocol scheme improvements * add unit and integration tests * run unit test from binary --------- Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io> 2023-08-25 18:30:46 +05:30			`reqURL := e.Request.URL`
			`normalized := strings.ToLower(reqURL) // normalize url to lowercase`
			`normalized = strings.TrimSpace(normalized) // trim leading & trailing whitespaces`
			`if !allowLocalFileAccess && stringsutil.HasPrefixI(normalized, "file:") {`
			`return multierr.Combine(FailWithReason(page, e), ErrURLDenied.Msgf(reqURL, "use of file:// protocol disabled use '-lfa' to enable"))`
			`}`
			`// validate potential invalid schemes`
			`// javascript protocol is allowed for xss fuzzing`
use stringsutil.HasPrefixAnyI 2023-08-28 08:15:30 +00:00			`if stringsutil.HasPrefixAnyI(normalized, "ftp:", "externalfile:", "chrome:", "chrome-extension:") {`
optional file read in headless protocol (#4055) * use -lfa and -lna in headless * fix lna in headless * misc update * fix nil pointer dereference in test * fix lint & unit test * use urlutil * headless protocol scheme improvements * add unit and integration tests * run unit test from binary --------- Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io> 2023-08-25 18:30:46 +05:30			`return multierr.Combine(FailWithReason(page, e), ErrURLDenied.Msgf(reqURL, "protocol blocked by network policy"))`
			`}`
wip 2025-05-06 10:13:46 +02:00			`if !isValidHost(options, reqURL) {`
optional file read in headless protocol (#4055) * use -lfa and -lna in headless * fix lna in headless * misc update * fix nil pointer dereference in test * fix lint & unit test * use urlutil * headless protocol scheme improvements * add unit and integration tests * run unit test from binary --------- Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io> 2023-08-25 18:30:46 +05:30			`return multierr.Combine(FailWithReason(page, e), ErrURLDenied.Msgf(reqURL, "address blocked by network policy"))`
			`}`
			`return nil`
			`}`

			`// FailWithReason fails request with AccessDenied reason`
			`func FailWithReason(page rod.Page, e proto.FetchRequestPaused) error {`
			`m := proto.FetchFailRequest{`
			`RequestID: e.RequestID,`
			`ErrorReason: proto.NetworkErrorReasonAccessDenied,`
			`}`
			`return m.Call(page)`
			`}`

			`// InitHeadless initializes headless protocol state`
wip 2025-05-06 10:13:46 +02:00			`func InitHeadless(localFileAccess bool) {`
optional file read in headless protocol (#4055) * use -lfa and -lna in headless * fix lna in headless * misc update * fix nil pointer dereference in test * fix lint & unit test * use urlutil * headless protocol scheme improvements * add unit and integration tests * run unit test from binary --------- Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io> 2023-08-25 18:30:46 +05:30			`allowLocalFileAccess = localFileAccess`
			`}`

			`// isValidHost checks if the host is valid (only limited to http/https protocols)`
wip 2025-05-06 10:13:46 +02:00			`func isValidHost(options *types.Options, targetUrl string) bool {`
optional file read in headless protocol (#4055) * use -lfa and -lna in headless * fix lna in headless * misc update * fix nil pointer dereference in test * fix lint & unit test * use urlutil * headless protocol scheme improvements * add unit and integration tests * run unit test from binary --------- Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io> 2023-08-25 18:30:46 +05:30			`if !stringsutil.HasPrefixAny(targetUrl, "http:", "https:") {`
			`return true`
			`}`
introducing execution id 2025-05-05 22:15:44 +02:00
wip 2025-05-06 10:13:46 +02:00			`dialers, ok := dialers.Get(options.ExecutionId)`
			`if !ok {`
introducing execution id 2025-05-05 22:15:44 +02:00			`return true`
			`}`

wip 2025-05-06 10:13:46 +02:00			`np := dialers.NetworkPolicy`
introducing execution id 2025-05-05 22:15:44 +02:00			`if !ok \|\| np == nil {`
optional file read in headless protocol (#4055) * use -lfa and -lna in headless * fix lna in headless * misc update * fix nil pointer dereference in test * fix lint & unit test * use urlutil * headless protocol scheme improvements * add unit and integration tests * run unit test from binary --------- Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io> 2023-08-25 18:30:46 +05:30			`return true`
			`}`
introducing execution id 2025-05-05 22:15:44 +02:00
optional file read in headless protocol (#4055) * use -lfa and -lna in headless * fix lna in headless * misc update * fix nil pointer dereference in test * fix lint & unit test * use urlutil * headless protocol scheme improvements * add unit and integration tests * run unit test from binary --------- Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io> 2023-08-25 18:30:46 +05:30			`urlx, err := urlutil.Parse(targetUrl)`
			`if err != nil {`
			`// not a valid url`
			`return false`
			`}`
			`targetUrl = urlx.Hostname()`
introducing execution id 2025-05-05 22:15:44 +02:00			`_, ok = np.ValidateHost(targetUrl)`
optional file read in headless protocol (#4055) * use -lfa and -lna in headless * fix lna in headless * misc update * fix nil pointer dereference in test * fix lint & unit test * use urlutil * headless protocol scheme improvements * add unit and integration tests * run unit test from binary --------- Co-authored-by: Tarun Koyalwar <tarun@projectdiscovery.io> 2023-08-25 18:30:46 +05:30			`return ok`
			`}`
javascript protocol for scripting (includes 15+ proto libs) (#4109) * rebase js-layer PR from @ice3man543 * package restructuring * working * fix duplicated event & matcher status * fix lint error * fix response field * add new functions * multiple minor improvements * fix incorrect stats in js protocol * sort output metadata in cli * remove temp files * remove dead code * add unit and integration test * fix lint error * add jsdoclint using llm * fix error in test * add js lint using llm * generate docs of libs * llm lint * remove duplicated docs * update generated docs * update prompt in doclint * update docs * temp disable version check test * fix unit test and add retry * fix panic in it * update and move jsdocs * updated jsdocs * update docs * update container platform in test * dir restructure and adding docs * add api_reference and remove markdown docs * fix imports * add javascript design and contribution docs * add js protocol documentation * update integration test and docs * update doc ext mdx->md * minor update to docs * new integration test and more * move go libs and add docs * gen new net docs and more * final docs update * add new devtool * use fastdialer * fix build fail * use fastdialer + network sandbox support * add reserved keyword 'Port' * update Port to new syntax * misc update * always enable templatectx in js protocol * move docs to 'js-proto-docs' repo * remove scrapefuncs binary --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-09-16 16:02:17 +05:30
			`// IsHostAllowed checks if the host is allowed by network policy`
wip 2025-05-06 10:13:46 +02:00			`func IsHostAllowed(executionId string, targetUrl string) bool {`
			`dialers, ok := dialers.Get(executionId)`
			`if !ok {`
javascript protocol for scripting (includes 15+ proto libs) (#4109) * rebase js-layer PR from @ice3man543 * package restructuring * working * fix duplicated event & matcher status * fix lint error * fix response field * add new functions * multiple minor improvements * fix incorrect stats in js protocol * sort output metadata in cli * remove temp files * remove dead code * add unit and integration test * fix lint error * add jsdoclint using llm * fix error in test * add js lint using llm * generate docs of libs * llm lint * remove duplicated docs * update generated docs * update prompt in doclint * update docs * temp disable version check test * fix unit test and add retry * fix panic in it * update and move jsdocs * updated jsdocs * update docs * update container platform in test * dir restructure and adding docs * add api_reference and remove markdown docs * fix imports * add javascript design and contribution docs * add js protocol documentation * update integration test and docs * update doc ext mdx->md * minor update to docs * new integration test and more * move go libs and add docs * gen new net docs and more * final docs update * add new devtool * use fastdialer * fix build fail * use fastdialer + network sandbox support * add reserved keyword 'Port' * update Port to new syntax * misc update * always enable templatectx in js protocol * move docs to 'js-proto-docs' repo * remove scrapefuncs binary --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-09-16 16:02:17 +05:30			`return true`
			`}`
introducing execution id 2025-05-05 22:15:44 +02:00
wip 2025-05-06 10:13:46 +02:00			`np := dialers.NetworkPolicy`
introducing execution id 2025-05-05 22:15:44 +02:00			`if !ok \|\| np == nil {`
			`return true`
			`}`

fix network policy error 2024-02-06 02:03:33 +05:30			`sepCount := strings.Count(targetUrl, ":")`
			`if sepCount > 1 {`
			`// most likely a ipv6 address (parse url and validate host)`
introducing execution id 2025-05-05 22:15:44 +02:00			`return np.Validate(targetUrl)`
fix network policy error 2024-02-06 02:03:33 +05:30			`}`
			`if sepCount == 1 {`
			`host, _, _ := net.SplitHostPort(targetUrl)`
introducing execution id 2025-05-05 22:15:44 +02:00			`if _, ok := np.ValidateHost(host); !ok {`
fix network policy error 2024-02-06 02:03:33 +05:30			`return false`
			`}`
			`return true`
			`}`
			`// just a hostname or ip without port`
introducing execution id 2025-05-05 22:15:44 +02:00			`_, ok = np.ValidateHost(targetUrl)`
javascript protocol for scripting (includes 15+ proto libs) (#4109) * rebase js-layer PR from @ice3man543 * package restructuring * working * fix duplicated event & matcher status * fix lint error * fix response field * add new functions * multiple minor improvements * fix incorrect stats in js protocol * sort output metadata in cli * remove temp files * remove dead code * add unit and integration test * fix lint error * add jsdoclint using llm * fix error in test * add js lint using llm * generate docs of libs * llm lint * remove duplicated docs * update generated docs * update prompt in doclint * update docs * temp disable version check test * fix unit test and add retry * fix panic in it * update and move jsdocs * updated jsdocs * update docs * update container platform in test * dir restructure and adding docs * add api_reference and remove markdown docs * fix imports * add javascript design and contribution docs * add js protocol documentation * update integration test and docs * update doc ext mdx->md * minor update to docs * new integration test and more * move go libs and add docs * gen new net docs and more * final docs update * add new devtool * use fastdialer * fix build fail * use fastdialer + network sandbox support * add reserved keyword 'Port' * update Port to new syntax * misc update * always enable templatectx in js protocol * move docs to 'js-proto-docs' repo * remove scrapefuncs binary --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-09-16 16:02:17 +05:30			`return ok`
			`}`