nuclei/v2/internal/runner/nucleicloud/cloud.go

package nucleicloud

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
	"time"

	jsoniter "github.com/json-iterator/go"
	"github.com/pkg/errors"
	"github.com/projectdiscovery/nuclei/v2/pkg/output"
	"github.com/projectdiscovery/retryablehttp-go"
)

// Client is a client for result retrieval from nuclei-cloud API
type Client struct {
	baseURL    string
	apiKey     string
	httpclient *retryablehttp.Client
}

const (
	pollInterval   = 3 * time.Second
	resultSize     = 100
	defaultBaseURL = "https://cloud-dev.nuclei.sh"
)

// New returns a nuclei-cloud API client
func New(baseURL, apiKey string) *Client {
	options := retryablehttp.DefaultOptionsSingle
	options.NoAdjustTimeout = true
	options.Timeout = 60 * time.Second
	client := retryablehttp.NewClient(options)

	baseAppURL := baseURL
	if baseAppURL == "" {
		baseAppURL = defaultBaseURL
	}
	return &Client{httpclient: client, baseURL: baseAppURL, apiKey: apiKey}
}

// AddScan adds a scan for templates and target to nuclei server
func (c *Client) AddScan(req *AddScanRequest) (string, error) {
	var buf bytes.Buffer
	if err := jsoniter.NewEncoder(&buf).Encode(req); err != nil {
		return "", errors.Wrap(err, "could not encode request")
	}
	httpReq, err := retryablehttp.NewRequest(http.MethodPost, fmt.Sprintf("%s/scan", c.baseURL), bytes.NewReader(buf.Bytes()))
	if err != nil {
		return "", errors.Wrap(err, "could not make request")
	}

	resp, err := c.sendRequest(httpReq)
	if err != nil {
		return "", errors.Wrap(err, "could not do request")
	}
	defer resp.Body.Close()

	var data map[string]string
	if err := jsoniter.NewDecoder(resp.Body).Decode(&data); err != nil {
		return "", errors.Wrap(err, "could not decode resp")
	}
	id := data["id"]
	return id, nil
}

// GetResults gets results from nuclei server for an ID
// until there are no more results left to retrieve.
func (c *Client) GetResults(ID string, callback func(*output.ResultEvent), checkProgress bool, limit int) error {
	lastID := int64(0)

	for {
		uri := fmt.Sprintf("%s/results?id=%s&from=%d&size=%d", c.baseURL, ID, lastID, limit)
		httpReq, err := retryablehttp.NewRequest(http.MethodGet, uri, nil)
		if err != nil {
			return errors.Wrap(err, "could not make request")
		}

		resp, err := c.sendRequest(httpReq)
		if err != nil {
			return errors.Wrap(err, "could not do request")
		}

		var items GetResultsResponse
		if err := jsoniter.NewDecoder(resp.Body).Decode(&items); err != nil {
			resp.Body.Close()
			return errors.Wrap(err, "could not decode results")
		}
		resp.Body.Close()

		for _, item := range items.Items {
			lastID = item.ID

			var result output.ResultEvent
			if err := jsoniter.NewDecoder(strings.NewReader(item.Raw)).Decode(&result); err != nil {
				return errors.Wrap(err, "could not decode result item")
			}
			callback(&result)
		}

		//This is checked during scan is added else if no item found break out of loop.
		if checkProgress {
			if items.Finished && len(items.Items) == 0 {
				break
			}
		} else if len(items.Items) == 0 {
			break
		}

		time.Sleep(pollInterval)
	}
	return nil
}

func (c *Client) GetScans(limit int, from string) ([]GetScanRequest, error) {
	var items []GetScanRequest
	httpReq, err := retryablehttp.NewRequest(http.MethodGet, fmt.Sprintf("%s/scan?from=%s&size=%d", c.baseURL, url.QueryEscape(from), limit), nil)
	if err != nil {
		return items, errors.Wrap(err, "could not make request")
	}

	resp, err := c.sendRequest(httpReq)
	if err != nil {
		return nil, errors.Wrap(err, "could not do request")
	}
	defer resp.Body.Close()

	if err := jsoniter.NewDecoder(resp.Body).Decode(&items); err != nil {
		return items, errors.Wrap(err, "could not decode results")
	}
	return items, nil
}

// Delete a scan and it's issues by the scan id.
func (c *Client) DeleteScan(id string) (DeleteScanResults, error) {
	deletescan := DeleteScanResults{}
	httpReq, err := retryablehttp.NewRequest(http.MethodDelete, fmt.Sprintf("%s/scan?id=%s", c.baseURL, id), nil)
	if err != nil {
		return deletescan, errors.Wrap(err, "could not make request")
	}

	resp, err := c.sendRequest(httpReq)
	if err != nil {
		return deletescan, errors.Wrap(err, "could not do request")
	}
	defer resp.Body.Close()

	if err := jsoniter.NewDecoder(resp.Body).Decode(&deletescan); err != nil {
		return deletescan, errors.Wrap(err, "could not delete scan")
	}
	return deletescan, nil
}

// StatusDataSource returns the status for a data source
func (c *Client) StatusDataSource(statusRequest StatusDataSourceRequest) (string, error) {
	var buf bytes.Buffer
	if err := jsoniter.NewEncoder(&buf).Encode(statusRequest); err != nil {
		return "", errors.Wrap(err, "could not encode request")
	}
	httpReq, err := retryablehttp.NewRequest(http.MethodPost, fmt.Sprintf("%s/datasources/status", c.baseURL), bytes.NewReader(buf.Bytes()))
	if err != nil {
		return "", errors.Wrap(err, "could not make request")
	}

	resp, err := c.sendRequest(httpReq)
	if err != nil {
		return "", errors.Wrap(err, "could not do request")
	}
	defer resp.Body.Close()

	var data map[string]interface{}
	if err := jsoniter.NewDecoder(resp.Body).Decode(&data); err != nil {
		return "", errors.Wrap(err, "could not decode resp")
	}
	id := data["id"].(string)
	return id, nil
}

// AddDataSource adds a new data source
func (c *Client) AddDataSource(req AddDataSourceRequest) (string, string, error) {
	var buf bytes.Buffer
	if err := jsoniter.NewEncoder(&buf).Encode(req); err != nil {
		return "", "", errors.Wrap(err, "could not encode request")
	}
	httpReq, err := retryablehttp.NewRequest(http.MethodPost, fmt.Sprintf("%s/datasources", c.baseURL), bytes.NewReader(buf.Bytes()))
	if err != nil {
		return "", "", errors.Wrap(err, "could not make request")
	}
	resp, err := c.sendRequest(httpReq)
	if err != nil {
		return "", "", errors.Wrap(err, "could not do request")
	}
	defer resp.Body.Close()

	var data map[string]interface{}
	if err := jsoniter.NewDecoder(resp.Body).Decode(&data); err != nil {
		return "", "", errors.Wrap(err, "could not decode resp")
	}
	id := data["id"].(string)
	secret, _ := data["secret"].(string)
	return id, secret, nil
}

// SyncDataSource syncs contents for a data source. The call blocks until
// update is completed.
func (c *Client) SyncDataSource(ID string) error {
	httpReq, err := retryablehttp.NewRequest(http.MethodGet, fmt.Sprintf("%s/datasources/%s/sync", c.baseURL, ID), nil)
	if err != nil {
		return errors.Wrap(err, "could not make request")
	}

	resp, err := c.sendRequest(httpReq)
	if err != nil {
		return errors.Wrap(err, "could not do request")
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body)
	return nil
}

// ExistsDataSourceItem identifies whether data source item exist
func (c *Client) ExistsDataSourceItem(req ExistsDataSourceItemRequest) error {
	var buf bytes.Buffer
	if err := jsoniter.NewEncoder(&buf).Encode(req); err != nil {
		return errors.Wrap(err, "could not encode request")
	}
	httpReq, err := retryablehttp.NewRequest(http.MethodPost, fmt.Sprintf("%s/datasources/exists", c.baseURL), bytes.NewReader(buf.Bytes()))
	if err != nil {
		return errors.Wrap(err, "could not make request")
	}
	resp, err := c.sendRequest(httpReq)
	if err != nil {
		return errors.Wrap(err, "could not do request")
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body)
	return nil
}

func (c *Client) ListDatasources() ([]GetDataSourceResponse, error) {
	var items []GetDataSourceResponse
	httpReq, err := retryablehttp.NewRequest(http.MethodGet, fmt.Sprintf("%s/datasources", c.baseURL), nil)
	if err != nil {
		return items, errors.Wrap(err, "could not make request")
	}

	resp, err := c.sendRequest(httpReq)
	if err != nil {
		return nil, errors.Wrap(err, "could not do request")
	}
	defer resp.Body.Close()

	if err := jsoniter.NewDecoder(resp.Body).Decode(&items); err != nil {
		return items, errors.Wrap(err, "could not decode results")
	}
	return items, nil
}

func (c *Client) ListTargets() ([]GetTargetResponse, error) {
	var items []GetTargetResponse
	httpReq, err := retryablehttp.NewRequest(http.MethodGet, fmt.Sprintf("%s/targets", c.baseURL), nil)
	if err != nil {
		return items, errors.Wrap(err, "could not make request")
	}

	resp, err := c.sendRequest(httpReq)
	if err != nil {
		return nil, errors.Wrap(err, "could not do request")
	}
	defer resp.Body.Close()

	if err := jsoniter.NewDecoder(resp.Body).Decode(&items); err != nil {
		return items, errors.Wrap(err, "could not decode results")
	}
	return items, nil
}

func (c *Client) ListTemplates() ([]GetTemplatesResponse, error) {
	var items []GetTemplatesResponse
	httpReq, err := retryablehttp.NewRequest(http.MethodGet, fmt.Sprintf("%s/templates", c.baseURL), nil)
	if err != nil {
		return items, errors.Wrap(err, "could not make request")
	}

	resp, err := c.sendRequest(httpReq)
	if err != nil {
		return nil, errors.Wrap(err, "could not do request")
	}
	defer resp.Body.Close()

	if err := jsoniter.NewDecoder(resp.Body).Decode(&items); err != nil {
		return items, errors.Wrap(err, "could not decode results")
	}
	return items, nil
}

const apiKeyParameter = "X-API-Key"

type errorResponse struct {
	Message string `json:"message"`
}

func (c *Client) sendRequest(req *retryablehttp.Request) (*http.Response, error) {
	req.Header.Set(apiKeyParameter, c.apiKey)

	resp, err := c.httpclient.Do(req)
	if err != nil {
		return nil, errors.Wrap(err, "could not do request")
	}
	if resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusBadRequest {
		data, _ := io.ReadAll(resp.Body)
		resp.Body.Close()
		var errRes errorResponse
		if err = json.NewDecoder(bytes.NewReader(data)).Decode(&errRes); err == nil {
			return nil, errors.New(errRes.Message)
		}
		return nil, fmt.Errorf("unknown error, status code: %d=%s", resp.StatusCode, string(data))
	}
	return resp, nil
}