nuclei/v2/internal/runner/options.go

package runner

import (
	"errors"
	"flag"
	"net/url"
	"os"

	"github.com/projectdiscovery/gologger"
)

// ParseOptions parses the command line flags provided by a user
func ParseOptions() *Options {
	options := &Options{}

	flag.BoolVar(&options.Vhost, "vhost", false, "Input supplied is a comma-separated vhost list")
	flag.BoolVar(&options.Sandbox, "sandbox", false, "Run workflows in isolated sandbox mode")
	flag.BoolVar(&options.Metrics, "metrics", false, "Expose nuclei metrics on a port")
	flag.IntVar(&options.MetricsPort, "metrics-port", 9092, "Port to expose nuclei metrics on")
	flag.IntVar(&options.MaxWorkflowDuration, "workflow-duration", 10, "Max time for workflow run on single URL in minutes")
	flag.StringVar(&options.Target, "target", "", "Target is a single target to scan using template")
	flag.Var(&options.Templates, "t", "Template input dir/file/files to run on host. Can be used multiple times. Supports globbing.")
	flag.Var(&options.ExcludedTemplates, "exclude", "Template input dir/file/files to exclude. Can be used multiple times. Supports globbing.")
	flag.StringVar(&options.Severity, "severity", "", "Filter templates based on their severity and only run the matching ones. Comma-separated values can be used to specify multiple severities.")
	flag.StringVar(&options.Targets, "l", "", "List of URLs to run templates on")
	flag.StringVar(&options.Output, "o", "", "File to write output to (optional)")
	flag.StringVar(&options.ProxyURL, "proxy-url", "", "URL of the proxy server")
	flag.StringVar(&options.ProxySocksURL, "proxy-socks-url", "", "URL of the proxy socks server")
	flag.BoolVar(&options.Silent, "silent", false, "Show only results in output")
	flag.BoolVar(&options.Version, "version", false, "Show version of nuclei")
	flag.BoolVar(&options.Verbose, "v", false, "Show Verbose output")
	flag.BoolVar(&options.NoColor, "no-color", false, "Disable colors in output")
	flag.IntVar(&options.Timeout, "timeout", 5, "Time to wait in seconds before timeout")
	flag.IntVar(&options.Retries, "retries", 1, "Number of times to retry a failed request")
	flag.BoolVar(&options.RandomAgent, "random-agent", false, "Use randomly selected HTTP User-Agent header value")
	flag.Var(&options.CustomHeaders, "H", "Custom Header.")
	flag.BoolVar(&options.Debug, "debug", false, "Allow debugging of request/responses")
	flag.BoolVar(&options.UpdateTemplates, "update-templates", false, "Update Templates updates the installed templates (optional)")
	flag.StringVar(&options.TraceLogFile, "trace-log", "", "File to write sent requests trace log")
	flag.StringVar(&options.TemplatesDirectory, "update-directory", "", "Directory to use for storing nuclei-templates")
	flag.BoolVar(&options.JSON, "json", false, "Write json output to files")
	flag.BoolVar(&options.JSONRequests, "include-rr", false, "Write requests/responses for matches in JSON output")
	flag.BoolVar(&options.EnableProgressBar, "stats", false, "Display stats of the running scan")
	flag.BoolVar(&options.TemplateList, "tl", false, "List available templates")
	flag.IntVar(&options.RateLimit, "rate-limit", 150, "Rate-Limit (maximum requests/second")
	flag.BoolVar(&options.StopAtFirstMatch, "stop-at-first-match", false, "Stop processing http requests at first match (this may break template/workflow logic)")
	flag.IntVar(&options.BulkSize, "bulk-size", 25, "Maximum Number of hosts analyzed in parallel per template")
	flag.IntVar(&options.TemplateThreads, "c", 10, "Maximum Number of templates executed in parallel")
	flag.BoolVar(&options.Project, "project", false, "Use a project folder to avoid sending same request multiple times")
	flag.StringVar(&options.ProjectPath, "project-path", "", "Use a user defined project folder, temporary folder is used if not specified but enabled")
	flag.BoolVar(&options.NoMeta, "no-meta", false, "Don't display metadata for the matches")
	flag.BoolVar(&options.TemplatesVersion, "templates-version", false, "Shows the installed nuclei-templates version")
	flag.StringVar(&options.BurpCollaboratorBiid, "burp-collaborator-biid", "", "Burp Collaborator BIID")
	flag.Parse()

	// Check if stdin pipe was given
	options.Stdin = hasStdin()

	// Read the inputs and configure the logging
	options.configureOutput()

	// Show the user the banner
	showBanner()

	if options.Version {
		gologger.Infof("Current Version: %s\n", Version)
		os.Exit(0)
	}
	if options.TemplatesVersion {
		config, err := readConfiguration()
		if err != nil {
			gologger.Fatalf("Could not read template configuration: %s\n", err)
		}
		gologger.Infof("Current nuclei-templates version: %s (%s)\n", config.CurrentVersion, config.TemplatesDirectory)
		os.Exit(0)
	}

	// Validate the options passed by the user and if any
	// invalid options have been used, exit.
	err := options.validateOptions()
	if err != nil {
		gologger.Fatalf("Program exiting: %s\n", err)
	}

	return options
}

func hasStdin() bool {
	stat, err := os.Stdin.Stat()
	if err != nil {
		return false
	}

	isPipedFromChrDev := (stat.Mode() & os.ModeCharDevice) == 0
	isPipedFromFIFO := (stat.Mode() & os.ModeNamedPipe) != 0

	return isPipedFromChrDev || isPipedFromFIFO
}

// validateOptions validates the configuration options passed
func (options *Options) validateOptions() error {
	// Both verbose and silent flags were used
	if options.Verbose && options.Silent {
		return errors.New("both verbose and silent mode specified")
	}

	if !options.TemplateList {
		// Check if a list of templates was provided and it exists
		if len(options.Templates) == 0 && !options.UpdateTemplates {
			return errors.New("no template/templates provided")
		}

		if options.Targets == "" && !options.Stdin && options.Target == "" && !options.UpdateTemplates {
			return errors.New("no target input provided")
		}
	}

	// Validate proxy options if provided
	err := validateProxyURL(
		options.ProxyURL,
		"invalid http proxy format (It should be http://username:password@host:port)",
	)
	if err != nil {
		return err
	}

	err = validateProxyURL(
		options.ProxySocksURL,
		"invalid socks proxy format (It should be socks5://username:password@host:port)",
	)
	if err != nil {
		return err
	}

	return nil
}

func validateProxyURL(proxyURL, message string) error {
	if proxyURL != "" && !isValidURL(proxyURL) {
		return errors.New(message)
	}

	return nil
}

func isValidURL(urlString string) bool {
	_, err := url.Parse(urlString)

	return err == nil
}

// configureOutput configures the output on the screen
func (options *Options) configureOutput() {
	// If the user desires verbose output, show verbose output
	if options.Verbose {
		gologger.MaxLevel = gologger.Verbose
	}

	if options.NoColor {
		gologger.UseColors = false
	}

	if options.Silent {
		gologger.MaxLevel = gologger.Silent
	}
}
Started work on runner 2020-04-04 03:45:39 +05:30			`package runner`

			`import (`
Divide and conquer 2020-08-29 15:26:11 +02:00			`"errors"`
Started work on runner 2020-04-04 03:45:39 +05:30			`"flag"`
Divide and conquer 2020-08-29 15:26:11 +02:00			`"net/url"`
Started work on runner 2020-04-04 03:45:39 +05:30			`"os"`

			`"github.com/projectdiscovery/gologger"`
			`)`

			`// ParseOptions parses the command line flags provided by a user`
			`func ParseOptions() *Options {`
			`options := &Options{}`

Added vhost templating support 2020-12-19 00:10:58 +05:30			`flag.BoolVar(&options.Vhost, "vhost", false, "Input supplied is a comma-separated vhost list")`
Added flag to control workflow sandboxing 2020-12-13 14:04:58 +05:30			`flag.BoolVar(&options.Sandbox, "sandbox", false, "Run workflows in isolated sandbox mode")`
Added simple json based http metrics support 2020-12-17 20:33:42 +05:30			`flag.BoolVar(&options.Metrics, "metrics", false, "Expose nuclei metrics on a port")`
			`flag.IntVar(&options.MetricsPort, "metrics-port", 9092, "Port to expose nuclei metrics on")`
Max limit on execution of a workflow 2020-12-13 14:17:58 +05:30			`flag.IntVar(&options.MaxWorkflowDuration, "workflow-duration", 10, "Max time for workflow run on single URL in minutes")`
Added single target support with target flag 2020-06-25 21:40:20 +05:30			`flag.StringVar(&options.Target, "target", "", "Target is a single target to scan using template")`
Add support for template exclusions 2020-08-02 15:48:10 +02:00			`flag.Var(&options.Templates, "t", "Template input dir/file/files to run on host. Can be used multiple times. Supports globbing.")`
			`flag.Var(&options.ExcludedTemplates, "exclude", "Template input dir/file/files to exclude. Can be used multiple times. Supports globbing.")`
Add support for severity filtering 2020-08-02 18:33:55 +02:00			`flag.StringVar(&options.Severity, "severity", "", "Filter templates based on their severity and only run the matching ones. Comma-separated values can be used to specify multiple severities.")`
Misc + cmd + final 2020-04-04 17:24:31 +05:30			`flag.StringVar(&options.Targets, "l", "", "List of URLs to run templates on")`
Started work on runner 2020-04-04 03:45:39 +05:30			`flag.StringVar(&options.Output, "o", "", "File to write output to (optional)")`
Added proxy URL support 2020-04-27 23:49:53 +05:30			`flag.StringVar(&options.ProxyURL, "proxy-url", "", "URL of the proxy server")`
adding proxy socks support - untested 2020-04-28 04:01:25 +02:00			`flag.StringVar(&options.ProxySocksURL, "proxy-socks-url", "", "URL of the proxy socks server")`
Misc + cmd + final 2020-04-04 17:24:31 +05:30			`flag.BoolVar(&options.Silent, "silent", false, "Show only results in output")`
			`flag.BoolVar(&options.Version, "version", false, "Show version of nuclei")`
Started work on runner 2020-04-04 03:45:39 +05:30			`flag.BoolVar(&options.Verbose, "v", false, "Show Verbose output")`
flag updates! 2020-11-19 15:15:48 +05:30			`flag.BoolVar(&options.NoColor, "no-color", false, "Disable colors in output")`
Misc fixes 2020-04-04 18:10:26 +05:30			`flag.IntVar(&options.Timeout, "timeout", 5, "Time to wait in seconds before timeout")`
			`flag.IntVar(&options.Retries, "retries", 1, "Number of times to retry a failed request")`
:hammer: Add randomly User-Agent header request 2020-11-22 17:07:40 +07:00			`flag.BoolVar(&options.RandomAgent, "random-agent", false, "Use randomly selected HTTP User-Agent header value")`
custom header via cli 2020-05-22 00:23:38 +02:00			`flag.Var(&options.CustomHeaders, "H", "Custom Header.")`
Added better debug and verbose modes 2020-06-22 19:30:01 +05:30			`flag.BoolVar(&options.Debug, "debug", false, "Allow debugging of request/responses")`
Working on the auto-update feature 2020-06-25 03:53:37 +05:30			`flag.BoolVar(&options.UpdateTemplates, "update-templates", false, "Update Templates updates the installed templates (optional)")`
Added trace log feature to write execution log 2020-10-22 16:12:16 +05:30			`flag.StringVar(&options.TraceLogFile, "trace-log", "", "File to write sent requests trace log")`
Update flag name 2020-06-27 20:52:54 +05:30			`flag.StringVar(&options.TemplatesDirectory, "update-directory", "", "Directory to use for storing nuclei-templates")`
Added json output support 2020-06-27 20:19:43 +05:30			`flag.BoolVar(&options.JSON, "json", false, "Write json output to files")`
Flag updates! Updated "json-requests" with "include-rr" indicating that JSON response will also include request / response in the output. Updated "pbar" to "stats" that makes use of new lib "clistats" to display basis stats of the the running scan. 2020-11-19 13:06:43 +05:30			`flag.BoolVar(&options.JSONRequests, "include-rr", false, "Write requests/responses for matches in JSON output")`
			`flag.BoolVar(&options.EnableProgressBar, "stats", false, "Display stats of the running scan")`
Divide and conquer 2020-08-29 15:26:11 +02:00			`flag.BoolVar(&options.TemplateList, "tl", false, "List available templates")`
targets hmap + global rate limit + clistats windows compatibility 2020-11-16 00:40:32 +01:00			`flag.IntVar(&options.RateLimit, "rate-limit", 150, "Rate-Limit (maximum requests/second")`
adding stop at first http match cli option 2020-10-06 21:38:44 +02:00			`flag.BoolVar(&options.StopAtFirstMatch, "stop-at-first-match", false, "Stop processing http requests at first match (this may break template/workflow logic)")`
merging master 2020-10-20 19:21:11 +02:00			`flag.IntVar(&options.BulkSize, "bulk-size", 25, "Maximum Number of hosts analyzed in parallel per template")`
			`flag.IntVar(&options.TemplateThreads, "c", 10, "Maximum Number of templates executed in parallel")`
wip 2020-10-17 02:10:47 +02:00			`flag.BoolVar(&options.Project, "project", false, "Use a project folder to avoid sending same request multiple times")`
			`flag.StringVar(&options.ProjectPath, "project-path", "", "Use a user defined project folder, temporary folder is used if not specified but enabled")`
Added -no-meta flag to ignore meta 2020-10-20 01:57:38 +05:30			`flag.BoolVar(&options.NoMeta, "no-meta", false, "Don't display metadata for the matches")`
Added -templates-version flag to list template version 2020-10-20 02:14:44 +05:30			`flag.BoolVar(&options.TemplatesVersion, "templates-version", false, "Shows the installed nuclei-templates version")`
adding burp collaborator support 2020-10-23 10:13:34 +02:00			`flag.StringVar(&options.BurpCollaboratorBiid, "burp-collaborator-biid", "", "Burp Collaborator BIID")`
Started work on runner 2020-04-04 03:45:39 +05:30			`flag.Parse()`

			`// Check if stdin pipe was given`
			`options.Stdin = hasStdin()`

			`// Read the inputs and configure the logging`
			`options.configureOutput()`

			`// Show the user the banner`
			`showBanner()`

			`if options.Version {`
			`gologger.Infof("Current Version: %s\n", Version)`
			`os.Exit(0)`
			`}`
Added -templates-version flag to list template version 2020-10-20 02:14:44 +05:30			`if options.TemplatesVersion {`
			`config, err := readConfiguration()`
			`if err != nil {`
			`gologger.Fatalf("Could not read template configuration: %s\n", err)`
			`}`
			`gologger.Infof("Current nuclei-templates version: %s (%s)\n", config.CurrentVersion, config.TemplatesDirectory)`
			`os.Exit(0)`
			`}`
Fixed the issue with stdin input reading multiple times 2020-04-26 06:48:10 +05:30
Started work on runner 2020-04-04 03:45:39 +05:30			`// Validate the options passed by the user and if any`
			`// invalid options have been used, exit.`
			`err := options.validateOptions()`
			`if err != nil {`
			`gologger.Fatalf("Program exiting: %s\n", err)`
			`}`
Initial adoption of golangci-lint for CI 2020-08-25 23:24:31 +02:00
Started work on runner 2020-04-04 03:45:39 +05:30			`return options`
			`}`

			`func hasStdin() bool {`
Handle data from char device on stdin 2020-09-28 12:50:00 +02:00			`stat, err := os.Stdin.Stat()`
Started work on runner 2020-04-04 03:45:39 +05:30			`if err != nil {`
			`return false`
			`}`
Initial adoption of golangci-lint for CI 2020-08-25 23:24:31 +02:00
Handle data from char device on stdin 2020-09-28 12:50:00 +02:00			`isPipedFromChrDev := (stat.Mode() & os.ModeCharDevice) == 0`
			`isPipedFromFIFO := (stat.Mode() & os.ModeNamedPipe) != 0`
Initial adoption of golangci-lint for CI 2020-08-25 23:24:31 +02:00
Handle data from char device on stdin 2020-09-28 12:50:00 +02:00			`return isPipedFromChrDev \|\| isPipedFromFIFO`
Started work on runner 2020-04-04 03:45:39 +05:30			`}`
Divide and conquer 2020-08-29 15:26:11 +02:00
			`// validateOptions validates the configuration options passed`
			`func (options *Options) validateOptions() error {`
			`// Both verbose and silent flags were used`
			`if options.Verbose && options.Silent {`
			`return errors.New("both verbose and silent mode specified")`
			`}`

Implemented only "tl" to list available templates 2020-08-29 23:02:45 +02:00			`if !options.TemplateList {`
Divide and conquer 2020-08-29 15:26:11 +02:00			`// Check if a list of templates was provided and it exists`
			`if len(options.Templates) == 0 && !options.UpdateTemplates {`
			`return errors.New("no template/templates provided")`
			`}`

			`if options.Targets == "" && !options.Stdin && options.Target == "" && !options.UpdateTemplates {`
			`return errors.New("no target input provided")`
			`}`
			`}`

			`// Validate proxy options if provided`
Removed dup code 2020-08-29 16:25:30 +02:00			`err := validateProxyURL(`
			`options.ProxyURL,`
			`"invalid http proxy format (It should be http://username:password@host:port)",`
			`)`
			`if err != nil {`
			`return err`
			`}`

			`err = validateProxyURL(`
			`options.ProxySocksURL,`
			`"invalid socks proxy format (It should be socks5://username:password@host:port)",`
			`)`
			`if err != nil {`
			`return err`
Divide and conquer 2020-08-29 15:26:11 +02:00			`}`

Removed dup code 2020-08-29 16:25:30 +02:00			`return nil`
			`}`

			`func validateProxyURL(proxyURL, message string) error {`
			`if proxyURL != "" && !isValidURL(proxyURL) {`
			`return errors.New(message)`
Divide and conquer 2020-08-29 15:26:11 +02:00			`}`

			`return nil`
			`}`

Removed dup code 2020-08-29 16:25:30 +02:00			`func isValidURL(urlString string) bool {`
			`_, err := url.Parse(urlString)`
Divide and conquer 2020-08-29 15:26:11 +02:00
			`return err == nil`
			`}`

			`// configureOutput configures the output on the screen`
			`func (options *Options) configureOutput() {`
			`// If the user desires verbose output, show verbose output`
			`if options.Verbose {`
			`gologger.MaxLevel = gologger.Verbose`
			`}`

			`if options.NoColor {`
			`gologger.UseColors = false`
			`}`

			`if options.Silent {`
			`gologger.MaxLevel = gologger.Silent`
			`}`
			`}`