nuclei/v2/pkg/catalog/loader/remote_loader.go

package loader

import (
	"bufio"
	"fmt"
	"net/url"
	"strings"

	"github.com/pkg/errors"

	"github.com/projectdiscovery/nuclei/v2/pkg/utils"
	"github.com/projectdiscovery/retryablehttp-go"
)

type ContentType string

const (
	Template ContentType = "Template"
	Workflow ContentType = "Workflow"
)

type RemoteContent struct {
	Content []string
	Type    ContentType
	Error   error
}

func getRemoteTemplatesAndWorkflows(templateURLs, workflowURLs, remoteTemplateDomainList []string) ([]string, []string, error) {
	remoteContentChannel := make(chan RemoteContent)

	for _, templateURL := range templateURLs {
		go getRemoteContent(templateURL, remoteTemplateDomainList, remoteContentChannel, Template)
	}
	for _, workflowURL := range workflowURLs {
		go getRemoteContent(workflowURL, remoteTemplateDomainList, remoteContentChannel, Workflow)
	}

	var remoteTemplateList []string
	var remoteWorkFlowList []string
	var err error
	for i := 0; i < (len(templateURLs) + len(workflowURLs)); i++ {
		remoteContent := <-remoteContentChannel
		if remoteContent.Error != nil {
			if err != nil {
				err = errors.New(remoteContent.Error.Error() + ": " + err.Error())
			} else {
				err = remoteContent.Error
			}
		} else {
			if remoteContent.Type == Template {
				remoteTemplateList = append(remoteTemplateList, remoteContent.Content...)
			} else if remoteContent.Type == Workflow {
				remoteWorkFlowList = append(remoteWorkFlowList, remoteContent.Content...)
			}
		}
	}

	return remoteTemplateList, remoteWorkFlowList, err
}

func getRemoteContent(URL string, remoteTemplateDomainList []string, remoteContentChannel chan<- RemoteContent, contentType ContentType) {
	if err := validateRemoteTemplateURL(URL, remoteTemplateDomainList); err != nil {
		remoteContentChannel <- RemoteContent{
			Error: err,
		}
		return
	}
	if strings.HasPrefix(URL, "http") && (strings.HasSuffix(URL, ".yaml") || strings.HasSuffix(URL, ".yml")) {
		remoteContentChannel <- RemoteContent{
			Content: []string{URL},
			Type:    contentType,
		}
		return
	}
	response, err := retryablehttp.DefaultClient().Get(URL)
	if err != nil {
		remoteContentChannel <- RemoteContent{
			Error: err,
		}
		return
	}
	defer response.Body.Close()
	if response.StatusCode < 200 || response.StatusCode > 299 {
		remoteContentChannel <- RemoteContent{
			Error: fmt.Errorf("get \"%s\": unexpect status %d", URL, response.StatusCode),
		}
		return
	}

	scanner := bufio.NewScanner(response.Body)
	var templateList []string
	for scanner.Scan() {
		text := strings.TrimSpace(scanner.Text())
		if text == "" {
			continue
		}
		if utils.IsURL(text) {
			if err := validateRemoteTemplateURL(text, remoteTemplateDomainList); err != nil {
				remoteContentChannel <- RemoteContent{
					Error: err,
				}
				return
			}
		}
		templateList = append(templateList, text)
	}

	if err := scanner.Err(); err != nil {
		remoteContentChannel <- RemoteContent{
			Error: errors.Wrap(err, "get \"%s\""),
		}
		return
	}

	remoteContentChannel <- RemoteContent{
		Content: templateList,
		Type:    contentType,
	}
}

func validateRemoteTemplateURL(inputURL string, remoteTemplateDomainList []string) error {
	parsedURL, err := url.Parse(inputURL)
	if err != nil {
		return err
	}
	if !utils.StringSliceContains(remoteTemplateDomainList, parsedURL.Host) {
		return errors.Errorf("Remote template URL host (%s) is not present in the `remote-template-domain` list in nuclei config", parsedURL.Host)
	}
	return nil
}
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`package loader`

			`import (`
			`"bufio"`
			`"fmt"`
* Add support to run remote template * Add remote-template-domain config only flag to specify allowed domain list to load remote templates from 2022-01-12 18:33:17 +05:30			`"net/url"`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`"strings"`
Fixed rmeote url loader test cases 2021-11-05 17:24:23 +05:30
			`"github.com/pkg/errors"`
Typo fixes 2022-02-07 16:41:55 +02:00
rename few vars, extract duplicate functions to utils 2022-01-24 16:48:12 +05:30			`"github.com/projectdiscovery/nuclei/v2/pkg/utils"`
started move to retryablehttp 2023-03-02 14:54:01 +01:00			`"github.com/projectdiscovery/retryablehttp-go"`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`)`

			`type ContentType string`

			`const (`
			`Template ContentType = "Template"`
			`Workflow ContentType = "Workflow"`
			`)`

rename few vars, extract duplicate functions to utils 2022-01-24 16:48:12 +05:30			`type RemoteContent struct {`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`Content []string`
			`Type ContentType`
			`Error error`
			`}`

add unit test coverage for remote tempates 2022-01-21 20:14:50 +05:30			`func getRemoteTemplatesAndWorkflows(templateURLs, workflowURLs, remoteTemplateDomainList []string) ([]string, []string, error) {`
rename few vars, extract duplicate functions to utils 2022-01-24 16:48:12 +05:30			`remoteContentChannel := make(chan RemoteContent)`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00
			`for _, templateURL := range templateURLs {`
rename few vars, extract duplicate functions to utils 2022-01-24 16:48:12 +05:30			`go getRemoteContent(templateURL, remoteTemplateDomainList, remoteContentChannel, Template)`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`}`
			`for _, workflowURL := range workflowURLs {`
rename few vars, extract duplicate functions to utils 2022-01-24 16:48:12 +05:30			`go getRemoteContent(workflowURL, remoteTemplateDomainList, remoteContentChannel, Workflow)`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`}`

			`var remoteTemplateList []string`
			`var remoteWorkFlowList []string`
			`var err error`
			`for i := 0; i < (len(templateURLs) + len(workflowURLs)); i++ {`
rename few vars, extract duplicate functions to utils 2022-01-24 16:48:12 +05:30			`remoteContent := <-remoteContentChannel`
			`if remoteContent.Error != nil {`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`if err != nil {`
rename few vars, extract duplicate functions to utils 2022-01-24 16:48:12 +05:30			`err = errors.New(remoteContent.Error.Error() + ": " + err.Error())`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`} else {`
rename few vars, extract duplicate functions to utils 2022-01-24 16:48:12 +05:30			`err = remoteContent.Error`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`}`
			`} else {`
rename few vars, extract duplicate functions to utils 2022-01-24 16:48:12 +05:30			`if remoteContent.Type == Template {`
			`remoteTemplateList = append(remoteTemplateList, remoteContent.Content...)`
			`} else if remoteContent.Type == Workflow {`
			`remoteWorkFlowList = append(remoteWorkFlowList, remoteContent.Content...)`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`}`
			`}`
			`}`

			`return remoteTemplateList, remoteWorkFlowList, err`
			`}`

rename few vars, extract duplicate functions to utils 2022-01-24 16:48:12 +05:30			`func getRemoteContent(URL string, remoteTemplateDomainList []string, remoteContentChannel chan<- RemoteContent, contentType ContentType) {`
Typo fixes 2022-02-07 16:41:55 +02:00			`if err := validateRemoteTemplateURL(URL, remoteTemplateDomainList); err != nil {`
validate remote input list URL and it's contents against allowed remote template domain list 2022-01-27 13:45:03 +05:30			`remoteContentChannel <- RemoteContent{`
			`Error: err,`
* Add support to run remote template * Add remote-template-domain config only flag to specify allowed domain list to load remote templates from 2022-01-12 18:33:17 +05:30			`}`
validate remote input list URL and it's contents against allowed remote template domain list 2022-01-27 13:45:03 +05:30			`return`
			`}`
			`if strings.HasPrefix(URL, "http") && (strings.HasSuffix(URL, ".yaml") \|\| strings.HasSuffix(URL, ".yml")) {`
rename few vars, extract duplicate functions to utils 2022-01-24 16:48:12 +05:30			`remoteContentChannel <- RemoteContent{`
* Add support to run remote template * Add remote-template-domain config only flag to specify allowed domain list to load remote templates from 2022-01-12 18:33:17 +05:30			`Content: []string{URL},`
			`Type: contentType,`
			`}`
			`return`
			`}`
started move to retryablehttp 2023-03-02 14:54:01 +01:00			`response, err := retryablehttp.DefaultClient().Get(URL)`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`if err != nil {`
rename few vars, extract duplicate functions to utils 2022-01-24 16:48:12 +05:30			`remoteContentChannel <- RemoteContent{`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`Error: err,`
			`}`
			`return`
			`}`
			`defer response.Body.Close()`
			`if response.StatusCode < 200 \|\| response.StatusCode > 299 {`
rename few vars, extract duplicate functions to utils 2022-01-24 16:48:12 +05:30			`remoteContentChannel <- RemoteContent{`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`Error: fmt.Errorf("get \"%s\": unexpect status %d", URL, response.StatusCode),`
			`}`
			`return`
			`}`

			`scanner := bufio.NewScanner(response.Body)`
			`var templateList []string`
			`for scanner.Scan() {`
			`text := strings.TrimSpace(scanner.Text())`
			`if text == "" {`
			`continue`
			`}`
validate remote input list URL and it's contents against allowed remote template domain list 2022-01-27 13:45:03 +05:30			`if utils.IsURL(text) {`
Typo fixes 2022-02-07 16:41:55 +02:00			`if err := validateRemoteTemplateURL(text, remoteTemplateDomainList); err != nil {`
validate remote input list URL and it's contents against allowed remote template domain list 2022-01-27 13:45:03 +05:30			`remoteContentChannel <- RemoteContent{`
			`Error: err,`
			`}`
			`return`
			`}`
			`}`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`templateList = append(templateList, text)`
			`}`

			`if err := scanner.Err(); err != nil {`
rename few vars, extract duplicate functions to utils 2022-01-24 16:48:12 +05:30			`remoteContentChannel <- RemoteContent{`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`Error: errors.Wrap(err, "get \"%s\""),`
			`}`
			`return`
			`}`

rename few vars, extract duplicate functions to utils 2022-01-24 16:48:12 +05:30			`remoteContentChannel <- RemoteContent{`
Implement `-template-url` and `-workflow-url` for retrieving lists of templates/workflows to run. 2021-10-14 23:30:37 +02:00			`Content: templateList,`
			`Type: contentType,`
			`}`
			`}`
validate remote input list URL and it's contents against allowed remote template domain list 2022-01-27 13:45:03 +05:30
Typo fixes 2022-02-07 16:41:55 +02:00			`func validateRemoteTemplateURL(inputURL string, remoteTemplateDomainList []string) error {`
validate remote input list URL and it's contents against allowed remote template domain list 2022-01-27 13:45:03 +05:30			`parsedURL, err := url.Parse(inputURL)`
			`if err != nil {`
			`return err`
			`}`
			`if !utils.StringSliceContains(remoteTemplateDomainList, parsedURL.Host) {`
			return errors.Errorf("Remote template URL host (%s) is not present in the `remote-template-domain` list in nuclei config", parsedURL.Host)
			`}`
			`return nil`
			`}`