nuclei/pkg/protocols/common/generators/generators_test.go

package generators

import (
	"strings"
	"testing"

	"github.com/stretchr/testify/require"
	"gopkg.in/yaml.v2"

	"github.com/projectdiscovery/nuclei/v3/pkg/catalog/disk"
	"github.com/projectdiscovery/nuclei/v3/pkg/types"
)

func TestBatteringRamGenerator(t *testing.T) {
	usernames := []string{"admin", "password"}

	catalogInstance := disk.NewCatalog("")
	generator, err := New(map[string]interface{}{"username": usernames}, BatteringRamAttack, "", catalogInstance, "", getOptions(false))
	require.Nil(t, err, "could not create generator")

	iterator := generator.NewIterator()
	count := 0
	for {
		_, ok := iterator.Value()
		if !ok {
			break
		}
		count++
	}
	require.Equal(t, len(usernames), count, "could not get correct batteringram counts")
}

func TestPitchforkGenerator(t *testing.T) {
	usernames := []string{"admin", "token"}
	passwords := []string{"password1", "password2", "password3"}

	catalogInstance := disk.NewCatalog("")
	generator, err := New(map[string]interface{}{"username": usernames, "password": passwords}, PitchForkAttack, "", catalogInstance, "", getOptions(false))
	require.Nil(t, err, "could not create generator")

	iterator := generator.NewIterator()
	count := 0
	for {
		value, ok := iterator.Value()
		if !ok {
			break
		}
		count++
		require.Contains(t, usernames, value["username"], "Could not get correct pitchfork username")
		require.Contains(t, passwords, value["password"], "Could not get correct pitchfork password")
	}
	require.Equal(t, len(usernames), count, "could not get correct pitchfork counts")
}

func TestClusterbombGenerator(t *testing.T) {
	usernames := []string{"admin"}
	passwords := []string{"admin", "password", "token"}

	catalogInstance := disk.NewCatalog("")
	generator, err := New(map[string]interface{}{"username": usernames, "password": passwords}, ClusterBombAttack, "", catalogInstance, "", getOptions(false))
	require.Nil(t, err, "could not create generator")

	iterator := generator.NewIterator()
	count := 0
	for {
		value, ok := iterator.Value()
		if !ok {
			break
		}
		count++
		require.Contains(t, usernames, value["username"], "Could not get correct clusterbomb username")
		require.Contains(t, passwords, value["password"], "Could not get correct clusterbomb password")
	}
	require.Equal(t, 3, count, "could not get correct clusterbomb counts")

	iterator.Reset()
	count = 0
	for {
		value, ok := iterator.Value()
		if !ok {
			break
		}
		count++
		require.Contains(t, usernames, value["username"], "Could not get correct clusterbomb username")
		require.Contains(t, passwords, value["password"], "Could not get correct clusterbomb password")
	}
	require.Equal(t, 3, count, "could not get correct clusterbomb counts")
}

func getOptions(allowLocalFileAccess bool) *types.Options {
	opts := types.DefaultOptions()
	opts.AllowLocalFileAccess = allowLocalFileAccess
	return opts
}

func TestParsePayloadsWithAggression(t *testing.T) {
	testPayload := `linux_path:
  low:
    - /etc/passwd
  medium:
    - ../etc/passwd
    - ../../etc/passwd
  high:
    - ../../../etc/passwd
    - ../../../../etc/passwd
    - ../../../../../etc/passwd`

	var payloads map[string]interface{}
	err := yaml.NewDecoder(strings.NewReader(testPayload)).Decode(&payloads)
	require.Nil(t, err, "could not unmarshal yaml")

	aggressionsToValues := map[string][]string{
		"low": {
			"/etc/passwd",
		},
		"medium": {
			"/etc/passwd",
			"../etc/passwd",
			"../../etc/passwd",
		},
		"high": {
			"/etc/passwd",
			"../etc/passwd",
			"../../etc/passwd",
			"../../../etc/passwd",
			"../../../../etc/passwd",
			"../../../../../etc/passwd",
		},
	}

	for k, v := range payloads {
		for aggression, values := range aggressionsToValues {
			parsed, err := parsePayloadsWithAggression(k, v.(map[interface{}]interface{}), aggression)
			require.Nil(t, err, "could not parse payloads with aggression")

			gotValues := parsed[k].([]interface{})
			require.Equal(t, len(values), len(gotValues), "could not get correct number of values")
		}
	}
}
Added reworked generators package 2020-12-22 01:02:38 +05:30			`package generators`

			`import (`
Fuzzing additions & enhancements (#5139) * feat: added fuzzing output enhancements * changes as requested * misc * feat: added dfp flag to display fuzz points + misc additions * feat: added support for fuzzing nested path segments * feat: added parts to fuzzing requests * feat: added tracking for parameter occurence frequency in fuzzing * added cli flag for fuzz frequency * fixed broken tests * fixed path based sqli integration test * feat: added configurable fuzzing aggression level for payloads * fixed failing test 2024-06-11 04:43:46 +05:30			`"strings"`
Added reworked generators package 2020-12-22 01:02:38 +05:30			`"testing"`

			`"github.com/stretchr/testify/require"`
Fuzzing additions & enhancements (#5139) * feat: added fuzzing output enhancements * changes as requested * misc * feat: added dfp flag to display fuzz points + misc additions * feat: added support for fuzzing nested path segments * feat: added parts to fuzzing requests * feat: added tracking for parameter occurence frequency in fuzzing * added cli flag for fuzz frequency * fixed broken tests * fixed path based sqli integration test * feat: added configurable fuzzing aggression level for payloads * fixed failing test 2024-06-11 04:43:46 +05:30			`"gopkg.in/yaml.v2"`
refactor: uniformly sorted imports 2021-11-25 17:09:20 +02:00
nuclei v3 : misc updates (#4247) * use parsed options while signing * update project layout to v3 * fix .gitignore * remove example template * misc updates * bump tlsx version * hide template sig warning with env * js: retain value while using log * fix nil pointer derefernce * misc doc update --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-10-17 17:44:13 +05:30			`"github.com/projectdiscovery/nuclei/v3/pkg/catalog/disk"`
			`"github.com/projectdiscovery/nuclei/v3/pkg/types"`
Added reworked generators package 2020-12-22 01:02:38 +05:30			`)`

Removed sniper + made batteringram default + misc 2021-10-09 19:46:23 +05:30			`func TestBatteringRamGenerator(t *testing.T) {`
Added support for multiple sniper payloads 2020-12-30 13:57:15 +05:30			`usernames := []string{"admin", "password"}`
Fixed generator bugs, test cases 2020-12-22 01:21:05 +05:30
Added initial catalog interface implementation (#2318) * Added initial catalog interface implementation * Added OpenFile to Catalog + disk catalog implementation * Fixed merge issues Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2022-08-10 23:35:58 +05:30			`catalogInstance := disk.NewCatalog("")`
add `flow` support in template (i.e javascript scripting) (#4015) * add flow logic * progress * working POC * fix string slice normalization issue in variables * update * fix nil panic * remove poll() * load file with sandbox and more * fix failing integration tests * JS: log: print in vardump format * fix missing id in protocols * fix proto prefix in template context * flow: add unit tests * conditional flow support using flow * fix proto callbacks + more unit tests * adds integration test * conditional flow: check if req has any matchers * fix lint error * deprecate iterate-all+ missing multi-proto implementation * fix ip input in raw request * JS: feat dedupe object+ more builtin funcs * feat: hide protocol result using hide * feat: async execution * complete async execution support * fix condition-flow without any matchers * refactor: template executer package (tmplexec) * flow executor working * fix data race in templateCtx * templateCtx redesign * fix failing unit test * add multiprotocol support to deprecated syntax * fix race condition in utils & tlsx * add documentation in flow package * remove regions.txt file * fix minor issue with self contained templates * fix typos of copilot * dep + misc update * fix reqID: use req.Type instead of template.Type --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-08-31 18:03:01 +05:30			`generator, err := New(map[string]interface{}{"username": usernames}, BatteringRamAttack, "", catalogInstance, "", getOptions(false))`
Fixed generator bugs, test cases 2020-12-22 01:21:05 +05:30			`require.Nil(t, err, "could not create generator")`

			`iterator := generator.NewIterator()`
			`count := 0`
Fixed payload generators bug 2020-12-26 22:52:33 +05:30			`for {`
Added support for multiple sniper payloads 2020-12-30 13:57:15 +05:30			`_, ok := iterator.Value()`
Fixed payload generators bug 2020-12-26 22:52:33 +05:30			`if !ok {`
			`break`
			`}`
Fixed generator bugs, test cases 2020-12-22 01:21:05 +05:30			`count++`
			`}`
Removed sniper + made batteringram default + misc 2021-10-09 19:46:23 +05:30			`require.Equal(t, len(usernames), count, "could not get correct batteringram counts")`
Fixed generator bugs, test cases 2020-12-22 01:21:05 +05:30			`}`

			`func TestPitchforkGenerator(t *testing.T) {`
			`usernames := []string{"admin", "token"}`
remove pitchfork validation 2021-09-01 20:03:53 +05:30			`passwords := []string{"password1", "password2", "password3"}`
Fixed generator bugs, test cases 2020-12-22 01:21:05 +05:30
Added initial catalog interface implementation (#2318) * Added initial catalog interface implementation * Added OpenFile to Catalog + disk catalog implementation * Fixed merge issues Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2022-08-10 23:35:58 +05:30			`catalogInstance := disk.NewCatalog("")`
add `flow` support in template (i.e javascript scripting) (#4015) * add flow logic * progress * working POC * fix string slice normalization issue in variables * update * fix nil panic * remove poll() * load file with sandbox and more * fix failing integration tests * JS: log: print in vardump format * fix missing id in protocols * fix proto prefix in template context * flow: add unit tests * conditional flow support using flow * fix proto callbacks + more unit tests * adds integration test * conditional flow: check if req has any matchers * fix lint error * deprecate iterate-all+ missing multi-proto implementation * fix ip input in raw request * JS: feat dedupe object+ more builtin funcs * feat: hide protocol result using hide * feat: async execution * complete async execution support * fix condition-flow without any matchers * refactor: template executer package (tmplexec) * flow executor working * fix data race in templateCtx * templateCtx redesign * fix failing unit test * add multiprotocol support to deprecated syntax * fix race condition in utils & tlsx * add documentation in flow package * remove regions.txt file * fix minor issue with self contained templates * fix typos of copilot * dep + misc update * fix reqID: use req.Type instead of template.Type --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-08-31 18:03:01 +05:30			`generator, err := New(map[string]interface{}{"username": usernames, "password": passwords}, PitchForkAttack, "", catalogInstance, "", getOptions(false))`
Fixed generator bugs, test cases 2020-12-22 01:21:05 +05:30			`require.Nil(t, err, "could not create generator")`

			`iterator := generator.NewIterator()`
			`count := 0`
Fixed payload generators bug 2020-12-26 22:52:33 +05:30			`for {`
			`value, ok := iterator.Value()`
			`if !ok {`
			`break`
			`}`
Fixed generator bugs, test cases 2020-12-22 01:21:05 +05:30			`count++`
			`require.Contains(t, usernames, value["username"], "Could not get correct pitchfork username")`
			`require.Contains(t, passwords, value["password"], "Could not get correct pitchfork password")`
			`}`
remove pitchfork validation 2021-09-01 20:03:53 +05:30			`require.Equal(t, len(usernames), count, "could not get correct pitchfork counts")`
Fixed generator bugs, test cases 2020-12-22 01:21:05 +05:30			`}`

			`func TestClusterbombGenerator(t *testing.T) {`
			`usernames := []string{"admin"}`
			`passwords := []string{"admin", "password", "token"}`

Added initial catalog interface implementation (#2318) * Added initial catalog interface implementation * Added OpenFile to Catalog + disk catalog implementation * Fixed merge issues Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2022-08-10 23:35:58 +05:30			`catalogInstance := disk.NewCatalog("")`
add `flow` support in template (i.e javascript scripting) (#4015) * add flow logic * progress * working POC * fix string slice normalization issue in variables * update * fix nil panic * remove poll() * load file with sandbox and more * fix failing integration tests * JS: log: print in vardump format * fix missing id in protocols * fix proto prefix in template context * flow: add unit tests * conditional flow support using flow * fix proto callbacks + more unit tests * adds integration test * conditional flow: check if req has any matchers * fix lint error * deprecate iterate-all+ missing multi-proto implementation * fix ip input in raw request * JS: feat dedupe object+ more builtin funcs * feat: hide protocol result using hide * feat: async execution * complete async execution support * fix condition-flow without any matchers * refactor: template executer package (tmplexec) * flow executor working * fix data race in templateCtx * templateCtx redesign * fix failing unit test * add multiprotocol support to deprecated syntax * fix race condition in utils & tlsx * add documentation in flow package * remove regions.txt file * fix minor issue with self contained templates * fix typos of copilot * dep + misc update * fix reqID: use req.Type instead of template.Type --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-08-31 18:03:01 +05:30			`generator, err := New(map[string]interface{}{"username": usernames, "password": passwords}, ClusterBombAttack, "", catalogInstance, "", getOptions(false))`
Added reworked generators package 2020-12-22 01:02:38 +05:30			`require.Nil(t, err, "could not create generator")`

			`iterator := generator.NewIterator()`
Fixed generator bugs, test cases 2020-12-22 01:21:05 +05:30			`count := 0`
Fixed payload generators bug 2020-12-26 22:52:33 +05:30			`for {`
			`value, ok := iterator.Value()`
			`if !ok {`
			`break`
			`}`
			`count++`
			`require.Contains(t, usernames, value["username"], "Could not get correct clusterbomb username")`
			`require.Contains(t, passwords, value["password"], "Could not get correct clusterbomb password")`
			`}`
			`require.Equal(t, 3, count, "could not get correct clusterbomb counts")`

			`iterator.Reset()`
			`count = 0`
			`for {`
			`value, ok := iterator.Value()`
			`if !ok {`
			`break`
			`}`
Fixed generator bugs, test cases 2020-12-22 01:21:05 +05:30			`count++`
			`require.Contains(t, usernames, value["username"], "Could not get correct clusterbomb username")`
			`require.Contains(t, passwords, value["password"], "Could not get correct clusterbomb password")`
Added reworked generators package 2020-12-22 01:02:38 +05:30			`}`
Fixed generator bugs, test cases 2020-12-22 01:21:05 +05:30			`require.Equal(t, 3, count, "could not get correct clusterbomb counts")`
Added reworked generators package 2020-12-22 01:02:38 +05:30			`}`
add `flow` support in template (i.e javascript scripting) (#4015) * add flow logic * progress * working POC * fix string slice normalization issue in variables * update * fix nil panic * remove poll() * load file with sandbox and more * fix failing integration tests * JS: log: print in vardump format * fix missing id in protocols * fix proto prefix in template context * flow: add unit tests * conditional flow support using flow * fix proto callbacks + more unit tests * adds integration test * conditional flow: check if req has any matchers * fix lint error * deprecate iterate-all+ missing multi-proto implementation * fix ip input in raw request * JS: feat dedupe object+ more builtin funcs * feat: hide protocol result using hide * feat: async execution * complete async execution support * fix condition-flow without any matchers * refactor: template executer package (tmplexec) * flow executor working * fix data race in templateCtx * templateCtx redesign * fix failing unit test * add multiprotocol support to deprecated syntax * fix race condition in utils & tlsx * add documentation in flow package * remove regions.txt file * fix minor issue with self contained templates * fix typos of copilot * dep + misc update * fix reqID: use req.Type instead of template.Type --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-08-31 18:03:01 +05:30
			`func getOptions(allowLocalFileAccess bool) *types.Options {`
			`opts := types.DefaultOptions()`
			`opts.AllowLocalFileAccess = allowLocalFileAccess`
			`return opts`
			`}`
Fuzzing additions & enhancements (#5139) * feat: added fuzzing output enhancements * changes as requested * misc * feat: added dfp flag to display fuzz points + misc additions * feat: added support for fuzzing nested path segments * feat: added parts to fuzzing requests * feat: added tracking for parameter occurence frequency in fuzzing * added cli flag for fuzz frequency * fixed broken tests * fixed path based sqli integration test * feat: added configurable fuzzing aggression level for payloads * fixed failing test 2024-06-11 04:43:46 +05:30
			`func TestParsePayloadsWithAggression(t *testing.T) {`
			testPayload := `linux_path:
			`low:`
			`- /etc/passwd`
			`medium:`
			`- ../etc/passwd`
			`- ../../etc/passwd`
			`high:`
			`- ../../../etc/passwd`
			`- ../../../../etc/passwd`
			- ../../../../../etc/passwd`

			`var payloads map[string]interface{}`
			`err := yaml.NewDecoder(strings.NewReader(testPayload)).Decode(&payloads)`
			`require.Nil(t, err, "could not unmarshal yaml")`

			`aggressionsToValues := map[string][]string{`
			`"low": {`
			`"/etc/passwd",`
			`},`
			`"medium": {`
			`"/etc/passwd",`
			`"../etc/passwd",`
			`"../../etc/passwd",`
			`},`
			`"high": {`
			`"/etc/passwd",`
			`"../etc/passwd",`
			`"../../etc/passwd",`
			`"../../../etc/passwd",`
			`"../../../../etc/passwd",`
			`"../../../../../etc/passwd",`
			`},`
			`}`

			`for k, v := range payloads {`
			`for aggression, values := range aggressionsToValues {`
			`parsed, err := parsePayloadsWithAggression(k, v.(map[interface{}]interface{}), aggression)`
			`require.Nil(t, err, "could not parse payloads with aggression")`

			`gotValues := parsed[k].([]interface{})`
			`require.Equal(t, len(values), len(gotValues), "could not get correct number of values")`
			`}`
			`}`
			`}`