disable self-contained and file protocol templates as default (#5825)
* disable self-contained and file protocol templates as default * make excluding default * add config funcs * fix wrn display * fix integration tests * enable self-contained templates when code templates are enabled --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>
This commit is contained in:
parent
abfd43268a
commit
63687c2ce0
@ -99,7 +99,7 @@ type codePreCondition struct{}
|
|||||||
|
|
||||||
// Execute executes a test case and returns an error if occurred
|
// Execute executes a test case and returns an error if occurred
|
||||||
func (h *codePreCondition) Execute(filePath string) error {
|
func (h *codePreCondition) Execute(filePath string) error {
|
||||||
results, err := testutils.RunNucleiArgsWithEnvAndGetResults(debug, getEnvValues(), "-t", filePath, "-u", "input", "-code")
|
results, err := testutils.RunNucleiArgsWithEnvAndGetResults(debug, getEnvValues(), "-t", filePath, "-u", "input", "-code", "-esc")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
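Review bot: The `"-esc"` appended to the codePreCondition run is redundant with the `"-code"` that already precedes it, because elsewhere in this commit the CLI sets EnableSelfContainedTemplates whenever EnableCodeTemplates is set, and passing both flags here means a regression in that implication would no longer be caught. I would drop `"-esc"` from this call so the test exercises `-code` on its own, and keep the explicit `-esc` only in the self-contained http/network tests that do not pass `-code`. This assumes the integration harness runs the CLI binary whose flag parsing is patched below, which is what the test helper's name suggests. Execute's body continues past the end of the hunk.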
|
|||||||
@ -15,7 +15,7 @@ type fileWithOrMatcher struct{}
|
|||||||
|
|
||||||
// Execute executes a test case and returns an error if occurred
|
// Execute executes a test case and returns an error if occurred
|
||||||
func (h *fileWithOrMatcher) Execute(filePath string) error {
|
func (h *fileWithOrMatcher) Execute(filePath string) error {
|
||||||
results, err := testutils.RunNucleiTemplateAndGetResults(filePath, "protocols/file/data/", debug)
|
results, err := testutils.RunNucleiTemplateAndGetResults(filePath, "protocols/file/data/", debug, "-file")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -27,7 +27,7 @@ type fileWithAndMatcher struct{}
|
|||||||
|
|
||||||
// Execute executes a test case and returns an error if occurred
|
// Execute executes a test case and returns an error if occurred
|
||||||
func (h *fileWithAndMatcher) Execute(filePath string) error {
|
func (h *fileWithAndMatcher) Execute(filePath string) error {
|
||||||
results, err := testutils.RunNucleiTemplateAndGetResults(filePath, "protocols/file/data/", debug)
|
results, err := testutils.RunNucleiTemplateAndGetResults(filePath, "protocols/file/data/", debug, "-file")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -39,7 +39,7 @@ type fileWithExtractor struct{}
|
|||||||
|
|
||||||
// Execute executes a test case and returns an error if occurred
|
// Execute executes a test case and returns an error if occurred
|
||||||
func (h *fileWithExtractor) Execute(filePath string) error {
|
func (h *fileWithExtractor) Execute(filePath string) error {
|
||||||
results, err := testutils.RunNucleiTemplateAndGetResults(filePath, "protocols/file/data/", debug)
|
results, err := testutils.RunNucleiTemplateAndGetResults(filePath, "protocols/file/data/", debug, "-file")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|||||||
@ -952,7 +952,7 @@ func (h *httpRequestSelfContained) Execute(filePath string) error {
|
|||||||
}()
|
}()
|
||||||
defer server.Close()
|
defer server.Close()
|
||||||
|
|
||||||
results, err := testutils.RunNucleiTemplateAndGetResults(filePath, "", debug)
|
results, err := testutils.RunNucleiTemplateAndGetResults(filePath, "", debug, "-esc")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -988,7 +988,7 @@ func (h *httpRequestSelfContainedWithParams) Execute(filePath string) error {
|
|||||||
}()
|
}()
|
||||||
defer server.Close()
|
defer server.Close()
|
||||||
|
|
||||||
results, err := testutils.RunNucleiTemplateAndGetResults(filePath, "", debug)
|
results, err := testutils.RunNucleiTemplateAndGetResults(filePath, "", debug, "-esc")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -1031,7 +1031,7 @@ func (h *httpRequestSelfContainedFileInput) Execute(filePath string) error {
|
|||||||
}
|
}
|
||||||
defer FileLoc.Close()
|
defer FileLoc.Close()
|
||||||
|
|
||||||
results, err := testutils.RunNucleiTemplateAndGetResults(filePath, "", debug, "-V", "test="+FileLoc.Name())
|
results, err := testutils.RunNucleiTemplateAndGetResults(filePath, "", debug, "-V", "test="+FileLoc.Name(), "-esc")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|||||||
@ -119,7 +119,7 @@ func (h *networkRequestSelContained) Execute(filePath string) error {
|
|||||||
_, _ = conn.Write([]byte("Authentication successful"))
|
_, _ = conn.Write([]byte("Authentication successful"))
|
||||||
})
|
})
|
||||||
defer ts.Close()
|
defer ts.Close()
|
||||||
results, err := testutils.RunNucleiTemplateAndGetResults(filePath, "", debug)
|
results, err := testutils.RunNucleiTemplateAndGetResults(filePath, "", debug, "-esc")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|||||||
@ -263,6 +263,8 @@ on extensive configurability, massive extensibility and ease of use.`)
|
|||||||
flagSet.BoolVar(&options.SignTemplates, "sign", false, "signs the templates with the private key defined in NUCLEI_SIGNATURE_PRIVATE_KEY env variable"),
|
flagSet.BoolVar(&options.SignTemplates, "sign", false, "signs the templates with the private key defined in NUCLEI_SIGNATURE_PRIVATE_KEY env variable"),
|
||||||
flagSet.BoolVar(&options.EnableCodeTemplates, "code", false, "enable loading code protocol-based templates"),
|
flagSet.BoolVar(&options.EnableCodeTemplates, "code", false, "enable loading code protocol-based templates"),
|
||||||
flagSet.BoolVarP(&options.DisableUnsignedTemplates, "disable-unsigned-templates", "dut", false, "disable running unsigned templates or templates with mismatched signature"),
|
flagSet.BoolVarP(&options.DisableUnsignedTemplates, "disable-unsigned-templates", "dut", false, "disable running unsigned templates or templates with mismatched signature"),
|
||||||
|
flagSet.BoolVarP(&options.EnableSelfContainedTemplates, "enable-self-contained", "esc", false, "enable loading self-contained templates"),
|
||||||
|
flagSet.BoolVar(&options.EnableFileTemplates, "file", false, "enable loading file templates"),
|
||||||
)
|
)
|
||||||
|
|
||||||
flagSet.CreateGroup("filters", "Filtering",
|
flagSet.CreateGroup("filters", "Filtering",
|
||||||
@ -492,6 +494,11 @@ Additional documentation is available at: https://docs.nuclei.sh/getting-started
|
|||||||
options.DAST = true
|
options.DAST = true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// All cloud-based templates depend on both code and self-contained templates.
|
||||||
|
if options.EnableCodeTemplates {
|
||||||
|
options.EnableSelfContainedTemplates = true
|
||||||
|
}
|
||||||
|
|
||||||
// api key hierarchy: cli flag > env var > .pdcp/credential file
|
// api key hierarchy: cli flag > env var > .pdcp/credential file
|
||||||
if pdcpauth == "true" {
|
if pdcpauth == "true" {
|
||||||
runner.AuthWithPDCP()
|
runner.AuthWithPDCP()
|
||||||
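Review bot: The help text for `-code` no longer describes its full effect: the block added after `options.DAST = true` turns on EnableSelfContainedTemplates whenever EnableCodeTemplates is set, so a user who opts into code templates also opts into every self-contained template, not only the cloud-based ones the new comment mentions. I would state that in the flag itself, `flagSet.BoolVar(&options.EnableCodeTemplates, "code", false, "enable loading code protocol-based templates (also enables self-contained templates)")`, and widen the comment to `// -code implies -esc: cloud-based templates need both, but this also admits non-cloud self-contained templates.` Neither the `-esc` nor the `-file` help string says why these template types are now off by default; since the commit message does not state the rationale either, a short clause naming it (presumably that such templates act on targets or local files the user did not pass in — worth confirming) would help users judge the trade-off. The flag group and the option post-processing both continue outside the hunks.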
|
|||||||
@ -69,6 +69,7 @@ func init() {
|
|||||||
// need to set headless to true for headless templates
|
// need to set headless to true for headless templates
|
||||||
defaultOpts.Headless = true
|
defaultOpts.Headless = true
|
||||||
defaultOpts.EnableCodeTemplates = true
|
defaultOpts.EnableCodeTemplates = true
|
||||||
|
defaultOpts.EnableSelfContainedTemplates = true
|
||||||
if err := protocolstate.Init(defaultOpts); err != nil {
|
if err := protocolstate.Init(defaultOpts); err != nil {
|
||||||
gologger.Fatal().Msgf("Could not initialize protocol state: %s\n", err)
|
gologger.Fatal().Msgf("Could not initialize protocol state: %s\n", err)
|
||||||
}
|
}
|
||||||
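Review bot: `defaultOpts` in this init now enables headless, code and self-contained templates but not the new EnableFileTemplates, so if these are the options the template store ends up reading, every file-protocol template will be dropped by the loader's new `HasFileProtocol()` gate introduced in this same commit. If this init is meant to admit every template type (the neighbouring lines suggest so), add `defaultOpts.EnableFileTemplates = true` next to the new line. If file templates are deliberately left out here, a one-line comment such as `// file templates intentionally not enabled here` would stop the next reader from adding it. The init function starts before the hunk, so I cannot see whether the field is set earlier.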
|
|||||||
@ -730,6 +730,8 @@ func (r *Runner) displayExecutionInfo(store *loader.Store) {
|
|||||||
stats.ForceDisplayWarning(templates.ExcludedCodeTmplStats)
|
stats.ForceDisplayWarning(templates.ExcludedCodeTmplStats)
|
||||||
stats.ForceDisplayWarning(templates.ExludedDastTmplStats)
|
stats.ForceDisplayWarning(templates.ExludedDastTmplStats)
|
||||||
stats.ForceDisplayWarning(templates.TemplatesExcludedStats)
|
stats.ForceDisplayWarning(templates.TemplatesExcludedStats)
|
||||||
|
stats.ForceDisplayWarning(templates.ExcludedFileStats)
|
||||||
|
stats.ForceDisplayWarning(templates.ExcludedSelfContainedStats)
|
||||||
}
|
}
|
||||||
|
|
||||||
if tmplCount == 0 && workflowCount == 0 {
|
if tmplCount == 0 && workflowCount == 0 {
|
||||||
|
|||||||
@ -380,6 +380,23 @@ func WithSandboxOptions(allowLocalFileAccess bool, restrictLocalNetworkAccess bo
|
|||||||
func EnableCodeTemplates() NucleiSDKOptions {
|
func EnableCodeTemplates() NucleiSDKOptions {
|
||||||
return func(e *NucleiEngine) error {
|
return func(e *NucleiEngine) error {
|
||||||
e.opts.EnableCodeTemplates = true
|
e.opts.EnableCodeTemplates = true
|
||||||
|
e.opts.EnableSelfContainedTemplates = true
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// EnableSelfContainedTemplates allows loading/executing self-contained templates
|
||||||
|
func EnableSelfContainedTemplates() NucleiSDKOptions {
|
||||||
|
return func(e *NucleiEngine) error {
|
||||||
|
e.opts.EnableSelfContainedTemplates = true
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// EnableFileTemplates allows loading/executing file protocol templates
|
||||||
|
func EnableFileTemplates() NucleiSDKOptions {
|
||||||
|
return func(e *NucleiEngine) error {
|
||||||
|
e.opts.EnableFileTemplates = true
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
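Review bot: EnableCodeTemplates() now also sets `e.opts.EnableSelfContainedTemplates = true`, but its doc comment sits above the hunk and, as far as this page shows, still describes only code templates; SDK callers who wanted code templates alone will start loading self-contained ones with no change on their side. I would extend that comment to `// EnableCodeTemplates allows loading/executing code templates; it also enables self-contained templates, which cloud-based templates depend on.` The two new option constructors should name the default they override, e.g. `// EnableSelfContainedTemplates allows loading/executing self-contained templates (excluded by default)` and the same for EnableFileTemplates, because an SDK user whose templates silently disappear will otherwise only see a stats warning that refers to CLI flags. Whether the SDK engine sets these fields elsewhere I cannot tell from this hunk.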
|
|||||||
@ -3,11 +3,12 @@ package nuclei
|
|||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"fmt"
|
"fmt"
|
||||||
"github.com/projectdiscovery/nuclei/v3/pkg/input"
|
|
||||||
"strings"
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/projectdiscovery/nuclei/v3/pkg/input"
|
||||||
|
|
||||||
"github.com/logrusorgru/aurora"
|
"github.com/logrusorgru/aurora"
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"github.com/projectdiscovery/gologger"
|
"github.com/projectdiscovery/gologger"
|
||||||
|
|||||||
@ -144,6 +144,7 @@ func TestWithVarsNuclei(t *testing.T) {
|
|||||||
}()
|
}()
|
||||||
ne, err := nuclei.NewNucleiEngineCtx(
|
ne, err := nuclei.NewNucleiEngineCtx(
|
||||||
context.TODO(),
|
context.TODO(),
|
||||||
|
nuclei.EnableSelfContainedTemplates(),
|
||||||
nuclei.WithTemplatesOrWorkflows(nuclei.TemplateSources{Templates: []string{"http/token-spray/api-1forge.yaml"}}),
|
nuclei.WithTemplatesOrWorkflows(nuclei.TemplateSources{Templates: []string{"http/token-spray/api-1forge.yaml"}}),
|
||||||
nuclei.WithVars([]string{"token=foobar"}),
|
nuclei.WithVars([]string{"token=foobar"}),
|
||||||
nuclei.WithVerbosity(nuclei.VerbosityOptions{Debug: true}),
|
nuclei.WithVerbosity(nuclei.VerbosityOptions{Debug: true}),
|
||||||
|
|||||||
@ -489,6 +489,17 @@ func (store *Store) LoadTemplatesWithTags(templatesList, tags []string) []*templ
|
|||||||
stats.Increment(templates.SkippedUnsignedStats)
|
stats.Increment(templates.SkippedUnsignedStats)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if parsed.SelfContained && !store.config.ExecutorOptions.Options.EnableSelfContainedTemplates {
|
||||||
|
stats.Increment(templates.ExcludedSelfContainedStats)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if parsed.HasFileProtocol() && !store.config.ExecutorOptions.Options.EnableFileTemplates {
|
||||||
|
stats.Increment(templates.ExcludedFileStats)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
// if template has request signature like aws then only signed and verified templates are allowed
|
// if template has request signature like aws then only signed and verified templates are allowed
|
||||||
if parsed.UsesRequestSignature() && !parsed.Verified {
|
if parsed.UsesRequestSignature() && !parsed.Verified {
|
||||||
stats.Increment(templates.SkippedRequestSignatureStats)
|
stats.Increment(templates.SkippedRequestSignatureStats)
|
||||||
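Review bot: The two new gates are placed in LoadTemplatesWithTags only, and the warnings they trigger (`-esc`, `-file`) are worded for the CLI; if templates can also reach the executor through another path on this store (workflows, or a load that does not go through tags), those paths would bypass the check, which is worth confirming since I cannot see the rest of the store from here. A small helper such as `func (store *Store) excludedByProtocolGate(parsed *templates.Template) bool` that performs both checks and increments the matching stat would let every load path share one rule and keep the two parallel blocks from drifting. The enclosing function (a closure inside LoadTemplatesWithTags, judging by the bare `return`) starts and ends outside the hunk.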
|
|||||||
@ -10,5 +10,7 @@ const (
|
|||||||
ExcludedCodeTmplStats = "code-flag-missing-warnings"
|
ExcludedCodeTmplStats = "code-flag-missing-warnings"
|
||||||
ExludedDastTmplStats = "fuzz-flag-missing-warnings"
|
ExludedDastTmplStats = "fuzz-flag-missing-warnings"
|
||||||
SkippedUnsignedStats = "skipped-unsigned-stats" // tracks loading of unsigned templates
|
SkippedUnsignedStats = "skipped-unsigned-stats" // tracks loading of unsigned templates
|
||||||
|
ExcludedSelfContainedStats = "excluded-self-contained-stats"
|
||||||
|
ExcludedFileStats = "excluded-file-stats"
|
||||||
SkippedRequestSignatureStats = "skipped-request-signature-stats"
|
SkippedRequestSignatureStats = "skipped-request-signature-stats"
|
||||||
)
|
)
|
||||||
|
|||||||
@ -9,6 +9,8 @@ func init() {
|
|||||||
stats.NewEntry(SkippedCodeTmplTamperedStats, "Found %d unsigned or tampered code template (carefully examine before using it & use -sign flag to sign them)")
|
stats.NewEntry(SkippedCodeTmplTamperedStats, "Found %d unsigned or tampered code template (carefully examine before using it & use -sign flag to sign them)")
|
||||||
stats.NewEntry(ExcludedHeadlessTmplStats, "Excluded %d headless template[s] (disabled as default), use -headless option to run headless templates.")
|
stats.NewEntry(ExcludedHeadlessTmplStats, "Excluded %d headless template[s] (disabled as default), use -headless option to run headless templates.")
|
||||||
stats.NewEntry(ExcludedCodeTmplStats, "Excluded %d code template[s] (disabled as default), use -code option to run code templates.")
|
stats.NewEntry(ExcludedCodeTmplStats, "Excluded %d code template[s] (disabled as default), use -code option to run code templates.")
|
||||||
|
stats.NewEntry(ExcludedSelfContainedStats, "Excluded %d self-contained template[s] (disabled as default), use -esc option to run self-contained templates.")
|
||||||
|
stats.NewEntry(ExcludedFileStats, "Excluded %d file template[s] (disabled as default), use -file option to run file templates.")
|
||||||
stats.NewEntry(TemplatesExcludedStats, "Excluded %d template[s] with known weak matchers / tags excluded from default run using .nuclei-ignore")
|
stats.NewEntry(TemplatesExcludedStats, "Excluded %d template[s] with known weak matchers / tags excluded from default run using .nuclei-ignore")
|
||||||
stats.NewEntry(ExludedDastTmplStats, "Excluded %d dast template[s] (disabled as default), use -dast option to run dast templates.")
|
stats.NewEntry(ExludedDastTmplStats, "Excluded %d dast template[s] (disabled as default), use -dast option to run dast templates.")
|
||||||
stats.NewEntry(SkippedUnsignedStats, "Skipping %d unsigned template[s]")
|
stats.NewEntry(SkippedUnsignedStats, "Skipping %d unsigned template[s]")
|
||||||
|
|||||||
@ -555,3 +555,8 @@ func (template *Template) UnmarshalJSON(data []byte) error {
|
|||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// HasFileProtocol returns true if the template has a file protocol section
|
||||||
|
func (template *Template) HasFileProtocol() bool {
|
||||||
|
return len(template.RequestsFile) > 0
|
||||||
|
}
|
||||||
|
|||||||
@ -383,6 +383,10 @@ type Options struct {
|
|||||||
EnableCodeTemplates bool
|
EnableCodeTemplates bool
|
||||||
// DisableUnsignedTemplates disables processing of unsigned templates
|
// DisableUnsignedTemplates disables processing of unsigned templates
|
||||||
DisableUnsignedTemplates bool
|
DisableUnsignedTemplates bool
|
||||||
|
// EnableSelfContainedTemplates disables processing of self-contained templates
|
||||||
|
EnableSelfContainedTemplates bool
|
||||||
|
// EnableFileTemplates enables file templates
|
||||||
|
EnableFileTemplates bool
|
||||||
// Disables cloud upload
|
// Disables cloud upload
|
||||||
EnableCloudUpload bool
|
EnableCloudUpload bool
|
||||||
// ScanID is the scan ID to use for cloud upload
|
// ScanID is the scan ID to use for cloud upload
|
||||||
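Review bot: The comment on the new EnableSelfContainedTemplates field says it "disables processing of self-contained templates", the opposite of what the field does elsewhere in this commit (the loader excludes such templates when it is false); it reads as a copy of the DisableUnsignedTemplates line above. Replace it with `// EnableSelfContainedTemplates enables processing of self-contained templates (excluded by default)` and, for symmetry, `// EnableFileTemplates enables processing of file protocol templates (excluded by default)`. The Options struct continues on both sides of the hunk.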
|
|||||||