Added flag to control workflow sandboxing

Ice3man543 2020-12-13 14:04:58 +05:30
parent 96049a32fa
commit cf2a98b03d
2 changed files with 9 additions and 11 deletions


@ -14,6 +14,7 @@ import (
// the template requesting process.
// nolint // false positive, options are allocated once and are necessary as is
type Options struct {
Sandbox bool // Sandbox mode allows users to run isolated workflows with system commands disabled
Debug bool // Debug mode allows debugging request/responses for the engine
Silent bool // Silent suppresses any extra text and only writes found URLs on screen.
Version bool // Version specifies if we should just show version and exit
@ -66,6 +67,7 @@ func (m *multiStringFlag) Set(value string) error {
func ParseOptions() *Options {
options := &Options{}
flag.BoolVar(&options.Sandbox, "sandbox", false, "Run workflows in isolated sandbox mode")
flag.StringVar(&options.Target, "target", "", "Target is a single target to scan using template")
flag.Var(&options.Templates, "t", "Template input dir/file/files to run on host. Can be used multiple times. Supports globbing.")
flag.Var(&options.ExcludedTemplates, "exclude", "Template input dir/file/files to exclude. Can be used multiple times. Supports globbing.")
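Review bot: The new `sandbox` flag is registered with a default of `false`, which makes the restricted mode opt-in; the runner change in this same commit shows workflows were previously always limited to the fixed module list, so anyone upgrading silently gets the wider mode. Defaulting to the safe side would avoid that, e.g. `flag.BoolVar(&options.Sandbox, "sandbox", true, "Run workflows in isolated sandbox mode")`, with `-sandbox=false` as the explicit opt-out. The help text should also say what is restricted, in line with the struct comment (system commands disabled). ParseOptions continues past the end of this hunk, so any later flag handling is not visible here.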


@ -28,6 +28,8 @@ type workflowTemplates struct {
Templates []*workflows.Template
}
var sandboxedModules = []string{"math", "text", "rand", "fmt", "json", "base64", "hex", "enum"}
// processTemplateWithList processes a template and runs the enumeration on all the targets
func (r *Runner) processTemplateWithList(p *progress.Progress, template *templates.Template, request interface{}) bool {
var httpExecuter *executer.HTTPExecuter
@ -128,7 +130,7 @@ func (r *Runner) processWorkflowWithList(p *progress.Progress, workflow *workflo
workflowTemplatesList, err := r.preloadWorkflowTemplates(p, workflow)
if err != nil {
gologger.Warningf("Could not preload templates for workflow %s: %s\n", workflow.ID, err)
return result
return false
}
logicBytes := []byte(workflow.Logic)
@ -143,17 +145,11 @@ func (r *Runner) processWorkflowWithList(p *progress.Progress, workflow *workflo
defer wg.Done()
script := tengo.NewScript(logicBytes)
var moduleNames = []string{
"math",
"text",
"rand",
"fmt",
"json",
"base64",
"hex",
"enum",
if !r.options.Sandbox {
script.SetImports(stdlib.GetModuleMap(stdlib.AllModuleNames()...))
} else {
script.SetImports(stdlib.GetModuleMap(sandboxedModules...))
}
script.SetImports(stdlib.GetModuleMap(moduleNames...))
variables := make(map[string]*workflows.NucleiVar)
for _, workflowTemplate := range *workflowTemplatesList {
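Review bot: `sandboxedModules` is the security allowlist for workflow scripts but is declared as a bare package-level `var` with no comment, so nothing tells a later contributor what qualifies a module for the list. I would add `// sandboxedModules lists the tengo stdlib modules exposed to workflow logic in sandbox mode; none may give file, process or network access.` above it. In the last hunk the negated test reads more clearly as `if r.options.Sandbox {` with the allowlist branch first, and since the other branch hands `stdlib.AllModuleNames()` to the script built from `workflow.Logic`, a `gologger.Warningf` naming the workflow ID when running unsandboxed would make that visible in logs. The body of processWorkflowWithList starts and ends outside these hunks.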