fixing payload load (#3927)

* fixing payload load

* Added tests for load payloads edge-case + fixed error

* Added separate flags for network and file sandbox

* Fixed tests for payload loader

* Fixed integration tests locally

* readme update

---------

Co-authored-by: Ice3man <nizamulrana@gmail.com>
Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>

README.md

@@ -41,11 +41,6 @@ Nuclei is used to send requests across targets based on a template, leading to z
 
 We have a [dedicated repository](https://github.com/projectdiscovery/nuclei-templates) that houses various type of vulnerability templates contributed by **more than 300** security researchers and engineers.
 
-| :exclamation:  **Disclaimer**  |
-|---------------------------------|
-| **This project is in active development**. Expect breaking changes with releases. Review the release changelog before updating. |
-| This project was primarily built to be used as a standalone CLI tool. **Running nuclei as a service may pose security risks.** It's recommended to use with caution and additional security measures. |
-
 ## How it works
 
 
@@ -54,6 +49,11 @@ We have a [dedicated repository](https://github.com/projectdiscovery/nuclei-temp
 </h3>
 
 
+| :exclamation:  **Disclaimer**  |
+|---------------------------------|
+| **This project is in active development**. Expect breaking changes with releases. Review the release changelog before updating. |
+| This project was primarily built to be used as a standalone CLI tool. **Running nuclei as a service may pose security risks.** It's recommended to use with caution and additional security measures. |
+
 # Install Nuclei
 
 Nuclei requires **go1.20** to install successfully. Run the following command to install the latest version -
@@ -157,7 +157,7 @@ OUTPUT:
    -silent                       display findings only
    -nc, -no-color                disable output content coloring (ANSI escape codes)
    -j, -jsonl                    write output in JSONL(ines) format
-   -irr, -include-rr             include request/response pairs in the JSON, JSONL, and Markdown outputs (for findings only) [DEPRECATED]
+   -irr, -include-rr             include request/response pairs in the JSON, JSONL, and Markdown outputs (for findings only) [DEPRECATED use -omit-raw] (default true)
    -or, -omit-raw                omit request/response pairs in the JSON, JSONL, and Markdown outputs (for findings only)
    -nm, -no-meta                 disable printing result metadata in cli output
    -ts, -timestamp               enables printing timestamp in cli output
@@ -169,35 +169,36 @@ OUTPUT:
    -jle, -jsonl-export string    file to export results in JSONL(ine) format
 
 CONFIGURATIONS:
-   -config string                 path to the nuclei configuration file
+   -config string                        path to the nuclei configuration file
-   -fr, -follow-redirects         enable following redirects for http templates
+   -fr, -follow-redirects                enable following redirects for http templates
-   -fhr, -follow-host-redirects   follow redirects on the same host
+   -fhr, -follow-host-redirects          follow redirects on the same host
-   -mr, -max-redirects int        max number of redirects to follow for http templates (default 10)
+   -mr, -max-redirects int               max number of redirects to follow for http templates (default 10)
-   -dr, -disable-redirects        disable redirects for http templates
+   -dr, -disable-redirects               disable redirects for http templates
-   -rc, -report-config string     nuclei reporting module configuration file
+   -rc, -report-config string            nuclei reporting module configuration file
-   -H, -header string[]           custom header/cookie to include in all http request in header:value format (cli, file)
+   -H, -header string[]                  custom header/cookie to include in all http request in header:value format (cli, file)
-   -V, -var value                 custom vars in key=value format
+   -V, -var value                        custom vars in key=value format
-   -r, -resolvers string          file containing resolver list for nuclei
+   -r, -resolvers string                 file containing resolver list for nuclei
-   -sr, -system-resolvers         use system DNS resolving as error fallback
+   -sr, -system-resolvers                use system DNS resolving as error fallback
-   -dc, -disable-clustering       disable clustering of requests
+   -dc, -disable-clustering              disable clustering of requests
-   -passive                       enable passive HTTP response processing mode
+   -passive                              enable passive HTTP response processing mode
-   -fh2, -force-http2             force http2 connection on requests
+   -fh2, -force-http2                    force http2 connection on requests
-   -ev, -env-vars                 enable environment variables to be used in template
+   -ev, -env-vars                        enable environment variables to be used in template
-   -cc, -client-cert string       client certificate file (PEM-encoded) used for authenticating against scanned hosts
+   -cc, -client-cert string              client certificate file (PEM-encoded) used for authenticating against scanned hosts
-   -ck, -client-key string        client key file (PEM-encoded) used for authenticating against scanned hosts
+   -ck, -client-key string               client key file (PEM-encoded) used for authenticating against scanned hosts
-   -ca, -client-ca string         client certificate authority file (PEM-encoded) used for authenticating against scanned hosts
+   -ca, -client-ca string                client certificate authority file (PEM-encoded) used for authenticating against scanned hosts
-   -sml, -show-match-line         show match lines for file templates, works with extractors only
+   -sml, -show-match-line                show match lines for file templates, works with extractors only
-   -ztls                          use ztls library with autofallback to standard one for tls13
+   -ztls                                 use ztls library with autofallback to standard one for tls13 [Deprecated] autofallback to ztls is enabled by default
-   -sni string                    tls sni hostname to use (default: input domain name)
+   -sni string                           tls sni hostname to use (default: input domain name)
-   -sandbox                       sandbox nuclei for safe templates execution
+   -lfa, -allow-local-file-access        allows file (payload) access anywhere on the system
-   -i, -interface string          network interface to use for network scan
+   -lna, -restrict-local-network-access  blocks connections to the local / private network
-   -at, -attack-type string       type of payload combinations to perform (batteringram,pitchfork,clusterbomb)
+   -i, -interface string                 network interface to use for network scan
-   -sip, -source-ip string        source ip address to use for network scan
+   -at, -attack-type string              type of payload combinations to perform (batteringram,pitchfork,clusterbomb)
-   -config-directory string       override the default config path ($home/.config)
+   -sip, -source-ip string               source ip address to use for network scan
-   -rsr, -response-size-read int  max response size to read in bytes (default 10485760)
+   -config-directory string              override the default config path ($home/.config)
-   -rss, -response-size-save int  max response size to read in bytes (default 1048576)
+   -rsr, -response-size-read int         max response size to read in bytes (default 10485760)
-   -reset                         reset removes all nuclei configuration and data files (including nuclei-templates)
+   -rss, -response-size-save int         max response size to read in bytes (default 1048576)
-   -tlsi, -tls-impersonate        enable experimental client hello (ja3) tls randomization
+   -reset                                reset removes all nuclei configuration and data files (including nuclei-templates)
+   -tlsi, -tls-impersonate               enable experimental client hello (ja3) tls randomization
 
 INTERACTSH:
    -iserver, -interactsh-server string  interactsh server url for self-hosted instance (default: oast.pro,oast.live,oast.site,oast.online,oast.fun,oast.me)
@@ -215,10 +216,10 @@ FUZZING:
 UNCOVER:
    -uc, -uncover                  enable uncover engine
    -uq, -uncover-query string[]   uncover search query
-   -ue, -uncover-engine string[]  uncover search engine (shodan,shodan-idb,fofa,censys,quake,hunter,zoomeye,netlas,criminalip) (default shodan)
+   -ue, -uncover-engine string[]  uncover search engine (shodan,censys,fofa,shodan-idb,quake,hunter,zoomeye,netlas,criminalip,publicwww,hunterhow) (default shodan)
    -uf, -uncover-field string     uncover fields to return (ip,port,host) (default "ip:port")
    -ul, -uncover-limit int        uncover results to return (default 100)
-   -ucd, -uncover-delay int       delay between uncover query requests in seconds (0 to disable) (default 1)
+   -ur, -uncover-ratelimit int    override ratelimit of engines with unknown ratelimit (default 60 req/min) (default 60)
 
 RATE-LIMIT:
    -rl, -rate-limit int               maximum number of requests to send per second (default 150)

README_ID.md

@@ -90,13 +90,15 @@ Nuclei is a fast, template based vulnerability scanner focusing
 on extensive configurability, massive extensibility and ease of use.
 
 Usage:
-  nuclei [flags]
+  ./nuclei [flags]
 
 Flags:
 TARGET:
-   -u, -target string[]  target URLs/hosts to scan
+   -u, -target string[]       target URLs/hosts to scan
-   -l, -list string      path to file containing a list of target URLs/hosts to scan (one per line)
+   -l, -list string           path to file containing a list of target URLs/hosts to scan (one per line)
-   -resume string        Resume scan using resume.cfg (clustering will be disabled)
+   -resume string             resume scan using resume.cfg (clustering will be disabled)
+   -sa, -scan-all-ips         scan all the IP's associated with dns record
+   -iv, -ip-version string[]  IP version to scan of hostname (4,6) - (default 4)
 
 TEMPLATES:
    -nt, -new-templates                    run only new templates added in latest nuclei-templates release
@@ -107,7 +109,8 @@ TEMPLATES:
    -w, -workflows string[]                list of workflow or workflow directory to run (comma-separated, file)
    -wu, -workflow-url string[]            list of workflow urls to run (comma-separated, file)
    -validate                              validate the passed templates to nuclei
-   -nss, -no-strict-syntax                Disable strict syntax check on templates
+   -nss, -no-strict-syntax                disable strict syntax check on templates
+   -td, -template-display                 displays the templates content
    -tl                                    list all available templates
 
 FILTERING:
@@ -122,8 +125,8 @@ FILTERING:
    -em, -exclude-matchers string[]    template matchers to exclude in result
    -s, -severity value[]              templates to run based on severity. Possible values: info, low, medium, high, critical, unknown
    -es, -exclude-severity value[]     templates to exclude based on severity. Possible values: info, low, medium, high, critical, unknown
-   -pt, -type value[]                 templates to run based on protocol type. Possible values: dns, file, http, headless, network, workflow, ssl, websocket, whois
+   -pt, -type value[]                 templates to run based on protocol type. Possible values: dns, file, http, headless, tcp, workflow, ssl, websocket, whois
-   -ept, -exclude-type value[]        templates to exclude based on protocol type. Possible values: dns, file, http, headless, network, workflow, ssl, websocket, whois
+   -ept, -exclude-type value[]        templates to exclude based on protocol type. Possible values: dns, file, http, headless, tcp, workflow, ssl, websocket, whois
    -tc, -template-condition string[]  templates to run based on expression condition
 
 OUTPUT:
@@ -133,41 +136,48 @@ OUTPUT:
    -silent                       display findings only
    -nc, -no-color                disable output content coloring (ANSI escape codes)
    -j, -jsonl                    write output in JSONL(ines) format
-   -irr, -include-rr             include request/response pairs in the JSON, JSONL, and Markdown outputs (for findings only) [DEPRECATED]
+   -irr, -include-rr             include request/response pairs in the JSON, JSONL, and Markdown outputs (for findings only) [DEPRECATED use -omit-raw] (default true)
    -or, -omit-raw                omit request/response pairs in the JSON, JSONL, and Markdown outputs (for findings only)
    -nm, -no-meta                 disable printing result metadata in cli output
-   -nts, -no-timestamp           disable printing timestamp in cli output
+   -ts, -timestamp               enables printing timestamp in cli output
    -rdb, -report-db string       nuclei reporting database (always use this to persist report data)
    -ms, -matcher-status          display match failure status
    -me, -markdown-export string  directory to export results in markdown format
    -se, -sarif-export string     file to export results in SARIF format
-   -je, -json-export string      file to export results in JSON format as a JSON array. This can be memory intensive in larger scans
+   -je, -json-export string      file to export results in JSON format
-   -jle, -jsonl-export string    file to export results in JSONL(ine) format as a list of line-delimited JSON objects
+   -jle, -jsonl-export string    file to export results in JSONL(ine) format
 
 CONFIGURATIONS:
-   -config string                 path to the nuclei configuration file
+   -config string                        path to the nuclei configuration file
-   -fr, -follow-redirects         enable following redirects for http templates
+   -fr, -follow-redirects                enable following redirects for http templates
-   -fhr, -follow-host-redirects   follow redirects on the same host
+   -fhr, -follow-host-redirects          follow redirects on the same host
-   -mr, -max-redirects int        max number of redirects to follow for http templates (default 10)
+   -mr, -max-redirects int               max number of redirects to follow for http templates (default 10)
-   -dr, -disable-redirects        disable redirects for http templates
+   -dr, -disable-redirects               disable redirects for http templates
-   -rc, -report-config string     nuclei reporting module configuration file
+   -rc, -report-config string            nuclei reporting module configuration file
-   -H, -header string[]           custom header/cookie to include in all http request in header:value format (cli, file)
+   -H, -header string[]                  custom header/cookie to include in all http request in header:value format (cli, file)
-   -V, -var value                 custom vars in key=value format
+   -V, -var value                        custom vars in key=value format
-   -r, -resolvers string          file containing resolver list for nuclei
+   -r, -resolvers string                 file containing resolver list for nuclei
-   -sr, -system-resolvers         use system DNS resolving as error fallback
+   -sr, -system-resolvers                use system DNS resolving as error fallback
-   -passive                       enable passive HTTP response processing mode
+   -dc, -disable-clustering              disable clustering of requests
-   -ev, -env-vars                 enable environment variables to be used in template
+   -passive                              enable passive HTTP response processing mode
-   -cc, -client-cert string       client certificate file (PEM-encoded) used for authenticating against scanned hosts
+   -fh2, -force-http2                    force http2 connection on requests
-   -ck, -client-key string        client key file (PEM-encoded) used for authenticating against scanned hosts
+   -ev, -env-vars                        enable environment variables to be used in template
-   -ca, -client-ca string         client certificate authority file (PEM-encoded) used for authenticating against scanned hosts
+   -cc, -client-cert string              client certificate file (PEM-encoded) used for authenticating against scanned hosts
-   -sml, -show-match-line         show match lines for file templates, works with extractors only
+   -ck, -client-key string               client key file (PEM-encoded) used for authenticating against scanned hosts
-   -ztls                          use ztls library with autofallback to standard one for tls13
+   -ca, -client-ca string                client certificate authority file (PEM-encoded) used for authenticating against scanned hosts
-   -sni string                    tls sni hostname to use (default: input domain name)
+   -sml, -show-match-line                show match lines for file templates, works with extractors only
-   -i, -interface string          network interface to use for network scan
+   -ztls                                 use ztls library with autofallback to standard one for tls13 [Deprecated] autofallback to ztls is enabled by default
-   -sip, -source-ip string        source ip address to use for network scan
+   -sni string                           tls sni hostname to use (default: input domain name)
-   -config-directory string       Override the default config path ($home/.config)
+   -lfa, -allow-local-file-access        allows file (payload) access anywhere on the system
-   -rsr, -response-size-read int  max response size to read in bytes (default 10485760)
+   -lna, -restrict-local-network-access  blocks connections to the local / private network
-   -rss, -response-size-save int  max response size to save in bytes (default 10485760)
+   -i, -interface string                 network interface to use for network scan
+   -at, -attack-type string              type of payload combinations to perform (batteringram,pitchfork,clusterbomb)
+   -sip, -source-ip string               source ip address to use for network scan
+   -config-directory string              override the default config path ($home/.config)
+   -rsr, -response-size-read int         max response size to read in bytes (default 10485760)
+   -rss, -response-size-save int         max response size to read in bytes (default 1048576)
+   -reset                                reset removes all nuclei configuration and data files (including nuclei-templates)
+   -tlsi, -tls-impersonate               enable experimental client hello (ja3) tls randomization
 
 INTERACTSH:
    -iserver, -interactsh-server string  interactsh server url for self-hosted instance (default: oast.pro,oast.live,oast.site,oast.online,oast.fun,oast.me)
@@ -178,6 +188,18 @@ INTERACTSH:
    -interactions-cooldown-period int    extra time for interaction polling before exiting (default 5)
    -ni, -no-interactsh                  disable interactsh server for OAST testing, exclude OAST based templates
 
+FUZZING:
+   -ft, -fuzzing-type string  overrides fuzzing type set in template (replace, prefix, postfix, infix)
+   -fm, -fuzzing-mode string  overrides fuzzing mode set in template (multiple, single)
+
+UNCOVER:
+   -uc, -uncover                  enable uncover engine
+   -uq, -uncover-query string[]   uncover search query
+   -ue, -uncover-engine string[]  uncover search engine (shodan,censys,fofa,shodan-idb,quake,hunter,zoomeye,netlas,criminalip,publicwww,hunterhow) (default shodan)
+   -uf, -uncover-field string     uncover fields to return (ip,port,host) (default "ip:port")
+   -ul, -uncover-limit int        uncover results to return (default 100)
+   -ur, -uncover-ratelimit int    override ratelimit of engines with unknown ratelimit (default 60 req/min) (default 60)
+
 RATE-LIMIT:
    -rl, -rate-limit int               maximum number of requests to send per second (default 150)
    -rlm, -rate-limit-minute int       maximum number of requests to send per minute
@@ -189,22 +211,24 @@ RATE-LIMIT:
 OPTIMIZATIONS:
    -timeout int                        time to wait in seconds before timeout (default 10)
    -retries int                        number of times to retry a failed request (default 1)
-   -ldp, -leave-default-ports          leave default HTTP/HTTPS ports (eg. host:80,host:443
+   -ldp, -leave-default-ports          leave default HTTP/HTTPS ports (eg. host:80,host:443)
    -mhe, -max-host-error int           max errors for a host before skipping from scan (default 30)
    -te, -track-error string[]          adds given error to max-host-error watchlist (standard, file)
    -nmhe, -no-mhe                      disable skipping host from scan based on errors
    -project                            use a project folder to avoid sending same request multiple times
-   -project-path string                set a specific project path
+   -project-path string                set a specific project path (default "/tmp")
-   -spm, -stop-at-first-path           stop processing HTTP requests after the first match (may break template/workflow logic)
+   -spm, -stop-at-first-match          stop processing HTTP requests after the first match (may break template/workflow logic)
    -stream                             stream mode - start elaborating without sorting the input
+   -ss, -scan-strategy value           strategy to use while scanning(auto/host-spray/template-spray) (default auto)
    -irt, -input-read-timeout duration  timeout on input read (default 3m0s)
-   -no-stdin                           Disable Stdin processing
+   -nh, -no-httpx                      disable httpx probing for non-url input
+   -no-stdin                           disable stdin processing
 
 HEADLESS:
-   -headless                    enable templates that require headless browser support (root user on linux will disable sandbox)
+   -headless                    enable templates that require headless browser support (root user on Linux will disable sandbox)
    -page-timeout int            seconds to wait for each page in headless mode (default 20)
    -sb, -show-browser           show the browser on the screen when running templates with headless mode
-   -sc, -system-chrome          Use local installed chrome browser instead of nuclei installed
+   -sc, -system-chrome          use local installed Chrome browser instead of nuclei installed
    -lha, -list-headless-action  list available headless actions
 
 DEBUG:
@@ -221,22 +245,46 @@ DEBUG:
    -v, -verbose              show verbose output
    -profile-mem string       optional nuclei memory profile dump file
    -vv                       display templates loaded for scan
+   -svd, -show-var-dump      show variables dump for debugging
    -ep, -enable-pprof        enable pprof debugging server
    -tv, -templates-version   shows the version of the installed nuclei-templates
    -hc, -health-check        run diagnostic check up
 
 UPDATE:
-   -update                        update nuclei engine to the latest released version
+   -up, -update                      update nuclei engine to the latest released version
-   -ut, -update-templates         update nuclei-templates to latest released version
+   -ut, -update-templates            update nuclei-templates to latest released version
-   -ud, -update-directory string  overwrite the default directory to install nuclei-templates
+   -ud, -update-template-dir string  custom directory to install / update nuclei-templates
-   -duc, -disable-update-check    disable automatic nuclei/templates update check
+   -duc, -disable-update-check       disable automatic nuclei/templates update check
 
 STATISTICS:
    -stats                    display statistics about the running scan
-   -sj, -stats-json          dispaly statistics in JSONL(ines) format
+   -sj, -stats-json          display statistics in JSONL(ines) format
    -si, -stats-interval int  number of seconds to wait between showing a statistics update (default 5)
    -m, -metrics              expose nuclei metrics on a port
    -mp, -metrics-port int    port to expose nuclei metrics on (default 9092)
+
+CLOUD:
+   -cloud                              run scan on nuclei cloud
+   -ads, -add-datasource string        add specified data source (s3,github)
+   -atr, -add-target string            add target(s) to cloud
+   -atm, -add-template string          add template(s) to cloud
+   -lsn, -list-scan                    list previous cloud scans
+   -lso, -list-output string           list scan output by scan id
+   -ltr, -list-target                  list cloud target by id
+   -ltm, -list-template                list cloud template by id
+   -lds, -list-datasource              list cloud datasource by id
+   -lrs, -list-reportsource            list reporting sources
+   -dsn, -delete-scan string           delete cloud scan by id
+   -dtr, -delete-target string         delete target(s) from cloud
+   -dtm, -delete-template string       delete template(s) from cloud
+   -dds, -delete-datasource string     delete specified data source
+   -drs, -disable-reportsource string  disable specified reporting source
+   -ers, -enable-reportsource string   enable specified reporting source
+   -gtr, -get-target string            get target content by id
+   -gtm, -get-template string          get template content by id
+   -nos, -no-store                     disable scan/output storage on cloud
+   -no-tables                          do not display pretty-printed tables
+   -limit int                          limit the number of output to display (default 100)
 ```
 
 ### Menjalankan Nuclei

v2/cmd/nuclei/main.go

@@ -203,7 +203,8 @@ on extensive configurability, massive extensibility and ease of use.`)
 		flagSet.BoolVarP(&options.ShowMatchLine, "show-match-line", "sml", false, "show match lines for file templates, works with extractors only"),
 		flagSet.BoolVar(&options.ZTLS, "ztls", false, "use ztls library with autofallback to standard one for tls13 [Deprecated] autofallback to ztls is enabled by default"), //nolint:all
 		flagSet.StringVar(&options.SNI, "sni", "", "tls sni hostname to use (default: input domain name)"),
-		flagSet.BoolVar(&options.Sandbox, "sandbox", false, "sandbox nuclei for safe templates execution"),
+		flagSet.BoolVarP(&options.AllowLocalFileAccess, "allow-local-file-access", "lfa", false, "allows file (payload) access anywhere on the system"),
+		flagSet.BoolVarP(&options.RestrictLocalNetworkAccess, "restrict-local-network-access", "lna", false, "blocks connections to the local / private network"),
 		flagSet.StringVarP(&options.Interface, "interface", "i", "", "network interface to use for network scan"),
 		flagSet.StringVarP(&options.AttackType, "attack-type", "at", "", "type of payload combinations to perform (batteringram,pitchfork,clusterbomb)"),
 		flagSet.StringVarP(&options.SourceIP, "source-ip", "sip", "", "source ip address to use for network scan"),

v2/pkg/protocols/common/generators/generators.go

@@ -17,7 +17,7 @@ type PayloadGenerator struct {
 }
 
 // New creates a new generator structure for payload generation
-func New(payloads map[string]interface{}, attackType AttackType, templatePath string, sandbox bool, catalog catalog.Catalog, customAttackType string) (*PayloadGenerator, error) {
+func New(payloads map[string]interface{}, attackType AttackType, templatePath string, allowLocalFileAccess bool, catalog catalog.Catalog, customAttackType string) (*PayloadGenerator, error) {
 	if attackType.String() == "" {
 		attackType = BatteringRamAttack
 	}
@@ -43,7 +43,7 @@ func New(payloads map[string]interface{}, attackType AttackType, templatePath st
 		return nil, err
 	}
 
-	compiled, err := generator.loadPayloads(payloadsFinal, templatePath, config.DefaultConfig.TemplatesDirectory, sandbox)
+	compiled, err := generator.loadPayloads(payloadsFinal, templatePath, config.DefaultConfig.TemplatesDirectory, allowLocalFileAccess)
 	if err != nil {
 		return nil, err
 	}

v2/pkg/protocols/common/generators/load.go

@@ -11,7 +11,7 @@ import (
 )
 
 // loadPayloads loads the input payloads from a map to a data map
-func (generator *PayloadGenerator) loadPayloads(payloads map[string]interface{}, templatePath, templateDirectory string, sandbox bool) (map[string][]string, error) {
+func (generator *PayloadGenerator) loadPayloads(payloads map[string]interface{}, templatePath, templateDirectory string, allowLocalFileAccess bool) (map[string][]string, error) {
 	loadedPayloads := make(map[string][]string)
 
 	for name, payload := range payloads {
@@ -22,9 +22,13 @@ func (generator *PayloadGenerator) loadPayloads(payloads map[string]interface{},
 			if len(elements) >= 2 {
 				loadedPayloads[name] = elements
 			} else {
-				if sandbox {
+				if !allowLocalFileAccess {
 					pt = filepath.Clean(pt)
-					templatePathDir := filepath.Dir(templatePath)
+					templateAbsPath, err := filepath.Abs(templatePath)
+					if err != nil {
+						return nil, errors.Wrap(err, "could not get absolute path")
+					}
+					templatePathDir := filepath.Dir(templateAbsPath)
 					if !(templatePathDir != "/" && strings.HasPrefix(pt, templatePathDir)) && !strings.HasPrefix(pt, templateDirectory) {
 						return nil, errors.New("denied payload file path specified")
 					}

v2/pkg/protocols/common/generators/load_test.go

@@ -25,14 +25,20 @@ func TestLoadPayloads(t *testing.T) {
 	t.Run("templates-directory", func(t *testing.T) {
 		values, err := generator.loadPayloads(map[string]interface{}{
 			"new": fullpath,
-		}, "/test", tempdir, true)
+		}, "/test", tempdir, false)
 		require.NoError(t, err, "could not load payloads")
 		require.Equal(t, map[string][]string{"new": {"test", "another"}}, values, "could not get values")
 	})
+	t.Run("templates-path-relative", func(t *testing.T) {
+		_, err := generator.loadPayloads(map[string]interface{}{
+			"new": "../../../../../../../../../etc/passwd",
+		}, ".", tempdir, false)
+		require.Error(t, err, "could load payloads")
+	})
 	t.Run("template-directory", func(t *testing.T) {
 		values, err := generator.loadPayloads(map[string]interface{}{
 			"new": fullpath,
-		}, filepath.Join(tempdir, "test.yaml"), "/test", true)
+		}, filepath.Join(tempdir, "test.yaml"), "/test", false)
 		require.NoError(t, err, "could not load payloads")
 		require.Equal(t, map[string][]string{"new": {"test", "another"}}, values, "could not get values")
 	})
@@ -42,19 +48,19 @@ func TestLoadPayloads(t *testing.T) {
 		}
 		_, err := generator.loadPayloads(map[string]interface{}{
 			"new": "/etc/passwd",
-		}, "/random", "/test", false)
+		}, "/random", "/test", true)
 		require.NoError(t, err, "could load payloads")
 	})
 	t.Run("invalid", func(t *testing.T) {
 		values, err := generator.loadPayloads(map[string]interface{}{
 			"new": "/etc/passwd",
-		}, "/random", "/test", true)
+		}, "/random", "/test", false)
 		require.Error(t, err, "could load payloads")
 		require.Equal(t, 0, len(values), "could get values")
 
 		values, err = generator.loadPayloads(map[string]interface{}{
 			"new": fullpath,
-		}, "/random", "/test", true)
+		}, "/random", "/test", false)
 		require.Error(t, err, "could load payloads")
 		require.Equal(t, 0, len(values), "could get values")
 	})

v2/pkg/protocols/common/protocolstate/state.go

@@ -91,7 +91,7 @@ func Init(options *types.Options) error {
 	if options.ResolversFile != "" {
 		opts.BaseResolvers = options.InternalResolversList
 	}
-	if options.Sandbox {
+	if options.RestrictLocalNetworkAccess {
 		opts.Deny = append(networkpolicy.DefaultIPv4DenylistRanges, networkpolicy.DefaultIPv6DenylistRanges...)
 	}
 	opts.WithDialerHistory = true

v2/pkg/protocols/dns/dns.go

@@ -172,7 +172,7 @@ func (request *Request) Compile(options *protocols.ExecutorOptions) error {
 	}
 
 	if len(request.Payloads) > 0 {
-		request.generator, err = generators.New(request.Payloads, request.AttackType.Value, request.options.TemplatePath, request.options.Options.Sandbox, request.options.Catalog, request.options.Options.AttackType)
+		request.generator, err = generators.New(request.Payloads, request.AttackType.Value, request.options.TemplatePath, request.options.Options.AllowLocalFileAccess, request.options.Catalog, request.options.Options.AttackType)
 		if err != nil {
 			return errors.Wrap(err, "could not parse payloads")
 		}

v2/pkg/protocols/headless/headless.go

@@ -106,7 +106,7 @@ func (request *Request) Compile(options *protocols.ExecutorOptions) error {
 
 	if len(request.Payloads) > 0 {
 		var err error
-		request.generator, err = generators.New(request.Payloads, request.AttackType.Value, options.TemplatePath, options.Options.Sandbox, options.Catalog, options.Options.AttackType)
+		request.generator, err = generators.New(request.Payloads, request.AttackType.Value, options.TemplatePath, options.Options.AllowLocalFileAccess, options.Catalog, options.Options.AttackType)
 		if err != nil {
 			return errors.Wrap(err, "could not parse payloads")
 		}

v2/pkg/protocols/http/http.go

@@ -353,7 +353,7 @@ func (request *Request) Compile(options *protocols.ExecutorOptions) error {
 	}
 
 	if len(request.Payloads) > 0 {
-		request.generator, err = generators.New(request.Payloads, request.AttackType.Value, request.options.TemplatePath, request.options.Options.Sandbox, request.options.Catalog, request.options.Options.AttackType)
+		request.generator, err = generators.New(request.Payloads, request.AttackType.Value, request.options.TemplatePath, request.options.Options.AllowLocalFileAccess, request.options.Catalog, request.options.Options.AttackType)
 		if err != nil {
 			return errors.Wrap(err, "could not parse payloads")
 		}

v2/pkg/protocols/network/network.go

@@ -184,7 +184,7 @@ func (request *Request) Compile(options *protocols.ExecutorOptions) error {
 	}
 
 	if len(request.Payloads) > 0 {
-		request.generator, err = generators.New(request.Payloads, request.AttackType.Value, request.options.TemplatePath, request.options.Options.Sandbox, request.options.Catalog, request.options.Options.AttackType)
+		request.generator, err = generators.New(request.Payloads, request.AttackType.Value, request.options.TemplatePath, request.options.Options.AllowLocalFileAccess, request.options.Catalog, request.options.Options.AttackType)
 		if err != nil {
 			return errors.Wrap(err, "could not parse payloads")
 		}

v2/pkg/protocols/websocket/websocket.go

@@ -106,7 +106,7 @@ func (request *Request) Compile(options *protocols.ExecutorOptions) error {
 	request.dialer = client
 
 	if len(request.Payloads) > 0 {
-		request.generator, err = generators.New(request.Payloads, request.AttackType.Value, request.options.TemplatePath, request.options.Options.Sandbox, options.Catalog, options.Options.AttackType)
+		request.generator, err = generators.New(request.Payloads, request.AttackType.Value, request.options.TemplatePath, request.options.Options.AllowLocalFileAccess, options.Catalog, options.Options.AttackType)
 		if err != nil {
 			return errors.Wrap(err, "could not parse payloads")
 		}

v2/pkg/testutils/integration.go

@@ -52,6 +52,7 @@ func RunNucleiBareArgsAndGetResults(debug bool, extra ...string) ([]string, erro
 	cmd.Args = append(cmd.Args, "-duc") // disable auto updates
 	cmd.Args = append(cmd.Args, "-interactions-poll-duration", "1")
 	cmd.Args = append(cmd.Args, "-interactions-cooldown-period", "10")
+	cmd.Args = append(cmd.Args, "-allow-local-file-access")
 	if debug {
 		cmd.Args = append(cmd.Args, "-debug")
 		cmd.Stderr = os.Stderr

v2/pkg/types/types.go

@@ -285,8 +285,10 @@ type Options struct {
 	ClientCAFile string
 	// Deprecated: Use ZTLS library
 	ZTLS bool
-	// Sandbox enables sandboxed nuclei template execution
+	// AllowLocalFileAccess allows local file access from templates payloads
-	Sandbox bool
+	AllowLocalFileAccess bool
+	// RestrictLocalNetworkAccess restricts local network access from templates requests
+	RestrictLocalNetworkAccess bool
 	// ShowMatchLine enables display of match line number
 	ShowMatchLine bool
 	// EnablePprof enables exposing pprof runtime information with a webserver.