External/nuclei
1
0
Fork 0
mirror of https://github.com/projectdiscovery/nuclei.git synced 2025-12-17 16:05:26 +00:00
Code Issues Packages Projects Releases Wiki Activity
5,746 Commits 49 Branches 135 Tags
Commit Graph

5746 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Mzack9999
47f45d3301 bump go.mod 2025-08-27 17:45:54 +02:00
Mzack9999
7b0d9af632 Merge branch 'dev' into feat-6409-rsync-auth 2025-08-27 17:45:45 +02:00
Mzack9999
fd3c304136 adding rsync test 2025-08-27 17:43:46 +02:00
Lorenzo Susini
8194fabcf8
test(reporting/exporters/mongo): add mongo integration test with test… (#6237) 
* test(reporting/exporters/mongo): add mongo integration test with testcontainer-go module

Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>

* execute exportes only on linux

---------

Signed-off-by: Lorenzo Susini <susinilorenzo1@gmail.com>
Co-authored-by: Mzack9999 <mzack9999@protonmail.com>
 2025-08-27 04:25:31 +05:30
dependabot[bot]
5063af46b1 chore(deps): bump github.com/go-viper/mapstructure/v2 
Bumps the go_modules group with 1 update in the / directory: [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure).


Updates `github.com/go-viper/mapstructure/v2` from 2.3.0 to 2.4.0
- [Release notes](https://github.com/go-viper/mapstructure/releases)
- [Changelog](https://github.com/go-viper/mapstructure/blob/main/CHANGELOG.md)
- [Commits](https://github.com/go-viper/mapstructure/compare/v2.3.0...v2.4.0)

---
updated-dependencies:
- dependency-name: github.com/go-viper/mapstructure/v2
  dependency-version: 2.4.0
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-08-26 07:08:27 +00:00
Mzack9999
36e7701833 Merge branch 'dev' into feat-6409-rsync-auth 2025-08-25 19:46:09 +02:00
PDTeamX
0f7b33cebf limited test, instead of all 2025-08-25 13:56:03 +05:30
Dwi Siswanto
a1b5a0ed99
fix(fuzz): handles duplicate multipart form field names (#6404) 
* fix: handle duplicate field names in multipart form encoding

* fix(fuzz): handles `[]any` type in `*MultiPartForm.Encode`

Signed-off-by: Dwi Siswanto <git@dw1.io>

* test(fuzz): adds panic recovery & display encoded out

Signed-off-by: Dwi Siswanto <git@dw1.io>

* fix(fuzz): incorrectly treated mixed type field

in `*MultiPartForm.Encode`

Signed-off-by: Dwi Siswanto <git@dw1.io>

* test(fuzz): refactor compare w decoded instead

Signed-off-by: Dwi Siswanto <git@dw1.io>

* chore(fuzz): prealloc for `[]any` type

Signed-off-by: Dwi Siswanto <git@dw1.io>

* fix(fuzz): treats nil value as empty string

Signed-off-by: Dwi Siswanto <git@dw1.io>

* chore(fuzz): rm early error return for non-array file

Signed-off-by: Dwi Siswanto <git@dw1.io>

* test(fuzz): adds `TestMultiPartFormFileUpload` test

Signed-off-by: Dwi Siswanto <git@dw1.io>

---------

Signed-off-by: Dwi Siswanto <git@dw1.io>
Co-authored-by: yusei-wy <31252054+yusei-wy@users.noreply.github.com>
 2025-08-25 13:42:51 +05:30
Tarun Koyalwar
19247ae74b
Path-Based Fuzzing SQL fix (#6400) 
* setup claude

* migrate to using errkit

* fix unused imports + lint errors

* update settings.json

* fix url encoding issue

* fix lint error

* fix the path fuzzing component

* fix lint error
 2025-08-25 13:36:58 +05:30
Dwi Siswanto
309018fbf4
fix: segfault in template caching logic (#6421) 
* fix: segfault in template caching logic

when templates had no executable requests after
option updates.

the cached templates could end up with 0 requests
and no flow execution path, resulting in a nil
engine pointer that was later derefer w/o
validation.

bug seq:
caching template (w/ valid requests) -> get cached
template -> `*ExecutorOptions.Options` copied and
modified (inconsistent) -> requests updated (with
new options -- some may be invalid, and without
recompile) -> template returned w/o validation ->
`compileProtocolRequests` -> `NewTemplateExecuter`
receive empty requests + empty flow = nil engine
-> `*TemplateExecuter.{Compile,Execute}` invoked
on nil engine = panic.

RCA:
1. `*ExecutorOptions.ApplyNewEngineOptions`
   overwriting many fields.
2. copy op pointless; create a copy of options and
   then immediately replace it with original
   pointer.
3. missing executable requests validation after
   cached templates is reconstructed with updated
   options.

Thus, this affected `--automatic-scan` mode where
tech detection templates often have conditional
requests that may be filtered based on runtime
options.

Fixes #6417

Signed-off-by: Dwi Siswanto <git@dw1.io>

* fix(templates): recompile workflow with `tplCopy.Options`

Signed-off-by: Dwi Siswanto <git@dw1.io>

* fix(templates): strengthen cache hit guard

Signed-off-by: Dwi Siswanto <git@dw1.io>

* fix(protocols): skips template-specific fields

Signed-off-by: Dwi Siswanto <git@dw1.io>

---------

Signed-off-by: Dwi Siswanto <git@dw1.io>
 2025-08-23 20:01:23 +05:30
PDTeamX
5e9ada23b2 Update constants.go 2025-08-23 19:51:23 +05:30
PDTeamX
00f4595f0b version update 2025-08-22 20:27:44 +05:30
Ice3man
30e520754b
feat: fixed output event for skipped hosts (#6415) 
* feat: fixed output event for skipped hosts

* misc
 2025-08-22 20:25:07 +05:30
Mzack9999
68605c210b example 2025-08-21 20:40:23 +02:00
Mzack9999
663a8e9d49 adding unauth list modules + auth list files in module 2025-08-21 20:05:14 +02:00
Mzack9999
7f5a141936 adding min auth support 2025-08-21 03:04:55 +02:00
Sandeep Singh
b4644af80a
Lint + test fixes after utils dep update (#6393) 
* fix: remove undefined errorutil.ShowStackTrace

* feat: add make lint support and integrate with test

* refactor: migrate errorutil to errkit across codebase

- Replace deprecated errorutil with modern errkit
- Convert error declarations from var to func for better compatibility
- Fix all SA1019 deprecation warnings
- Maintain error chain support and stack traces

* fix: improve DNS test reliability using Google DNS

- Configure test to use Google DNS (8.8.8.8) for stability
- Fix nil pointer issue in DNS client initialization
- Keep production defaults unchanged

* fixing logic

* removing unwanted branches in makefile

---------

Co-authored-by: Mzack9999 <mzack9999@protonmail.com>
 2025-08-20 05:28:23 +05:30
Dogan Can Bakir
44eeb5a60b
enable templates for template listing and displaying (#6343) 2025-08-17 01:50:22 +05:30
PDTeamX
e1f8a18d38 dep update + removed unused code 2025-08-16 15:51:32 +05:30
Dwi Siswanto
6a6fa4d38f
feat(fuzz): eval variables (#6358) 
* feat(fuzz): eval vars for rule keys & values

Signed-off-by: Dwi Siswanto <git@dw1.io>

* chore: re-fmt fuzzing/dast errors

Signed-off-by: Dwi Siswanto <git@dw1.io>

* test(fuzz): adds `TestEvaluateVariables`

Signed-off-by: Dwi Siswanto <git@dw1.io>

---------

Signed-off-by: Dwi Siswanto <git@dw1.io>
 2025-08-16 14:41:22 +05:30
Dwi Siswanto
9fcacd0f86
ci(tests): migrate to golangci-lint v2 (#6380) 
* chore: satisfy lints

Signed-off-by: Dwi Siswanto <git@dw1.io>

* ci(tests): migrate to golangci-lint v2

Signed-off-by: Dwi Siswanto <git@dw1.io>

---------

Signed-off-by: Dwi Siswanto <git@dw1.io>
 2025-08-16 13:20:09 +07:00
Dwi Siswanto
70eeb6c210
fix: prevent unnecessary template updates (#6379) 
* test(installer): adds `TestIsOutdatedVersionFix`

Signed-off-by: Dwi Siswanto <git@dw1.io>

* fix: prevent unnecessary template updates

when version API fails.

* fix `catalog/config.IsOutdatedVersion` logic for
  empty version strings
* add GitHub API fallback when PDTM API is unavail
* only show outdated msg for actual version
  mismatches

Signed-off-by: Dwi Siswanto <git@dw1.io>

---------

Signed-off-by: Dwi Siswanto <git@dw1.io>
 2025-08-16 04:50:20 +05:30
ysokolovsky
d569cfe864
fix(headless): merge extra headers (#6376) 
* headless: fix extra headers overwrite

* headless: set Accept-Language when no custom headers
 2025-08-16 04:48:34 +05:30
dependabot[bot]
89de8a5a59 chore(deps): bump the go_modules group across 1 directory with 2 updates 
Bumps the go_modules group with 2 updates in the / directory: [github.com/docker/docker](https://github.com/docker/docker) and [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure).


Updates `github.com/docker/docker` from 27.1.1+incompatible to 28.0.0+incompatible
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v27.1.1...v28.0.0)

Updates `github.com/go-viper/mapstructure/v2` from 2.2.1 to 2.3.0
- [Release notes](https://github.com/go-viper/mapstructure/releases)
- [Changelog](https://github.com/go-viper/mapstructure/blob/main/CHANGELOG.md)
- [Commits](https://github.com/go-viper/mapstructure/compare/v2.2.1...v2.3.0)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-version: 28.0.0+incompatible
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/go-viper/mapstructure/v2
  dependency-version: 2.3.0
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-08-15 20:52:01 +00:00
Dwi Siswanto
7e95d9a185
build(make): update template-validate cmds (#6385) 
Signed-off-by: Dwi Siswanto <git@dw1.io>
 2025-08-15 06:05:51 +05:30
Doğan Can Bakır
6996b4ab75
bump version 2025-08-13 19:22:34 -07:00
Ice3man
8ef3662634
Merge pull request #6364 from projectdiscovery/loading-performance-improvements-v2 
feat: loading templates performance improvements
 2025-08-06 01:58:03 +05:30
Ice3man
1b6ae44bb7 Merge branch 'dev' of https://github.com/projectdiscovery/nuclei into loading-performance-improvements-v2 2025-08-06 01:57:41 +05:30
Ice3man
bba2c3a576
Merge pull request #6368 from projectdiscovery/fix/waf-detector-nil-pointer 
fix: prevent nil pointer panic in WAF detector
 2025-08-06 01:53:14 +05:30
knakul853
b685d637f3 fix: prevent nil pointer panic in WAF detector 
- Add nil checks for detector and regexCache in DetectWAF()
- Add nil check for individual regex entries before MatchString()
- Add comprehensive unit tests for nil pointer scenarios
- Prevents runtime panic when WAF detector encounters nil pointers during regex matching
 2025-08-04 21:12:43 +05:30
Dwi Siswanto
cff86b5c98
fix(events): correct JSON encoder type in ScanStatsWorker (#6366) 
Signed-off-by: Dwi Siswanto <git@dw1.io>
 2025-08-02 21:49:48 -07:00
Ice3man
3d7f995ddc use bounded concurrency for templates loading 2025-08-03 03:53:34 +05:30
Ice3man
5ba21e272a feat: loading templates performance improvements 2025-08-02 15:58:18 +05:30
PDTeamX
b0fe565a8b Merge branch 'main' into dev 2025-08-02 02:06:03 -07:00
poning
3ac3146ef9
fix(offlinehttp): Replace "-" in headers with "_" for DSL variables (#6363) 
* Replace "-" in headers with "_" for DSL variables in passive mode

* test(offlinehttp): adjust haystack & needle in `TestHTTPOperatorExtract`

Signed-off-by: Dwi Siswanto <git@dw1.io>

---------

Signed-off-by: Dwi Siswanto <git@dw1.io>
Co-authored-by: Dwi Siswanto <git@dw1.io>
 2025-08-02 05:35:03 +07:00
Ice3man
06707ea76f
bugfix: preserve original transport for linear http client (#6357) 2025-07-30 21:38:07 +05:30
Štefan Baebler
91adfeb91c
Bump github.com/bytedance/sonic to v1.14.0 for Go 1.25 compatibility (#6348) 
* Bump github.com/bytedance/sonic to v1.14.0  for Go 1.25 compatibility

Fixes #6335
by using https://github.com/bytedance/sonic/releases/tag/v1.14.0

$ go get github.com/bytedance/sonic@v1.14.0 && go mod tidy
go: upgraded github.com/bytedance/sonic v1.13.3 => v1.14.0
go: upgraded github.com/bytedance/sonic/loader v0.2.4 => v0.3.0

* doc(json): update supported plats

Signed-off-by: Dwi Siswanto <git@dw1.io>

---------

Signed-off-by: Dwi Siswanto <git@dw1.io>
Co-authored-by: Dwi Siswanto <git@dw1.io>
 2025-07-28 19:46:44 +07:00
Dogan Can Bakir
5daf84dd6b
Merge pull request #6338 from jishudashen/dev 
chore: fix inconsistent function name in comment
 2025-07-21 11:02:48 +03:00
jishudashen
0337b33490 chore: fix inconsistent function name in comment 
Signed-off-by: jishudashen <jishudashen@foxmail.com>
 2025-07-21 14:13:22 +08:00
Dwi Siswanto
9133e0d2d0
feat(code): log unavail engines as an err while validating (#6326) 
* feat(code): log unavail engines as an err while validating

Signed-off-by: Dwi Siswanto <git@dw1.io>

* chore(chore): i meant highest level

Signed-off-by: Dwi Siswanto <git@dw1.io>

---------

Signed-off-by: Dwi Siswanto <git@dw1.io>
 2025-07-19 00:12:50 +05:30
Ice3man
05f69a6b24
feat: log event for template host skipped during scanning (#6324) 
* feat: log event for template host skipped during scanning

* misc changes
 2025-07-19 00:11:25 +05:30
HD Moore
5b89811b90
Support concurrent Nuclei engines in the same process (#6322) 
* support for concurrent nuclei engines

* clarify LfaAllowed race

* remove unused mutex

* update LfaAllowed logic to prevent races until it can be reworked for per-execution ID

* Update pkg/templates/parser.go

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* debug tests

* debug gh action

* fixig gh template test

* using atomic

* using synclockmap

* restore tests concurrency

* lint

* wiring executionId in js fs

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Mzack9999 <mzack9999@protonmail.com>
 2025-07-19 00:10:58 +05:30
Mzack9999
3e9bee7400
Merge pull request #6321 from hdm/bug/various-race-conditions 
Address race conditions in http.Request and MemGuardian
 2025-07-15 15:19:02 +02:00
HD Moore
875941ce8d avoid data races using mutex for memguardian 2025-07-15 02:34:47 -05:00
HD Moore
6bf3f14798 avoid data races by using request clones 2025-07-15 02:34:29 -05:00
gopherorg
1079498182
refactor: use maps.Copy for cleaner map handling (#6283) 
Signed-off-by: gopherorg <gopherworld@icloud.com>
 2025-07-12 02:50:47 +05:30
Dwi Siswanto
a13ea39461
build(docker): bump builder image golang:1.23-alpine => golang:1.24-alpine (#6316) 
Signed-off-by: Dwi Siswanto <git@dw1.io>
 2025-07-12 02:16:35 +05:30
HD Moore
f26996cb89
Remove singletons from Nuclei engine (continuation of #6210) (#6296) 
* introducing execution id

* wip

* .

* adding separate execution context id

* lint

* vet

* fixing pg dialers

* test ignore

* fixing loader FD limit

* test

* fd fix

* wip: remove CloseProcesses() from dev merge

* wip: fix merge issue

* protocolstate: stop memguarding on last dialer delete

* avoid data race in dialers.RawHTTPClient

* use shared logger and avoid race conditions

* use shared logger and avoid race conditions

* go mod

* patch executionId into compiled template cache

* clean up comment in Parse

* go mod update

* bump echarts

* address merge issues

* fix use of gologger

* switch cmd/nuclei to options.Logger

* address merge issues with go.mod

* go vet: address copy of lock with new Copy function

* fixing tests

* disable speed control

* fix nil ExecuterOptions

* removing deprecated code

* fixing result print

* default logger

* cli default logger

* filter warning from results

* fix performance test

* hardcoding path

* disable upload

* refactor(runner): uses `Warning` instead of `Print` for `pdcpUploadErrMsg`

Signed-off-by: Dwi Siswanto <git@dw1.io>

* Revert "disable upload"

This reverts commit 114fbe6663361bf41cf8b2645fd2d57083d53682.

* Revert "hardcoding path"

This reverts commit cf12ca800e0a0e974bd9fd4826a24e51547f7c00.

---------

Signed-off-by: Dwi Siswanto <git@dw1.io>
Co-authored-by: Mzack9999 <mzack9999@protonmail.com>
Co-authored-by: Dwi Siswanto <git@dw1.io>
Co-authored-by: Dwi Siswanto <25837540+dwisiswant0@users.noreply.github.com>
 2025-07-10 01:17:26 +05:30
Jose De La O Hernandez
285c5e1442
fixing panic caused by uninitialized colorizer (#6315) 2025-07-09 04:34:05 +05:30
Dwi Siswanto
7e2ec686ae
fix(lib): scans didn't stop on ctx cancellation (#6310) 
* fix(lib): scans didn't stop on ctx cancellation

Signed-off-by: Dwi Siswanto <git@dw1.io>

* Update lib/sdk_test.go

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* fix(lib): wait resources to be released b4 return

Signed-off-by: Dwi Siswanto <git@dw1.io>

---------

Signed-off-by: Dwi Siswanto <git@dw1.io>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
 2025-07-09 01:04:16 +07:00