5731 Commits

Author SHA1 Message Date
PDTeamX
42e884c19d fix(fuzz): restore proper ErrRuleNotApplicable error handling
Fixes fuzzing regression introduced in commit 6a6fa4d3 where
fmt.Errorf was incorrectly used instead of fuzz.ErrRuleNotApplicable.

The issue caused pre-condition filters (like 'method == GET') to fail
because the error type detection was broken. This led to legitimate
fuzzing targets being incorrectly marked as 'not applicable for fuzzing'.

Changes:
- Restore fuzz.ErrRuleNotApplicable() call in executeAllFuzzingRules()
- Ensures proper error type checking with fuzz.IsErrRuleNotApplicable()
- Fixes path-based SQL injection fuzzing and other fuzz templates

Tested with: integration_tests/fuzz/fuzz-path-sqli.yaml
2025-08-20 05:48:13 +05:30
Sandeep Singh
b4644af80a
Lint + test fixes after utils dep update (#6393)
* fix: remove undefined errorutil.ShowStackTrace

* feat: add make lint support and integrate with test

* refactor: migrate errorutil to errkit across codebase

- Replace deprecated errorutil with modern errkit
- Convert error declarations from var to func for better compatibility
- Fix all SA1019 deprecation warnings
- Maintain error chain support and stack traces

* fix: improve DNS test reliability using Google DNS

- Configure test to use Google DNS (8.8.8.8) for stability
- Fix nil pointer issue in DNS client initialization
- Keep production defaults unchanged

* fixing logic

* removing unwanted branches in makefile

---------

Co-authored-by: Mzack9999 <mzack9999@protonmail.com>
2025-08-20 05:28:23 +05:30
Dogan Can Bakir
44eeb5a60b
enable templates for template listing and displaying (#6343) 2025-08-17 01:50:22 +05:30
PDTeamX
e1f8a18d38 dep update + removed unused code 2025-08-16 15:51:32 +05:30
Dwi Siswanto
6a6fa4d38f
feat(fuzz): eval variables (#6358)
* feat(fuzz): eval vars for rule keys & values

Signed-off-by: Dwi Siswanto <git@dw1.io>

* chore: re-fmt fuzzing/dast errors

Signed-off-by: Dwi Siswanto <git@dw1.io>

* test(fuzz): adds `TestEvaluateVariables`

Signed-off-by: Dwi Siswanto <git@dw1.io>

---------

Signed-off-by: Dwi Siswanto <git@dw1.io>
2025-08-16 14:41:22 +05:30
Dwi Siswanto
9fcacd0f86
ci(tests): migrate to golangci-lint v2 (#6380)
* chore: satisfy lints

Signed-off-by: Dwi Siswanto <git@dw1.io>

* ci(tests): migrate to golangci-lint v2

Signed-off-by: Dwi Siswanto <git@dw1.io>

---------

Signed-off-by: Dwi Siswanto <git@dw1.io>
2025-08-16 13:20:09 +07:00
Dwi Siswanto
70eeb6c210
fix: prevent unnecessary template updates (#6379)
* test(installer): adds `TestIsOutdatedVersionFix`

Signed-off-by: Dwi Siswanto <git@dw1.io>

* fix: prevent unnecessary template updates

when version API fails.

* fix `catalog/config.IsOutdatedVersion` logic for
  empty version strings
* add GitHub API fallback when PDTM API is unavail
* only show outdated msg for actual version
  mismatches

Signed-off-by: Dwi Siswanto <git@dw1.io>

---------

Signed-off-by: Dwi Siswanto <git@dw1.io>
2025-08-16 04:50:20 +05:30
ysokolovsky
d569cfe864
fix(headless): merge extra headers (#6376)
* headless: fix extra headers overwrite

* headless: set Accept-Language when no custom headers
2025-08-16 04:48:34 +05:30
dependabot[bot]
89de8a5a59 chore(deps): bump the go_modules group across 1 directory with 2 updates
Bumps the go_modules group with 2 updates in the / directory: [github.com/docker/docker](https://github.com/docker/docker) and [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure).


Updates `github.com/docker/docker` from 27.1.1+incompatible to 28.0.0+incompatible
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v27.1.1...v28.0.0)

Updates `github.com/go-viper/mapstructure/v2` from 2.2.1 to 2.3.0
- [Release notes](https://github.com/go-viper/mapstructure/releases)
- [Changelog](https://github.com/go-viper/mapstructure/blob/main/CHANGELOG.md)
- [Commits](https://github.com/go-viper/mapstructure/compare/v2.2.1...v2.3.0)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-version: 28.0.0+incompatible
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/go-viper/mapstructure/v2
  dependency-version: 2.3.0
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-15 20:52:01 +00:00
Dwi Siswanto
7e95d9a185
build(make): update template-validate cmds (#6385)
Signed-off-by: Dwi Siswanto <git@dw1.io>
2025-08-15 06:05:51 +05:30
Doğan Can Bakır
6996b4ab75
bump version 2025-08-13 19:22:34 -07:00
Ice3man
8ef3662634
Merge pull request #6364 from projectdiscovery/loading-performance-improvements-v2
feat: loading templates performance improvements
2025-08-06 01:58:03 +05:30
Ice3man
1b6ae44bb7 Merge branch 'dev' of https://github.com/projectdiscovery/nuclei into loading-performance-improvements-v2 2025-08-06 01:57:41 +05:30
Ice3man
bba2c3a576
Merge pull request #6368 from projectdiscovery/fix/waf-detector-nil-pointer
fix: prevent nil pointer panic in WAF detector
2025-08-06 01:53:14 +05:30
knakul853
b685d637f3 fix: prevent nil pointer panic in WAF detector
- Add nil checks for detector and regexCache in DetectWAF()
- Add nil check for individual regex entries before MatchString()
- Add comprehensive unit tests for nil pointer scenarios
- Prevents runtime panic when WAF detector encounters nil pointers during regex matching
2025-08-04 21:12:43 +05:30
Dwi Siswanto
cff86b5c98
fix(events): correct JSON encoder type in ScanStatsWorker (#6366)
Signed-off-by: Dwi Siswanto <git@dw1.io>
2025-08-02 21:49:48 -07:00
Ice3man
3d7f995ddc use bounded concurrency for templates loading 2025-08-03 03:53:34 +05:30
Ice3man
5ba21e272a feat: loading templates performance improvements 2025-08-02 15:58:18 +05:30
PDTeamX
b0fe565a8b Merge branch 'main' into dev 2025-08-02 02:06:03 -07:00
poning
3ac3146ef9
fix(offlinehttp): Replace "-" in headers with "_" for DSL variables (#6363)
* Replace "-" in headers with "_" for DSL variables in passive mode

* test(offlinehttp): adjust haystack & needle in `TestHTTPOperatorExtract`

Signed-off-by: Dwi Siswanto <git@dw1.io>

---------

Signed-off-by: Dwi Siswanto <git@dw1.io>
Co-authored-by: Dwi Siswanto <git@dw1.io>
2025-08-02 05:35:03 +07:00
Ice3man
06707ea76f
bugfix: preserve original transport for linear http client (#6357) 2025-07-30 21:38:07 +05:30
Štefan Baebler
91adfeb91c
Bump github.com/bytedance/sonic to v1.14.0 for Go 1.25 compatibility (#6348)
* Bump github.com/bytedance/sonic to v1.14.0 for Go 1.25 compatibility

Fixes #6335
by using https://github.com/bytedance/sonic/releases/tag/v1.14.0

$ go get github.com/bytedance/sonic@v1.14.0 && go mod tidy
go: upgraded github.com/bytedance/sonic v1.13.3 => v1.14.0
go: upgraded github.com/bytedance/sonic/loader v0.2.4 => v0.3.0

* doc(json): update supported plats

Signed-off-by: Dwi Siswanto <git@dw1.io>

---------

Signed-off-by: Dwi Siswanto <git@dw1.io>
Co-authored-by: Dwi Siswanto <git@dw1.io>
2025-07-28 19:46:44 +07:00
Dogan Can Bakir
5daf84dd6b
Merge pull request #6338 from jishudashen/dev
chore: fix inconsistent function name in comment
2025-07-21 11:02:48 +03:00
jishudashen
0337b33490 chore: fix inconsistent function name in comment
Signed-off-by: jishudashen <jishudashen@foxmail.com>
2025-07-21 14:13:22 +08:00
Dwi Siswanto
9133e0d2d0
feat(code): log unavail engines as an err while validating (#6326)
* feat(code): log unavail engines as an err while validating

Signed-off-by: Dwi Siswanto <git@dw1.io>

* chore(chore): i meant highest level

Signed-off-by: Dwi Siswanto <git@dw1.io>

---------

Signed-off-by: Dwi Siswanto <git@dw1.io>
2025-07-19 00:12:50 +05:30
Ice3man
05f69a6b24
feat: log event for template host skipped during scanning (#6324)
* feat: log event for template host skipped during scanning

* misc changes
2025-07-19 00:11:25 +05:30
HD Moore
5b89811b90
Support concurrent Nuclei engines in the same process (#6322)
* support for concurrent nuclei engines

* clarify LfaAllowed race

* remove unused mutex

* update LfaAllowed logic to prevent races until it can be reworked for per-execution ID

* Update pkg/templates/parser.go

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* debug tests

* debug gh action

* fixing gh template test

* using atomic

* using synclockmap

* restore tests concurrency

* lint

* wiring executionId in js fs

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Mzack9999 <mzack9999@protonmail.com>
2025-07-19 00:10:58 +05:30
Mzack9999
3e9bee7400
Merge pull request #6321 from hdm/bug/various-race-conditions
Address race conditions in http.Request and MemGuardian
2025-07-15 15:19:02 +02:00
HD Moore
875941ce8d avoid data races using mutex for memguardian 2025-07-15 02:34:47 -05:00
HD Moore
6bf3f14798 avoid data races by using request clones 2025-07-15 02:34:29 -05:00
gopherorg
1079498182
refactor: use maps.Copy for cleaner map handling (#6283)
Signed-off-by: gopherorg <gopherworld@icloud.com>
2025-07-12 02:50:47 +05:30
Dwi Siswanto
a13ea39461
build(docker): bump builder image golang:1.23-alpine => golang:1.24-alpine (#6316)
Signed-off-by: Dwi Siswanto <git@dw1.io>
2025-07-12 02:16:35 +05:30
HD Moore
f26996cb89
Remove singletons from Nuclei engine (continuation of #6210) (#6296)
* introducing execution id

* wip

* .

* adding separate execution context id

* lint

* vet

* fixing pg dialers

* test ignore

* fixing loader FD limit

* test

* fd fix

* wip: remove CloseProcesses() from dev merge

* wip: fix merge issue

* protocolstate: stop memguarding on last dialer delete

* avoid data race in dialers.RawHTTPClient

* use shared logger and avoid race conditions

* use shared logger and avoid race conditions

* go mod

* patch executionId into compiled template cache

* clean up comment in Parse

* go mod update

* bump echarts

* address merge issues

* fix use of gologger

* switch cmd/nuclei to options.Logger

* address merge issues with go.mod

* go vet: address copy of lock with new Copy function

* fixing tests

* disable speed control

* fix nil ExecuterOptions

* removing deprecated code

* fixing result print

* default logger

* cli default logger

* filter warning from results

* fix performance test

* hardcoding path

* disable upload

* refactor(runner): uses `Warning` instead of `Print` for `pdcpUploadErrMsg`

Signed-off-by: Dwi Siswanto <git@dw1.io>

* Revert "disable upload"

This reverts commit 114fbe6663361bf41cf8b2645fd2d57083d53682.

* Revert "hardcoding path"

This reverts commit cf12ca800e0a0e974bd9fd4826a24e51547f7c00.

---------

Signed-off-by: Dwi Siswanto <git@dw1.io>
Co-authored-by: Mzack9999 <mzack9999@protonmail.com>
Co-authored-by: Dwi Siswanto <git@dw1.io>
Co-authored-by: Dwi Siswanto <25837540+dwisiswant0@users.noreply.github.com>
2025-07-10 01:17:26 +05:30
Jose De La O Hernandez
285c5e1442
fixing panic caused by uninitialized colorizer (#6315) 2025-07-09 04:34:05 +05:30
Dwi Siswanto
7e2ec686ae
fix(lib): scans didn't stop on ctx cancellation (#6310)
* fix(lib): scans didn't stop on ctx cancellation

Signed-off-by: Dwi Siswanto <git@dw1.io>

* Update lib/sdk_test.go

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* fix(lib): wait resources to be released b4 return

Signed-off-by: Dwi Siswanto <git@dw1.io>

---------

Signed-off-by: Dwi Siswanto <git@dw1.io>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
2025-07-09 01:04:16 +07:00
Mzack9999
3991cc6ec1
Merge pull request #6311 from projectdiscovery/dwisiswant0/chore/config/rm-deprecated-codes-and-calls
chore(config): rm deprecated codes and calls
2025-07-08 15:45:25 +02:00
dependabot[bot]
b756b2706f
chore(deps): bump the modules group with 3 updates (#6305)
Bumps the modules group with 3 updates: [github.com/projectdiscovery/retryablehttp-go](https://github.com/projectdiscovery/retryablehttp-go), [github.com/projectdiscovery/wappalyzergo](https://github.com/projectdiscovery/wappalyzergo) and [github.com/projectdiscovery/cdncheck](https://github.com/projectdiscovery/cdncheck).


Updates `github.com/projectdiscovery/retryablehttp-go` from 1.0.116 to 1.0.117
- [Release notes](https://github.com/projectdiscovery/retryablehttp-go/releases)
- [Commits](https://github.com/projectdiscovery/retryablehttp-go/compare/v1.0.116...v1.0.117)

Updates `github.com/projectdiscovery/wappalyzergo` from 0.2.35 to 0.2.36
- [Release notes](https://github.com/projectdiscovery/wappalyzergo/releases)
- [Commits](https://github.com/projectdiscovery/wappalyzergo/compare/v0.2.35...v0.2.36)

Updates `github.com/projectdiscovery/cdncheck` from 1.1.15 to 1.1.26
- [Release notes](https://github.com/projectdiscovery/cdncheck/releases)
- [Changelog](https://github.com/projectdiscovery/cdncheck/blob/main/.goreleaser.yaml)
- [Commits](https://github.com/projectdiscovery/cdncheck/compare/v1.1.15...v1.1.26)

---
updated-dependencies:
- dependency-name: github.com/projectdiscovery/retryablehttp-go
  dependency-version: 1.0.117
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/wappalyzergo
  dependency-version: 0.2.36
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/cdncheck
  dependency-version: 1.1.26
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: modules
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-07-08 17:57:09 +07:00
Dwi Siswanto
bd5864dbb5
chore(config): rm deprecated codes and calls
Signed-off-by: Dwi Siswanto <git@dw1.io>
2025-07-08 17:35:55 +07:00
Mzack9999
13754956ff
Merge pull request #6307 from projectdiscovery/6297-bugfix-tablewriter-memory-leak
bumping version + memory cleanup
2025-07-07 20:13:59 +02:00
Mzack9999
87de71dee9 bumping version + memory cleanup 2025-07-07 18:12:50 +02:00
alban-stourbe-wmx
eccd90d53c
fix(headless): Variables are now available into headless template (#6301)
* fix(headless): variables now available into simple headless template

* chore: erase debug logs
2025-07-04 21:51:09 +07:00
sandeep
4190559e8d Merge remote-tracking branch 'origin' v3.4.7 2025-07-01 21:17:40 +07:00
sandeep
84a76b3d4e version bump 2025-07-01 21:17:21 +07:00
Dwi Siswanto
a18a386d12
build: downgraded github.com/zmap/zgrab2 v0.2.0 => v0.1.8 (#6295)
Signed-off-by: Dwi Siswanto <git@dw1.io>
2025-07-01 21:00:13 +07:00
dependabot[bot]
5f2082cf34 chore(deps): bump the go_modules group across 1 directory with 3 updates
Bumps the go_modules group with 3 updates in the / directory: [github.com/gin-gonic/gin](https://github.com/gin-gonic/gin), [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure) and [github.com/golang-jwt/jwt/v4](https://github.com/golang-jwt/jwt).


Updates `github.com/gin-gonic/gin` from 1.9.0 to 1.9.1
- [Release notes](https://github.com/gin-gonic/gin/releases)
- [Changelog](https://github.com/gin-gonic/gin/blob/master/CHANGELOG.md)
- [Commits](https://github.com/gin-gonic/gin/compare/v1.9.0...v1.9.1)

Updates `github.com/go-viper/mapstructure/v2` from 2.2.1 to 2.3.0
- [Release notes](https://github.com/go-viper/mapstructure/releases)
- [Changelog](https://github.com/go-viper/mapstructure/blob/main/CHANGELOG.md)
- [Commits](https://github.com/go-viper/mapstructure/compare/v2.2.1...v2.3.0)

Updates `github.com/golang-jwt/jwt/v4` from 4.5.0 to 4.5.2
- [Release notes](https://github.com/golang-jwt/jwt/releases)
- [Changelog](https://github.com/golang-jwt/jwt/blob/main/VERSION_HISTORY.md)
- [Commits](https://github.com/golang-jwt/jwt/compare/v4.5.0...v4.5.2)

---
updated-dependencies:
- dependency-name: github.com/gin-gonic/gin
  dependency-version: 1.9.1
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/go-viper/mapstructure/v2
  dependency-version: 2.3.0
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: github.com/golang-jwt/jwt/v4
  dependency-version: 4.5.2
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-01 13:14:02 +00:00
sandeep
ad7066133c Merge remote-tracking branch 'origin' v3.4.6 2025-07-01 00:48:57 +07:00
sandeep
db916199c2 Bump version to v3.4.6 2025-07-01 00:48:41 +07:00
Dwi Siswanto
87ed0b2bb9
build: bump all direct modules (#6290)
* chore: fix non-constant fmt string in call

Signed-off-by: Dwi Siswanto <git@dw1.io>

* build: bump all direct modules

Signed-off-by: Dwi Siswanto <git@dw1.io>

* chore(hosterrorscache): update import path

Signed-off-by: Dwi Siswanto <git@dw1.io>

* fix(charts): break changes

Signed-off-by: Dwi Siswanto <git@dw1.io>

* build: pinned `github.com/zmap/zcrypto` to v0.0.0-20240512203510-0fef58d9a9db

Signed-off-by: Dwi Siswanto <git@dw1.io>

* chore: golangci-lint auto fixes

Signed-off-by: Dwi Siswanto <git@dw1.io>

* chore: satisfy lints

Signed-off-by: Dwi Siswanto <git@dw1.io>

* build: migrate `github.com/xanzy/go-gitlab` => `gitlab.com/gitlab-org/api/client-go`

Signed-off-by: Dwi Siswanto <git@dw1.io>

* feat(json): update build constraints

Signed-off-by: Dwi Siswanto <git@dw1.io>

* chore: don't panic on close err

Signed-off-by: Dwi Siswanto <git@dw1.io>

---------

Signed-off-by: Dwi Siswanto <git@dw1.io>
2025-07-01 00:40:44 +07:00
Tarun Koyalwar
2b729e4037
fix context leak in flow (#6282)
* fix context leak in flow

* handle sizedwaitpool when not reused
2025-06-30 16:43:00 +07:00
Cho hyun-sik
7b1a02710e
docs: refine Bug Bounty hunter section in Korean docs (#6287) 2025-06-28 02:08:44 +05:30