mirror of
https://github.com/projectdiscovery/nuclei.git
synced 2025-12-17 21:35:26 +00:00
0c7bade615
* introducing execution id * wip * . * adding separate execution context id * lint * vet * fixing pg dialers * test ignore * fixing loader FD limit * test * fd fix * wip: remove CloseProcesses() from dev merge * wip: fix merge issue * protocolstate: stop memguarding on last dialer delete * avoid data race in dialers.RawHTTPClient * use shared logger and avoid race conditions * use shared logger and avoid race conditions * go mod * patch executionId into compiled template cache * clean up comment in Parse * go mod update * bump echarts * address merge issues * fix use of gologger * switch cmd/nuclei to options.Logger * address merge issues with go.mod * go vet: address copy of lock with new Copy function * fixing tests * disable speed control * fix nil ExecuterOptions * removing deprecated code * fixing result print * default logger * cli default logger * filter warning from results * fix performance test * hardcoding path * disable upload * refactor(runner): uses `Warning` instead of `Print` for `pdcpUploadErrMsg` Signed-off-by: Dwi Siswanto <git@dw1.io> * Revert "disable upload" This reverts commit 114fbe6663361bf41cf8b2645fd2d57083d53682. * Revert "hardcoding path" This reverts commit cf12ca800e0a0e974bd9fd4826a24e51547f7c00. --------- Signed-off-by: Dwi Siswanto <git@dw1.io> Co-authored-by: Mzack9999 <mzack9999@protonmail.com> Co-authored-by: Dwi Siswanto <git@dw1.io> Co-authored-by: Dwi Siswanto <25837540+dwisiswant0@users.noreply.github.com>
107 lines
3.5 KiB
Go
107 lines
3.5 KiB
Go
package templates
|
|
|
|
import (
|
|
"bytes"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
"sync"
|
|
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/catalog/disk"
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/protocols"
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/protocols/common/protocolinit"
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/protocols/common/protocolstate"
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/templates/extensions"
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/templates/signer"
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/types"
|
|
errorutil "github.com/projectdiscovery/utils/errors"
|
|
)
|
|
|
|
// Due to file references in sensitive fields of template
|
|
// ex: javascript code in flow or bash command in code.Source etc
|
|
// signing / verifying template is only possible after loading the template
|
|
// with these fields resolved
|
|
|
|
var (
|
|
defaultOpts *types.Options = types.DefaultOptions()
|
|
initOnce = sync.OnceFunc(func() {
|
|
_ = protocolstate.Init(defaultOpts)
|
|
_ = protocolinit.Init(defaultOpts)
|
|
})
|
|
ErrNotATemplate = errorutil.NewWithTag("signer", "given filePath is not a template")
|
|
)
|
|
|
|
// UseOptionsForSigner sets the options to use for signing templates
|
|
// instead of default options
|
|
func UseOptionsForSigner(opts *types.Options) {
|
|
defaultOpts = opts
|
|
}
|
|
|
|
// New Signer/Verification logic requires it to load content of file references
|
|
// and this is done respecting sandbox restrictions to avoid any security issues
|
|
// AllowLocalFileAccess is a function that allows local file access by disabling sandbox restrictions
|
|
// and **MUST** be called before signing / verifying any templates for intialization
|
|
func TemplateSignerLFA() {
|
|
defaultOpts.AllowLocalFileAccess = true
|
|
}
|
|
|
|
// VerifyTemplateSignature verifies the signature of the template
|
|
// using default signers
|
|
func VerifyTemplateSignature(templatePath string) (bool, error) {
|
|
template, _, err := getTemplate(templatePath)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
return template.Verified, nil
|
|
}
|
|
|
|
// SignTemplate signs the tempalate using custom signer
|
|
func SignTemplate(templateSigner *signer.TemplateSigner, templatePath string) error {
|
|
// sign templates requires code files such as javsacript bash command to be included
|
|
// in template hence we first load template and append such resolved file references to content
|
|
initOnce()
|
|
|
|
// signing is only supported on yaml nuclei templates
|
|
if !strings.HasSuffix(templatePath, extensions.YAML) {
|
|
return ErrNotATemplate
|
|
}
|
|
|
|
template, bin, err := getTemplate(templatePath)
|
|
if err != nil {
|
|
return errorutil.NewWithErr(err).Msgf("failed to get template from disk")
|
|
}
|
|
if len(template.Workflows) > 0 {
|
|
// signing workflows is not supported at least yet
|
|
return ErrNotATemplate
|
|
}
|
|
if !template.Verified {
|
|
_, content := signer.ExtractSignatureAndContent(bin)
|
|
signatureData, err := templateSigner.Sign(bin, template)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
buff := bytes.NewBuffer(content)
|
|
buff.WriteString("\n" + signatureData)
|
|
return os.WriteFile(templatePath, buff.Bytes(), 0644)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func getTemplate(templatePath string) (*Template, []byte, error) {
|
|
catalog := disk.NewCatalog(filepath.Dir(templatePath))
|
|
executerOpts := &protocols.ExecutorOptions{
|
|
Catalog: catalog,
|
|
Options: defaultOpts,
|
|
TemplatePath: templatePath,
|
|
}
|
|
bin, err := os.ReadFile(templatePath)
|
|
if err != nil {
|
|
return nil, bin, err
|
|
}
|
|
template, err := ParseTemplateFromReader(bytes.NewReader(bin), nil, executerOpts)
|
|
if err != nil {
|
|
return nil, bin, errorutil.NewWithErr(err).Msgf("failed to parse template")
|
|
}
|
|
return template, bin, nil
|
|
}
|