mirror of
https://github.com/projectdiscovery/nuclei.git
synced 2025-12-17 17:25:28 +00:00
f26996cb89
* introducing execution id * wip * . * adding separate execution context id * lint * vet * fixing pg dialers * test ignore * fixing loader FD limit * test * fd fix * wip: remove CloseProcesses() from dev merge * wip: fix merge issue * protocolstate: stop memguarding on last dialer delete * avoid data race in dialers.RawHTTPClient * use shared logger and avoid race conditions * use shared logger and avoid race conditions * go mod * patch executionId into compiled template cache * clean up comment in Parse * go mod update * bump echarts * address merge issues * fix use of gologger * switch cmd/nuclei to options.Logger * address merge issues with go.mod * go vet: address copy of lock with new Copy function * fixing tests * disable speed control * fix nil ExecuterOptions * removing deprecated code * fixing result print * default logger * cli default logger * filter warning from results * fix performance test * hardcoding path * disable upload * refactor(runner): uses `Warning` instead of `Print` for `pdcpUploadErrMsg` Signed-off-by: Dwi Siswanto <git@dw1.io> * Revert "disable upload" This reverts commit 114fbe6663361bf41cf8b2645fd2d57083d53682. * Revert "hardcoding path" This reverts commit cf12ca800e0a0e974bd9fd4826a24e51547f7c00. --------- Signed-off-by: Dwi Siswanto <git@dw1.io> Co-authored-by: Mzack9999 <mzack9999@protonmail.com> Co-authored-by: Dwi Siswanto <git@dw1.io> Co-authored-by: Dwi Siswanto <25837540+dwisiswant0@users.noreply.github.com>
36 lines
1.1 KiB
Go
36 lines
1.1 KiB
Go
package protocolstate
|
|
|
|
import (
|
|
"strings"
|
|
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/catalog/config"
|
|
errorutil "github.com/projectdiscovery/utils/errors"
|
|
fileutil "github.com/projectdiscovery/utils/file"
|
|
)
|
|
|
|
var (
|
|
// LfaAllowed means local file access is allowed
|
|
LfaAllowed bool
|
|
)
|
|
|
|
// Normalizepath normalizes path and returns absolute path
|
|
// it returns error if path is not allowed
|
|
// this respects the sandbox rules and only loads files from
|
|
// allowed directories
|
|
func NormalizePath(filePath string) (string, error) {
|
|
// TODO: this should be tied to executionID
|
|
if LfaAllowed {
|
|
return filePath, nil
|
|
}
|
|
cleaned, err := fileutil.ResolveNClean(filePath, config.DefaultConfig.GetTemplateDir())
|
|
if err != nil {
|
|
return "", errorutil.NewWithErr(err).Msgf("could not resolve and clean path %v", filePath)
|
|
}
|
|
// only allow files inside nuclei-templates directory
|
|
// even current working directory is not allowed
|
|
if strings.HasPrefix(cleaned, config.DefaultConfig.GetTemplateDir()) {
|
|
return cleaned, nil
|
|
}
|
|
return "", errorutil.New("path %v is outside nuclei-template directory and -lfa is not enabled", filePath)
|
|
}
|