Merge pull request #442 from projectdiscovery/iceman-sandboxed-workflows

Added sandboxed workflows feature + max time limit on workflow execution
dev
PD-Team 2020-12-14 21:00:27 +05:30 committed by GitHub
commit 019c61037c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 6 deletions


@ -14,6 +14,8 @@ import (
// the template requesting process.
// nolint // false positive, options are allocated once and are necessary as is
type Options struct {
MaxWorkflowDuration int // MaxWorkflowDuration is the maximum time a workflow can run for a URL
Sandbox bool // Sandbox mode allows users to run isolated workflows with system commands disabled
Debug bool // Debug mode allows debugging request/responses for the engine
Silent bool // Silent suppresses any extra text and only writes found URLs on screen.
Version bool // Version specifies if we should just show version and exit
@ -66,6 +68,8 @@ func (m *multiStringFlag) Set(value string) error {
func ParseOptions() *Options {
options := &Options{}
flag.BoolVar(&options.Sandbox, "sandbox", false, "Run workflows in isolated sandbox mode")
flag.IntVar(&options.MaxWorkflowDuration, "workflow-duration", 10, "Max time for workflow run on single URL in minutes")
flag.StringVar(&options.Target, "target", "", "Target is a single target to scan using template")
flag.Var(&options.Templates, "t", "Template input dir/file/files to run on host. Can be used multiple times. Supports globbing.")
flag.Var(&options.ExcludedTemplates, "exclude", "Template input dir/file/files to exclude. Can be used multiple times. Supports globbing.")
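Review bot: The new `workflow-duration` value is accepted as given in `ParseOptions`, and nothing visible in this section rejects zero or a negative number. The runner turns it into `time.Duration(r.options.MaxWorkflowDuration)*time.Minute` for `context.WithTimeout`, so a non-positive value would yield an already-expired context and every workflow would fail immediately instead of running without a limit. If option validation elsewhere does not already cover this, add a check such as `if options.MaxWorkflowDuration <= 0 { return errors.New("workflow-duration must be a positive number of minutes") }`. `ParseOptions` continues outside the hunk, so the validation may live further down.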


@ -8,6 +8,7 @@ import (
"path"
"path/filepath"
"strings"
"time"
tengo "github.com/d5/tengo/v2"
"github.com/d5/tengo/v2/stdlib"
@ -28,6 +29,8 @@ type workflowTemplates struct {
Templates []*workflows.Template
}
var sandboxedModules = []string{"math", "text", "rand", "fmt", "json", "base64", "hex", "enum"}
// processTemplateWithList processes a template and runs the enumeration on all the targets
func (r *Runner) processTemplateWithList(p *progress.Progress, template *templates.Template, request interface{}) bool {
var httpExecuter *executer.HTTPExecuter
@ -128,13 +131,11 @@ func (r *Runner) processWorkflowWithList(p *progress.Progress, workflow *workflo
workflowTemplatesList, err := r.preloadWorkflowTemplates(p, workflow)
if err != nil {
gologger.Warningf("Could not preload templates for workflow %s: %s\n", workflow.ID, err)
return result
return false
}
logicBytes := []byte(workflow.Logic)
wg := sizedwaitgroup.New(r.options.BulkSize)
r.hm.Scan(func(k, _ []byte) error {
targetURL := string(k)
wg.Add()
@ -143,10 +144,13 @@ func (r *Runner) processWorkflowWithList(p *progress.Progress, workflow *workflo
defer wg.Done()
script := tengo.NewScript(logicBytes)
if !r.options.Sandbox {
script.SetImports(stdlib.GetModuleMap(stdlib.AllModuleNames()...))
} else {
script.SetImports(stdlib.GetModuleMap(sandboxedModules...))
}
variables := make(map[string]*workflows.NucleiVar)
for _, workflowTemplate := range *workflowTemplatesList {
name := workflowTemplate.Name
variable := &workflows.NucleiVar{Templates: workflowTemplate.Templates, URL: targetURL}
@ -158,7 +162,10 @@ func (r *Runner) processWorkflowWithList(p *progress.Progress, workflow *workflo
variables[name] = variable
}
_, err := script.RunContext(context.Background())
ctx, cancel := context.WithTimeout(context.Background(), time.Duration(r.options.MaxWorkflowDuration)*time.Minute)
defer cancel()
_, err := script.RunContext(ctx)
if err != nil {
gologger.Errorf("Could not execute workflow '%s': %s\n", workflow.ID, err)
}
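Review bot: `sandboxedModules` is the entire isolation boundary when `-sandbox` is set, yet it is an undocumented, mutable package-level slice, and the branch that runs by default still loads `stdlib.AllModuleNames()` because the flag defaults to false. Workflow logic from a template the operator did not write therefore runs with the full tengo standard library unless the operator opts in. I would add a comment above the list, for example `// sandboxedModules is the allowlist of tengo stdlib modules importable in sandbox mode; os is deliberately excluded.`, and flip the condition to `if r.options.Sandbox {` so the restricted path reads first. Consider making sandbox the default in a follow-up, with an explicit flag to unlock the remaining modules. `processWorkflowWithList` starts and ends outside these hunks.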