mirror of https://github.com/daffainfo/nuclei.git
Merge pull request #442 from projectdiscovery/iceman-sandboxed-workflows
Added sandboxed workflows feature + max time limit on workflow executiondev
commit
019c61037c
|
@ -14,6 +14,8 @@ import (
|
|||
// the template requesting process.
|
||||
// nolint // false positive, options are allocated once and are necessary as is
|
||||
type Options struct {
|
||||
MaxWorkflowDuration int // MaxWorkflowDuration is the maximum time a workflow can run for a URL
|
||||
Sandbox bool // Sandbox mode allows users to run isolated workflows with system commands disabled
|
||||
Debug bool // Debug mode allows debugging request/responses for the engine
|
||||
Silent bool // Silent suppresses any extra text and only writes found URLs on screen.
|
||||
Version bool // Version specifies if we should just show version and exit
|
||||
|
@ -66,6 +68,8 @@ func (m *multiStringFlag) Set(value string) error {
|
|||
func ParseOptions() *Options {
|
||||
options := &Options{}
|
||||
|
||||
flag.BoolVar(&options.Sandbox, "sandbox", false, "Run workflows in isolated sandbox mode")
|
||||
flag.IntVar(&options.MaxWorkflowDuration, "workflow-duration", 10, "Max time for workflow run on single URL in minutes")
|
||||
flag.StringVar(&options.Target, "target", "", "Target is a single target to scan using template")
|
||||
flag.Var(&options.Templates, "t", "Template input dir/file/files to run on host. Can be used multiple times. Supports globbing.")
|
||||
flag.Var(&options.ExcludedTemplates, "exclude", "Template input dir/file/files to exclude. Can be used multiple times. Supports globbing.")
|
||||
|
|
|
@ -8,6 +8,7 @@ import (
|
|||
"path"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
tengo "github.com/d5/tengo/v2"
|
||||
"github.com/d5/tengo/v2/stdlib"
|
||||
|
@ -28,6 +29,8 @@ type workflowTemplates struct {
|
|||
Templates []*workflows.Template
|
||||
}
|
||||
|
||||
var sandboxedModules = []string{"math", "text", "rand", "fmt", "json", "base64", "hex", "enum"}
|
||||
|
||||
// processTemplateWithList processes a template and runs the enumeration on all the targets
|
||||
func (r *Runner) processTemplateWithList(p *progress.Progress, template *templates.Template, request interface{}) bool {
|
||||
var httpExecuter *executer.HTTPExecuter
|
||||
|
@ -128,13 +131,11 @@ func (r *Runner) processWorkflowWithList(p *progress.Progress, workflow *workflo
|
|||
workflowTemplatesList, err := r.preloadWorkflowTemplates(p, workflow)
|
||||
if err != nil {
|
||||
gologger.Warningf("Could not preload templates for workflow %s: %s\n", workflow.ID, err)
|
||||
return result
|
||||
return false
|
||||
}
|
||||
|
||||
logicBytes := []byte(workflow.Logic)
|
||||
|
||||
wg := sizedwaitgroup.New(r.options.BulkSize)
|
||||
|
||||
r.hm.Scan(func(k, _ []byte) error {
|
||||
targetURL := string(k)
|
||||
wg.Add()
|
||||
|
@ -143,10 +144,13 @@ func (r *Runner) processWorkflowWithList(p *progress.Progress, workflow *workflo
|
|||
defer wg.Done()
|
||||
|
||||
script := tengo.NewScript(logicBytes)
|
||||
if !r.options.Sandbox {
|
||||
script.SetImports(stdlib.GetModuleMap(stdlib.AllModuleNames()...))
|
||||
} else {
|
||||
script.SetImports(stdlib.GetModuleMap(sandboxedModules...))
|
||||
}
|
||||
|
||||
variables := make(map[string]*workflows.NucleiVar)
|
||||
|
||||
for _, workflowTemplate := range *workflowTemplatesList {
|
||||
name := workflowTemplate.Name
|
||||
variable := &workflows.NucleiVar{Templates: workflowTemplate.Templates, URL: targetURL}
|
||||
|
@ -158,7 +162,10 @@ func (r *Runner) processWorkflowWithList(p *progress.Progress, workflow *workflo
|
|||
variables[name] = variable
|
||||
}
|
||||
|
||||
_, err := script.RunContext(context.Background())
|
||||
ctx, cancel := context.WithTimeout(context.Background(), time.Duration(r.options.MaxWorkflowDuration)*time.Minute)
|
||||
defer cancel()
|
||||
|
||||
_, err := script.RunContext(ctx)
|
||||
if err != nil {
|
||||
gologger.Errorf("Could not execute workflow '%s': %s\n", workflow.ID, err)
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue