Disable include directive preprocessing by default (#3045)

* adding strict syntax check

* returning error on disabled preprocessing

* adding check on matchers

v2/internal/runner/runner.go

@@ -54,6 +54,7 @@ import (
 	"github.com/projectdiscovery/nuclei/v2/pkg/types"
 	"github.com/projectdiscovery/nuclei/v2/pkg/utils"
 	"github.com/projectdiscovery/nuclei/v2/pkg/utils/stats"
+	"github.com/projectdiscovery/nuclei/v2/pkg/utils/yaml"
 	yamlwrapper "github.com/projectdiscovery/nuclei/v2/pkg/utils/yaml"
 	"github.com/projectdiscovery/retryablehttp-go"
 	stringsutil "github.com/projectdiscovery/utils/strings"
@@ -109,7 +110,10 @@ func New(options *types.Options) (*Runner, error) {
 		// Does not update the templates when validate flag is used
 		options.NoUpdateTemplates = true
 	}
+
+	// TODO: refactor to pass options reference globally without cycles
 	parsers.NoStrictSyntax = options.NoStrictSyntax
+	yaml.StrictSyntax = !options.NoStrictSyntax
 
 	// parse the runner.options.GithubTemplateRepo and store the valid repos in runner.customTemplateRepos
 	runner.customTemplates = customtemplates.ParseCustomTemplates(runner.options)

v2/pkg/utils/yaml/preprocess.go

@@ -2,6 +2,7 @@ package yaml
 
 import (
 	"bytes"
+	"errors"
 	"os"
 	"regexp"
 	"strings"
@@ -12,10 +13,18 @@ import (
 
 var reImportsPattern = regexp.MustCompile(`(?m)# !include:(.+.yaml)`)
 
+// StrictSyntax determines if pre-processing directives should be observed
+var StrictSyntax bool
+
 // PreProcess all include directives
 func PreProcess(data []byte) ([]byte, error) {
 	// find all matches like !include:path\n
 	importMatches := reImportsPattern.FindAllSubmatch(data, -1)
+	hasImportDirectives := len(importMatches) > 0
+
+	if hasImportDirectives && StrictSyntax {
+		return data, errors.New("include directive preprocessing is disabled")
+	}
 
 	var replaceItems []string