From ba3804107ed22a8554bfe1c3bf25943593328b6c Mon Sep 17 00:00:00 2001
From: Ice3man543 <nizamulrana@gmail.com>
Date: Thu, 1 Jul 2021 16:16:23 +0530
Subject: [PATCH] Fix some exclude conditions for tags

---
 v2/pkg/catalog/loader/filter.go      | 24 +++++++++++++--------
 v2/pkg/catalog/loader/filter_test.go | 31 +++++++++++++++++++---------
 v2/pkg/catalog/loader/loader.go      | 10 ++++++---
 3 files changed, 43 insertions(+), 22 deletions(-)

diff --git a/v2/pkg/catalog/loader/filter.go b/v2/pkg/catalog/loader/filter.go
index 0f3caf44..742b9dcd 100644
--- a/v2/pkg/catalog/loader/filter.go
+++ b/v2/pkg/catalog/loader/filter.go
@@ -1,6 +1,9 @@
 package loader
 
-import "strings"
+import (
+	"errors"
+	"strings"
+)
 
 // tagFilter is used to filter nuclei tag based execution
 type tagFilter struct {
@@ -11,6 +14,9 @@ type tagFilter struct {
 	matchAllows map[string]struct{}
 }
 
+// ErrExcluded is returned for execluded templates
+var ErrExcluded = errors.New("the template was excluded")
+
 // match takes a tag and whether the template was matched from user
 // input and returns true or false using a tag filter.
 //
@@ -19,40 +25,40 @@ type tagFilter struct {
 // matchAllows section.
 //
 // It returns true if the tag is specified, or false.
-func (t *tagFilter) match(tag, author, severity string, templateMatched bool) bool {
+func (t *tagFilter) match(tag, author, severity string, templateMatched bool) (bool, error) {
 	_, ok := t.block[tag]
 	if ok {
 		if _, allowOk := t.matchAllows[tag]; allowOk && templateMatched {
-			return true
+			return true, nil
 		}
-		return false
+		return false, ErrExcluded
 	}
 	matchedAny := false
 	if len(t.allowedTags) > 0 {
 		_, ok = t.allowedTags[tag]
 		if !ok {
-			return false
+			return false, nil
 		}
 		matchedAny = true
 	}
 	if len(t.authors) > 0 {
 		_, ok = t.authors[author]
 		if !ok {
-			return false
+			return false, nil
 		}
 		matchedAny = true
 	}
 	if len(t.severities) > 0 {
 		_, ok = t.severities[severity]
 		if !ok {
-			return false
+			return false, nil
 		}
 		matchedAny = true
 	}
 	if len(t.allowedTags) == 0 && len(t.authors) == 0 && len(t.severities) == 0 {
-		return true
+		return true, nil
 	}
-	return matchedAny
+	return matchedAny, nil
 }
 
 // createTagFilter returns a tag filter for nuclei tag based execution
diff --git a/v2/pkg/catalog/loader/filter_test.go b/v2/pkg/catalog/loader/filter_test.go
index 2535d112..4e9c6c2e 100644
--- a/v2/pkg/catalog/loader/filter_test.go
+++ b/v2/pkg/catalog/loader/filter_test.go
@@ -13,10 +13,12 @@ func TestTagBasedFilter(t *testing.T) {
 	filter := config.createTagFilter()
 
 	t.Run("true", func(t *testing.T) {
-		require.True(t, filter.match("jira", "pdteam", "low", false), "could not get correct match")
+		matched, _ := filter.match("jira", "pdteam", "low", false)
+		require.True(t, matched, "could not get correct match")
 	})
 	t.Run("false", func(t *testing.T) {
-		require.False(t, filter.match("consul", "pdteam", "low", false), "could not get correct match")
+		matched, _ := filter.match("consul", "pdteam", "low", false)
+		require.False(t, matched, "could not get correct match")
 	})
 	t.Run("not-match-excludes", func(t *testing.T) {
 		config := &Config{
@@ -24,7 +26,9 @@ func TestTagBasedFilter(t *testing.T) {
 			ExcludeTags: []string{"dos"},
 		}
 		filter := config.createTagFilter()
-		require.False(t, filter.match("jira", "pdteam", "low", false), "could not get correct match")
+		matched, err := filter.match("dos", "pdteam", "low", false)
+		require.False(t, matched, "could not get correct match")
+		require.Equal(t, ErrExcluded, err, "could not get correct error")
 	})
 	t.Run("match-includes", func(t *testing.T) {
 		config := &Config{
@@ -34,21 +38,24 @@ func TestTagBasedFilter(t *testing.T) {
 		}
 
 		filter := config.createTagFilter()
-		require.False(t, filter.match("fuzz", "pdteam", "low", false), "could not get correct match")
+		matched, _ := filter.match("fuzz", "pdteam", "low", false)
+		require.False(t, matched, "could not get correct match")
 	})
 	t.Run("match-author", func(t *testing.T) {
 		config := &Config{
 			Authors: []string{"pdteam"},
 		}
 		filter := config.createTagFilter()
-		require.True(t, filter.match("fuzz", "pdteam", "low", false), "could not get correct match")
+		matched, _ := filter.match("fuzz", "pdteam", "low", false)
+		require.True(t, matched, "could not get correct match")
 	})
 	t.Run("match-severity", func(t *testing.T) {
 		config := &Config{
 			Severities: []string{"high"},
 		}
 		filter := config.createTagFilter()
-		require.True(t, filter.match("fuzz", "pdteam", "high", false), "could not get correct match")
+		matched, _ := filter.match("fuzz", "pdteam", "high", false)
+		require.True(t, matched, "could not get correct match")
 	})
 	t.Run("match-conditions", func(t *testing.T) {
 		config := &Config{
@@ -57,9 +64,13 @@ func TestTagBasedFilter(t *testing.T) {
 			Severities: []string{"high"},
 		}
 		filter := config.createTagFilter()
-		require.True(t, filter.match("jira", "pdteam", "high", false), "could not get correct match")
-		require.False(t, filter.match("jira", "pdteam", "low", false), "could not get correct match")
-		require.False(t, filter.match("jira", "random", "low", false), "could not get correct match")
-		require.False(t, filter.match("consul", "random", "low", false), "could not get correct match")
+		matched, _ := filter.match("jira", "pdteam", "high", false)
+		require.True(t, matched, "could not get correct match")
+		matched, _ = filter.match("jira", "pdteam", "low", false)
+		require.False(t, matched, "could not get correct match")
+		matched, _ = filter.match("jira", "random", "low", false)
+		require.False(t, matched, "could not get correct match")
+		matched, _ = filter.match("consul", "random", "low", false)
+		require.False(t, matched, "could not get correct match")
 	})
 }
diff --git a/v2/pkg/catalog/loader/loader.go b/v2/pkg/catalog/loader/loader.go
index eed2f90c..561426bd 100644
--- a/v2/pkg/catalog/loader/loader.go
+++ b/v2/pkg/catalog/loader/loader.go
@@ -129,6 +129,7 @@ func (s *Store) Load() {
 		if err != nil {
 			gologger.Warning().Msgf("Could not load workflow %s: %s\n", k, err)
 		}
+
 		if loaded {
 			parsed, err := templates.Parse(k, s.config.ExecutorOptions)
 			if err != nil {
@@ -181,12 +182,15 @@ func (s *Store) loadTemplateParseMetadata(templatePath string, workflow bool) (b
 	authors := strings.Split(types.ToString(author), ",")
 
 	matched := false
-mainLoop:
+
 	for _, tag := range tags {
 		for _, author := range authors {
-			if !matched && s.tagFilter.match(strings.TrimSpace(tag), strings.TrimSpace(author), severityStr, s.templateMatched) {
+			match, err := s.tagFilter.match(strings.TrimSpace(tag), strings.TrimSpace(author), severityStr, s.templateMatched)
+			if err == ErrExcluded {
+				return false, ErrExcluded
+			}
+			if !matched && match && err == nil {
 				matched = true
-				break mainLoop
 			}
 		}
 	}