Fix some exclude conditions for tags

dev
Ice3man543 2021-07-01 16:16:23 +05:30
parent dff76e9cd2
commit ba3804107e
3 changed files with 43 additions and 22 deletions


@ -1,6 +1,9 @@
package loader
import "strings"
import (
"errors"
"strings"
)
// tagFilter is used to filter nuclei tag based execution
type tagFilter struct {
@ -11,6 +14,9 @@ type tagFilter struct {
matchAllows map[string]struct{}
}
// ErrExcluded is returned for execluded templates
var ErrExcluded = errors.New("the template was excluded")
// match takes a tag and whether the template was matched from user
// input and returns true or false using a tag filter.
//
@ -19,40 +25,40 @@ type tagFilter struct {
// matchAllows section.
//
// It returns true if the tag is specified, or false.
func (t *tagFilter) match(tag, author, severity string, templateMatched bool) bool {
func (t *tagFilter) match(tag, author, severity string, templateMatched bool) (bool, error) {
_, ok := t.block[tag]
if ok {
if _, allowOk := t.matchAllows[tag]; allowOk && templateMatched {
return true
return true, nil
}
return false
return false, ErrExcluded
}
matchedAny := false
if len(t.allowedTags) > 0 {
_, ok = t.allowedTags[tag]
if !ok {
return false
return false, nil
}
matchedAny = true
}
if len(t.authors) > 0 {
_, ok = t.authors[author]
if !ok {
return false
return false, nil
}
matchedAny = true
}
if len(t.severities) > 0 {
_, ok = t.severities[severity]
if !ok {
return false
return false, nil
}
matchedAny = true
}
if len(t.allowedTags) == 0 && len(t.authors) == 0 && len(t.severities) == 0 {
return true
return true, nil
}
return matchedAny
return matchedAny, nil
}
// createTagFilter returns a tag filter for nuclei tag based execution


@ -13,10 +13,12 @@ func TestTagBasedFilter(t *testing.T) {
filter := config.createTagFilter()
t.Run("true", func(t *testing.T) {
require.True(t, filter.match("jira", "pdteam", "low", false), "could not get correct match")
matched, _ := filter.match("jira", "pdteam", "low", false)
require.True(t, matched, "could not get correct match")
})
t.Run("false", func(t *testing.T) {
require.False(t, filter.match("consul", "pdteam", "low", false), "could not get correct match")
matched, _ := filter.match("consul", "pdteam", "low", false)
require.False(t, matched, "could not get correct match")
})
t.Run("not-match-excludes", func(t *testing.T) {
config := &Config{
@ -24,7 +26,9 @@ func TestTagBasedFilter(t *testing.T) {
ExcludeTags: []string{"dos"},
}
filter := config.createTagFilter()
require.False(t, filter.match("jira", "pdteam", "low", false), "could not get correct match")
matched, err := filter.match("dos", "pdteam", "low", false)
require.False(t, matched, "could not get correct match")
require.Equal(t, ErrExcluded, err, "could not get correct error")
})
t.Run("match-includes", func(t *testing.T) {
config := &Config{
@ -34,21 +38,24 @@ func TestTagBasedFilter(t *testing.T) {
}
filter := config.createTagFilter()
require.False(t, filter.match("fuzz", "pdteam", "low", false), "could not get correct match")
matched, _ := filter.match("fuzz", "pdteam", "low", false)
require.False(t, matched, "could not get correct match")
})
t.Run("match-author", func(t *testing.T) {
config := &Config{
Authors: []string{"pdteam"},
}
filter := config.createTagFilter()
require.True(t, filter.match("fuzz", "pdteam", "low", false), "could not get correct match")
matched, _ := filter.match("fuzz", "pdteam", "low", false)
require.True(t, matched, "could not get correct match")
})
t.Run("match-severity", func(t *testing.T) {
config := &Config{
Severities: []string{"high"},
}
filter := config.createTagFilter()
require.True(t, filter.match("fuzz", "pdteam", "high", false), "could not get correct match")
matched, _ := filter.match("fuzz", "pdteam", "high", false)
require.True(t, matched, "could not get correct match")
})
t.Run("match-conditions", func(t *testing.T) {
config := &Config{
@ -57,9 +64,13 @@ func TestTagBasedFilter(t *testing.T) {
Severities: []string{"high"},
}
filter := config.createTagFilter()
require.True(t, filter.match("jira", "pdteam", "high", false), "could not get correct match")
require.False(t, filter.match("jira", "pdteam", "low", false), "could not get correct match")
require.False(t, filter.match("jira", "random", "low", false), "could not get correct match")
require.False(t, filter.match("consul", "random", "low", false), "could not get correct match")
matched, _ := filter.match("jira", "pdteam", "high", false)
require.True(t, matched, "could not get correct match")
matched, _ = filter.match("jira", "pdteam", "low", false)
require.False(t, matched, "could not get correct match")
matched, _ = filter.match("jira", "random", "low", false)
require.False(t, matched, "could not get correct match")
matched, _ = filter.match("consul", "random", "low", false)
require.False(t, matched, "could not get correct match")
})
}
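Review bot: Every subtest except "not-match-excludes" discards the second result with `matched, _ :=`, so nothing pins that an ordinary non-match returns a nil error. That matters because the loader change in this commit rejects the whole template on `ErrExcluded`; a regression that returned it from the allowed-tags, author or severity branches would still pass here. In the subtests that expect a plain non-match (the "false" case and the negative assertions in "match-conditions", as far as the visible config shows) I would keep the error and add `require.NoError(t, err, "non-excluded tag must not report exclusion")`. `require.ErrorIs(t, err, ErrExcluded)` would also hold up better than `require.Equal` if the error is ever wrapped. TestTagBasedFilter begins above the first hunk, so the configuration used by the first two subtests is not visible.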


@ -129,6 +129,7 @@ func (s *Store) Load() {
if err != nil {
gologger.Warning().Msgf("Could not load workflow %s: %s\n", k, err)
}
if loaded {
parsed, err := templates.Parse(k, s.config.ExecutorOptions)
if err != nil {
@ -181,12 +182,15 @@ func (s *Store) loadTemplateParseMetadata(templatePath string, workflow bool) (b
authors := strings.Split(types.ToString(author), ",")
matched := false
mainLoop:
for _, tag := range tags {
for _, author := range authors {
if !matched && s.tagFilter.match(strings.TrimSpace(tag), strings.TrimSpace(author), severityStr, s.templateMatched) {
match, err := s.tagFilter.match(strings.TrimSpace(tag), strings.TrimSpace(author), severityStr, s.templateMatched)
if err == ErrExcluded {
return false, ErrExcluded
}
if !matched && match && err == nil {
matched = true
break mainLoop
}
}
}
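Review bot: The exclusion check only sees tags visited before the first match, because `break mainLoop` leaves both loops as soon as one tag/author pair matches. With tags ordered `jira,dos` and `dos` excluded (and `jira` otherwise selected), `match` is never called for `dos` and the template is accepted, while `dos,jira` is rejected. Exclude tags are what keep unwanted templates out of a run, so the outcome should not depend on tag order: drop `break mainLoop` and the then-unused `mainLoop:` label so every pair is checked; the existing `!matched` guard already records the first match. `errors.Is(err, ErrExcluded)` would be sturdier than `err == ErrExcluded` should the error ever be wrapped. loadTemplateParseMetadata starts and ends outside the hunk, so how `matched` is used afterwards is not shown.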