From c9ef70f349299576ae8e6a7eef2075059eaab6e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Do=C4=9Fan=20Can=20Bak=C4=B1r?=
Date: Thu, 22 Jun 2023 15:47:33 +0300
Subject: [PATCH 1/5] add no-sandbox flag
---
 README.md | 2 +-
 v2/cmd/nuclei/main.go | 2 +-
 v2/pkg/protocols/common/protocolstate/state.go | 3 ++-
 v2/pkg/protocols/dns/dns.go | 2 +-
 v2/pkg/protocols/headless/headless.go | 2 +-
 v2/pkg/protocols/http/http.go | 2 +-
 v2/pkg/protocols/network/network.go | 2 +-
 v2/pkg/protocols/websocket/websocket.go | 2 +-
 v2/pkg/types/types.go | 2 +-
 9 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index 12457a7040..0a6805295f 100644
--- a/README.md
+++ b/README.md
@@ -185,7 +185,7 @@ CONFIGURATIONS:
 -sml, -show-match-line show match lines for file templates, works with extractors only
 -ztls use ztls library with autofallback to standard one for tls13
 -sni string tls sni hostname to use (default: input domain name)
- -sandbox sandbox nuclei for safe templates execution
+ -no-sandbox disables sandbox(default) mode of nuclei for safe templates execution
 -i, -interface string network interface to use for network scan
 -at, -attack-type string type of payload combinations to perform (batteringram,pitchfork,clusterbomb)
 -sip, -source-ip string source ip address to use for network scan
diff --git a/v2/cmd/nuclei/main.go b/v2/cmd/nuclei/main.go
index 28d1d534f1..f07a89f955 100644
--- a/v2/cmd/nuclei/main.go
+++ b/v2/cmd/nuclei/main.go
@@ -202,7 +202,7 @@ on extensive configurability, massive extensibility and ease of use.`)
 flagSet.BoolVarP(&options.ShowMatchLine, "show-match-line", "sml", false, "show match lines for file templates, works with extractors only"),
 flagSet.BoolVar(&options.ZTLS, "ztls", false, "use ztls library with autofallback to standard one for tls13"),
 flagSet.StringVar(&options.SNI, "sni", "", "tls sni hostname to use (default: input domain name)"),
- flagSet.BoolVar(&options.Sandbox, "sandbox", false, "sandbox nuclei for safe templates execution"),
+ flagSet.BoolVar(&options.NoSandbox, "no-sandbox", false, "disables sandbox(default) mode of nuclei for safe templates execution"),
 flagSet.StringVarP(&options.Interface, "interface", "i", "", "network interface to use for network scan"),
 flagSet.StringVarP(&options.AttackType, "attack-type", "at", "", "type of payload combinations to perform (batteringram,pitchfork,clusterbomb)"),
 flagSet.StringVarP(&options.SourceIP, "source-ip", "sip", "", "source ip address to use for network scan"),
diff --git a/v2/pkg/protocols/common/protocolstate/state.go b/v2/pkg/protocols/common/protocolstate/state.go
index b4662aedab..dc67ee2631 100644
--- a/v2/pkg/protocols/common/protocolstate/state.go
+++ b/v2/pkg/protocols/common/protocolstate/state.go
@@ -91,9 +91,10 @@ func Init(options *types.Options) error {
 if options.ResolversFile != "" {
 opts.BaseResolvers = options.InternalResolversList
 }
- if options.Sandbox {
+ if !options.NoSandbox {
 opts.Deny = append(networkpolicy.DefaultIPv4DenylistRanges, networkpolicy.DefaultIPv6DenylistRanges...)
 }
+ opts.WithDialerHistory = true
 opts.WithZTLS = options.ZTLS
 opts.SNIName = options.SNI
diff --git a/v2/pkg/protocols/dns/dns.go b/v2/pkg/protocols/dns/dns.go
index dad2ef7501..2ff89ab1e3 100644
--- a/v2/pkg/protocols/dns/dns.go
+++ b/v2/pkg/protocols/dns/dns.go
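Review bot: The new help string `"disables sandbox(default) mode of nuclei for safe templates execution"` on the `-no-sandbox` line is hard to parse, and the same wording is copied into the README hunk; something like `"disable the sandbox (enabled by default) for safe template execution"` reads cleanly and matches the lowercase imperative style of the neighbouring flags. Dropping the `-sandbox` name outright also means any existing invocation or wrapper script passing `-sandbox` now fails flag parsing; since sandboxing is now the default, keeping `-sandbox` accepted as a no-op for one release would make the transition painless. The surrounding flag list continues outside the hunk.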
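Review bot: `opts.WithDialerHistory = true` is added unconditionally in the state.go hunk and has nothing to do with the no-sandbox flag named in the subject; it changes dialer behaviour for every run, sandboxed or not, and deserves either its own commit or a comment explaining why it is needed here. The inverted condition itself is correct, `!options.NoSandbox` keeps the default denylist applied unless the user opts out, so a short comment such as `// sandboxed unless explicitly disabled: apply networkpolicy's default IPv4/IPv6 denylist` would make the polarity obvious to the next reader. Init's body continues outside the hunk.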
@@ -172,7 +172,7 @@ func (request *Request) Compile(options *protocols.ExecutorOptions) error {
 }
 if len(request.Payloads) > 0 {
- request.generator, err = generators.New(request.Payloads, request.AttackType.Value, request.options.TemplatePath, request.options.Options.Sandbox, request.options.Catalog, request.options.Options.AttackType)
+ request.generator, err = generators.New(request.Payloads, request.AttackType.Value, request.options.TemplatePath, !request.options.Options.NoSandbox, request.options.Catalog, request.options.Options.AttackType)
 if err != nil {
 return errors.Wrap(err, "could not parse payloads")
 }
diff --git a/v2/pkg/protocols/headless/headless.go b/v2/pkg/protocols/headless/headless.go
index d4ba60b4fc..d261d94097 100644
--- a/v2/pkg/protocols/headless/headless.go
+++ b/v2/pkg/protocols/headless/headless.go
@@ -102,7 +102,7 @@ func (request *Request) Compile(options *protocols.ExecutorOptions) error {
 if len(request.Payloads) > 0 {
 var err error
- request.generator, err = generators.New(request.Payloads, request.AttackType.Value, options.TemplatePath, options.Options.Sandbox, options.Catalog, options.Options.AttackType)
+ request.generator, err = generators.New(request.Payloads, request.AttackType.Value, options.TemplatePath, !options.Options.NoSandbox, options.Catalog, options.Options.AttackType)
 if err != nil {
 return errors.Wrap(err, "could not parse payloads")
 }
diff --git a/v2/pkg/protocols/http/http.go b/v2/pkg/protocols/http/http.go
index 99afe8c49c..5ac104da05 100644
--- a/v2/pkg/protocols/http/http.go
+++ b/v2/pkg/protocols/http/http.go
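Review bot: This hunk, and the matching ones in headless.go, http.go, network.go and websocket.go, now pass `!...Options.NoSandbox` as an unnamed positional bool in the middle of a six-argument `generators.New` call; a negated flag in that position is easy to misread and easy to invert silently the next time the signature changes. Computing it once with a named local, e.g. `sandbox := !request.options.Options.NoSandbox` just before the call, or adding a small accessor such as `func (o *Options) Sandboxed() bool { return !o.NoSandbox }` on types.Options and using it at all five sites, keeps the polarity visible where it matters. Compile's body starts and ends outside the hunk.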
@@ -353,7 +353,7 @@ func (request *Request) Compile(options *protocols.ExecutorOptions) error {
 }
 if len(request.Payloads) > 0 {
- request.generator, err = generators.New(request.Payloads, request.AttackType.Value, request.options.TemplatePath, request.options.Options.Sandbox, request.options.Catalog, request.options.Options.AttackType)
+ request.generator, err = generators.New(request.Payloads, request.AttackType.Value, request.options.TemplatePath, !request.options.Options.NoSandbox, request.options.Catalog, request.options.Options.AttackType)
 if err != nil {
 return errors.Wrap(err, "could not parse payloads")
 }
diff --git a/v2/pkg/protocols/network/network.go b/v2/pkg/protocols/network/network.go
index 86292a16c2..51019944ec 100644
--- a/v2/pkg/protocols/network/network.go
+++ b/v2/pkg/protocols/network/network.go
@@ -184,7 +184,7 @@ func (request *Request) Compile(options *protocols.ExecutorOptions) error {
 }
 if len(request.Payloads) > 0 {
- request.generator, err = generators.New(request.Payloads, request.AttackType.Value, request.options.TemplatePath, request.options.Options.Sandbox, request.options.Catalog, request.options.Options.AttackType)
+ request.generator, err = generators.New(request.Payloads, request.AttackType.Value, request.options.TemplatePath, !request.options.Options.NoSandbox, request.options.Catalog, request.options.Options.AttackType)
 if err != nil {
 return errors.Wrap(err, "could not parse payloads")
 }
diff --git a/v2/pkg/protocols/websocket/websocket.go b/v2/pkg/protocols/websocket/websocket.go
index e5f03696f7..0c98e499e8 100644
--- a/v2/pkg/protocols/websocket/websocket.go
+++ b/v2/pkg/protocols/websocket/websocket.go
@@ -106,7 +106,7 @@ func (request *Request) Compile(options *protocols.ExecutorOptions) error {
 request.dialer = client
 if len(request.Payloads) > 0 {
- request.generator, err = generators.New(request.Payloads, request.AttackType.Value, request.options.TemplatePath, request.options.Options.Sandbox, options.Catalog, options.Options.AttackType)
+ request.generator, err = generators.New(request.Payloads, request.AttackType.Value, request.options.TemplatePath, !request.options.Options.NoSandbox, options.Catalog, options.Options.AttackType)
 if err != nil {
 return errors.Wrap(err, "could not parse payloads")
 }
diff --git a/v2/pkg/types/types.go b/v2/pkg/types/types.go
index 0e9bacf656..e587d8ddbb 100644
--- a/v2/pkg/types/types.go
+++ b/v2/pkg/types/types.go
@@ -277,7 +277,7 @@ type Options struct {
 // Use ZTLS library
 ZTLS bool
 // Sandbox enables sandboxed nuclei template execution
- Sandbox bool
+ NoSandbox bool
 // ShowMatchLine enables display of match line number
 ShowMatchLine bool
 // EnablePprof enables exposing pprof runtime information with a webserver.
From 94f543f86ab4dae7d3b51f472d2762007d247325 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Do=C4=9Fan=20Can=20Bak=C4=B1r?=
Date: Thu, 22 Jun 2023 16:48:16 +0300
Subject: [PATCH 2/5] run tests with no-sandbox mode
---
 v2/pkg/testutils/testutils.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/v2/pkg/testutils/testutils.go b/v2/pkg/testutils/testutils.go
index 93a2e4c7b8..fcc5c2e54d 100644
--- a/v2/pkg/testutils/testutils.go
+++ b/v2/pkg/testutils/testutils.go
@@ -66,6 +66,7 @@ var DefaultOptions = &types.Options{
 InteractionsPollDuration: 5,
 GithubTemplateRepo: []string{},
 GithubToken: "",
+ NoSandbox: true,
 }
 // TemplateInfo contains info for a mock executed template.
From 39745248143a9670833c88f21e1d6a0213266a76 Mon Sep 17 00:00:00 2001
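Review bot: Setting `NoSandbox: true` in the shared `DefaultOptions` of testutils.go means every unit test built on it now runs unsandboxed, so the default-denylist path configured in protocolstate.Init is no longer exercised by those tests; at least one test should build options with `NoSandbox` left false and check that the deny ranges are applied. A why-comment on the field would also help, e.g. `// NoSandbox: presumably the mock servers the tests talk to fall inside the default denylist — confirm`, since the reason is not visible in this hunk. The DefaultOptions literal starts outside the hunk.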
From: =?UTF-8?q?Do=C4=9Fan=20Can=20Bak=C4=B1r?=
Date: Mon, 3 Jul 2023 08:54:26 +0000
Subject: [PATCH 3/5] fix failing integration tests
---
 v2/cmd/integration-test/code.go | 1 +
 v2/pkg/testutils/integration.go | 1 +
 2 files changed, 2 insertions(+)
diff --git a/v2/cmd/integration-test/code.go b/v2/cmd/integration-test/code.go
index 6835f86b24..4c27eca614 100644
--- a/v2/cmd/integration-test/code.go
+++ b/v2/cmd/integration-test/code.go
@@ -82,6 +82,7 @@ func executeNucleiAsCode(templatePath, templateURL string) ([]string, error) {
 }
 defaultOpts := types.DefaultOptions()
+ defaultOpts.NoSandbox = true
 _ = protocolstate.Init(defaultOpts)
 _ = protocolinit.Init(defaultOpts)
diff --git a/v2/pkg/testutils/integration.go b/v2/pkg/testutils/integration.go
index b3a90c5d0c..a602ada89a 100644
--- a/v2/pkg/testutils/integration.go
+++ b/v2/pkg/testutils/integration.go
@@ -52,6 +52,7 @@ func RunNucleiBareArgsAndGetResults(debug bool, extra ...string) ([]string, erro
 cmd.Args = append(cmd.Args, "-duc") // disable auto updates
 cmd.Args = append(cmd.Args, "-interactions-poll-duration", "1")
 cmd.Args = append(cmd.Args, "-interactions-cooldown-period", "10")
+ cmd.Args = append(cmd.Args, "-no-sandbox", "true")
 if debug {
 cmd.Args = append(cmd.Args, "-debug")
 cmd.Stderr = os.Stderr
From 9603039418f3dcdcc6962f9a0510e4ad158dbd3a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Do=C4=9Fan=20Can=20Bak=C4=B1r?=
Date: Mon, 3 Jul 2023 09:47:53 +0000
Subject: [PATCH 4/5] fix failing tests
---
 v2/pkg/protocols/headless/engine/page_actions_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/v2/pkg/protocols/headless/engine/page_actions_test.go b/v2/pkg/protocols/headless/engine/page_actions_test.go
index 78602b4aca..73bdbae788 100644
--- a/v2/pkg/protocols/headless/engine/page_actions_test.go
+++ b/v2/pkg/protocols/headless/engine/page_actions_test.go
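Review bot: `cmd.Args = append(cmd.Args, "-no-sandbox", "true")` in the integration.go hunk passes the value as a separate argument, which Go's standard flag package does not accept for boolean flags: `-no-sandbox` is consumed on its own and `"true"` is left over as a positional argument. If goflags follows that rule, the line should be `cmd.Args = append(cmd.Args, "-no-sandbox")`, matching how `-duc` and `-debug` are passed in the same hunk; the current form only works if the stray positional happens to be ignored. RunNucleiBareArgsAndGetResults continues outside the hunk.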
@@ -551,9 +551,9 @@ func testHeadlessSimpleResponse(t *testing.T, response string, actions []*Action
 func testHeadless(t *testing.T, actions []*Action, timeout time.Duration, handler func(w http.ResponseWriter, r *http.Request), assert func(page *Page, pageErr error, extractedData map[string]string)) {
 t.Helper()
- _ = protocolstate.Init(&types.Options{})
+ _ = protocolstate.Init(&types.Options{NoSandbox: true})
- browser, err := New(&types.Options{ShowBrowser: false, UseInstalledChrome: testheadless.HeadlessLocal})
+ browser, err := New(&types.Options{ShowBrowser: false, UseInstalledChrome: testheadless.HeadlessLocal, NoSandbox: true})
 require.Nil(t, err, "could not create browser")
 defer browser.Close()
From 50aebf0ee4386f41218386fc1612540f824b586d Mon Sep 17 00:00:00 2001
From: Mzack9999
Date: Mon, 3 Jul 2023 14:52:28 +0200
Subject: [PATCH 5/5] fixing comment
---
 v2/pkg/types/types.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/v2/pkg/types/types.go b/v2/pkg/types/types.go
index e587d8ddbb..ac4b59284c 100644
--- a/v2/pkg/types/types.go
+++ b/v2/pkg/types/types.go
@@ -276,7 +276,7 @@ type Options struct {
 ClientCAFile string
 // Use ZTLS library
 ZTLS bool
- // Sandbox enables sandboxed nuclei template execution
+ // Disable sandboxed nuclei template execution
 NoSandbox bool
 // ShowMatchLine enables display of match line number
 ShowMatchLine bool
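Review bot: Passing `NoSandbox: true` both to `protocolstate.Init` and to `New(&types.Options{...})` in testHeadless duplicates the opt-out, and whether the engine's `New` reads that field is not visible in this hunk; if it does not, the second setting is dead, and if it does, the test should say which sandbox it is relaxing, because `no-sandbox` also names Chrome's own process-sandbox launch flag and the two are easy to confuse. A one-line comment above the Init call, such as `// tests serve from a local handler that the default denylist would presumably block — disable nuclei's network sandbox; confirm`, would record the reason, which the handler argument hints at but the hunk does not show. testHeadless's body continues outside the hunk.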
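Review bot: The replacement comment `// Disable sandboxed nuclei template execution` on the `NoSandbox` field in the types.go hunk does not start with the field name, so it reads as an instruction rather than a description and departs from the `// Name does X` doc convention the neighbouring `ShowMatchLine` comment follows. Suggest `// NoSandbox disables nuclei's sandboxed template execution (the network denylist applied in protocolstate.Init and the sandbox argument passed to generators.New); unless the headless engine maps it through, it is unrelated to Chrome's own --no-sandbox launch flag.` so readers of the headless code do not conflate the two. The Options struct starts and ends outside the hunk.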