From 92d72866d405392c74cbaaaed834353db74cc0ed Mon Sep 17 00:00:00 2001 From: "alban.stourbe stourbe" Date: Mon, 18 Nov 2024 14:25:36 +0100 Subject: [PATCH 1/4] handle env variables in dynamic secret file --- internal/runner/lazy.go | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/internal/runner/lazy.go b/internal/runner/lazy.go index 900850b673..799ba92566 100644 --- a/internal/runner/lazy.go +++ b/internal/runner/lazy.go @@ -3,6 +3,8 @@ package runner import ( "context" "fmt" + "os" + "strings" "github.com/projectdiscovery/nuclei/v3/pkg/authprovider/authx" "github.com/projectdiscovery/nuclei/v3/pkg/catalog" @@ -75,7 +77,16 @@ func GetLazyAuthFetchCallback(opts *AuthLazyFetchOptions) authx.LazyFetchSecret vars := map[string]interface{}{} mainCtx := context.Background() ctx := scan.NewScanContext(mainCtx, contextargs.NewWithInput(mainCtx, d.Input)) + for _, v := range d.Variables { + // Check if the template has any env variables and expand them + if strings.HasPrefix(v.Value, "$") { + env := strings.TrimPrefix(v.Value, "$") + retrievedEnv := os.Getenv(env) + if retrievedEnv != "" { + v.Value = os.Getenv(env) + } + } vars[v.Key] = v.Value ctx.Input.Add(v.Key, v.Value) } From 6f83d453598899c2655200709af9ee059fc993aa Mon Sep 17 00:00:00 2001 From: Tarun Koyalwar Date: Wed, 20 Nov 2024 17:42:54 +0530 Subject: [PATCH 2/4] inject more variables from -v and -env-vars --- internal/runner/lazy.go | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/internal/runner/lazy.go b/internal/runner/lazy.go index 799ba92566..ba9f8ae678 100644 --- a/internal/runner/lazy.go +++ b/internal/runner/lazy.go @@ -12,6 +12,7 @@ import ( "github.com/projectdiscovery/nuclei/v3/pkg/output" "github.com/projectdiscovery/nuclei/v3/pkg/protocols" "github.com/projectdiscovery/nuclei/v3/pkg/protocols/common/contextargs" + "github.com/projectdiscovery/nuclei/v3/pkg/protocols/common/generators" "github.com/projectdiscovery/nuclei/v3/pkg/protocols/common/helpers/writer" "github.com/projectdiscovery/nuclei/v3/pkg/scan" "github.com/projectdiscovery/nuclei/v3/pkg/types" @@ -78,6 +79,12 @@ func GetLazyAuthFetchCallback(opts *AuthLazyFetchOptions) authx.LazyFetchSecret mainCtx := context.Background() ctx := scan.NewScanContext(mainCtx, contextargs.NewWithInput(mainCtx, d.Input)) + cliVars := map[string]interface{}{} + if opts.ExecOpts.Options != nil { + // gets variables passed from cli -v and -env-vars + cliVars = generators.BuildPayloadFromOptions(opts.ExecOpts.Options) + } + for _, v := range d.Variables { // Check if the template has any env variables and expand them if strings.HasPrefix(v.Value, "$") { @@ -87,6 +94,9 @@ func GetLazyAuthFetchCallback(opts *AuthLazyFetchOptions) authx.LazyFetchSecret v.Value = os.Getenv(env) } } + if val, ok := cliVars[v.Key]; ok && val != "" { + v.Value = types.ToString(val) + } vars[v.Key] = v.Value ctx.Input.Add(v.Key, v.Value) } From 4fb62df4a2f60669ae85d4a6917a2d63b86cebe3 Mon Sep 17 00:00:00 2001 From: Tarun Koyalwar Date: Wed, 20 Nov 2024 17:45:19 +0530 Subject: [PATCH 3/4] use expand with env --- internal/runner/lazy.go | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/internal/runner/lazy.go b/internal/runner/lazy.go index ba9f8ae678..5ce6743f0e 100644 --- a/internal/runner/lazy.go +++ b/internal/runner/lazy.go @@ -3,7 +3,6 @@ package runner import ( "context" "fmt" - "os" "strings" "github.com/projectdiscovery/nuclei/v3/pkg/authprovider/authx" @@ -16,6 +15,7 @@ import ( "github.com/projectdiscovery/nuclei/v3/pkg/protocols/common/helpers/writer" "github.com/projectdiscovery/nuclei/v3/pkg/scan" "github.com/projectdiscovery/nuclei/v3/pkg/types" + "github.com/projectdiscovery/utils/env" errorutil "github.com/projectdiscovery/utils/errors" ) @@ -88,11 +88,7 @@ func GetLazyAuthFetchCallback(opts *AuthLazyFetchOptions) authx.LazyFetchSecret for _, v := range d.Variables { // Check if the template has any env variables and expand them if strings.HasPrefix(v.Value, "$") { - env := strings.TrimPrefix(v.Value, "$") - retrievedEnv := os.Getenv(env) - if retrievedEnv != "" { - v.Value = os.Getenv(env) - } + env.ExpandWithEnv(&v.Value) } if val, ok := cliVars[v.Key]; ok && val != "" { v.Value = types.ToString(val) From 01c62c61776efa406ca92ba6464691197225d7cb Mon Sep 17 00:00:00 2001 From: Tarun Koyalwar Date: Wed, 20 Nov 2024 17:50:42 +0530 Subject: [PATCH 4/4] fix missing replacer --- internal/runner/lazy.go | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/internal/runner/lazy.go b/internal/runner/lazy.go index 5ce6743f0e..5cb91cfd09 100644 --- a/internal/runner/lazy.go +++ b/internal/runner/lazy.go @@ -13,6 +13,7 @@ import ( "github.com/projectdiscovery/nuclei/v3/pkg/protocols/common/contextargs" "github.com/projectdiscovery/nuclei/v3/pkg/protocols/common/generators" "github.com/projectdiscovery/nuclei/v3/pkg/protocols/common/helpers/writer" + "github.com/projectdiscovery/nuclei/v3/pkg/protocols/common/replacer" "github.com/projectdiscovery/nuclei/v3/pkg/scan" "github.com/projectdiscovery/nuclei/v3/pkg/types" "github.com/projectdiscovery/utils/env" @@ -90,8 +91,12 @@ func GetLazyAuthFetchCallback(opts *AuthLazyFetchOptions) authx.LazyFetchSecret if strings.HasPrefix(v.Value, "$") { env.ExpandWithEnv(&v.Value) } - if val, ok := cliVars[v.Key]; ok && val != "" { - v.Value = types.ToString(val) + if strings.Contains(v.Value, "{{") { + // if variables had value like {{username}}, then replace it with the value from cliVars + // variables: + // - key: username + // value: {{username}} + v.Value = replacer.Replace(v.Value, cliVars) } vars[v.Key] = v.Value ctx.Input.Add(v.Key, v.Value)