misc updates
ehsandeep committed Oct 10, 2023
1 parent e34be57 commit 751494a
Showing 6 changed files with 36 additions and 22 deletions.
40 changes: 27 additions & 13 deletions docs/template-guide/code.mdx
@@ -49,7 +49,7 @@ Simplest and recommended way to generate key-pair and signing/verfifying templat
```console
$ ./nuclei -t my-template.yaml -sign -v
[INF] Generating new key-pair for signing templates
[*] Enter User/Organization Name (exit to abort) : ProjectDiscovery.io
[*] Enter User/Organization Name (exit to abort) : projectdiscovery/nuclei-templates
[*] Enter passphrase (exit to abort):
[*] Enter same passphrase again:
[INF] Successfully generated new key-pair for signing templates
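Review bot: the unchanged context in this hunk's header still reads `signing/verfifying templates`; since the commit touches this section anyway, fix the spelling to `verifying`. The new identity `projectdiscovery/nuclei-templates` is the string later shown as the signer in `Executing N signed templates from ...`, so keep the two examples in this file identical whenever one of them is changed.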
@@ -75,11 +75,12 @@ When a template is signed, a digest is generated and added to the template. This

It is in the format of `signature:fragment` where signature is digital signature of template which is used to verify integrity of template
and fragment is a metadata generated by md5 hashing public key to disable re-signing of code templates not written by you.

fragment is meant to act like a speed bump to prevent mass-signing of code protocol templates to prevent any unintended misuse.

### Where are keys stored ?

key-pair generated by nuclei are stored in 2 files in $config/nuclei/keys directory where $config is system specific config directory
key-pair generated by nuclei are stored in 2 files in `$config/nuclei/keys` directory where `$config` is system specific config directory

```
$ la ~/.config/nuclei/keys
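Review bot: the added sentence `fragment is meant to act like a speed bump to prevent mass-signing of code protocol templates to prevent any unintended misuse.` starts lowercase and repeats `to prevent`; suggest `The fragment is meant to act as a speed bump against mass-signing of code protocol templates and the unintended misuse that would enable.` It would also help to say explicitly that the fragment is an MD5 of the public key, i.e. an identifier used to recognise the signer, and not part of the signature check, since the surrounding text calls it a security measure. Minor: `$ la ~/.config/nuclei/keys` in the context below relies on a shell alias; `ls -la` works everywhere.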
@@ -115,8 +116,8 @@ Everytime `nuclei` is run, it loads user certificate (aka public key) from above
`nuclei` also prints identifier of public key being used and warns user of unsigned custom templates

```
[INF] Executing 6219 signed templates from 'ProjectDiscovery.io'
[WRN] Executing 687 unsigned templates. Use with caution
[INF] Executing 6219 signed templates from projectdiscovery/nuclei-templates
[WRN] Executing 687 unsigned templates. Use with caution.
```

### Managing Private Key
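Review bot: `Executing 6219 signed templates from projectdiscovery/nuclei-templates` presents the name as a verified source, but it is the User/Organization Name typed at the `-sign` prompt shown earlier in this file, not anything checked against a repository. Suggest the sentence introducing the block say `prints the identifier chosen when the key-pair was generated` so a reader does not take the line as provenance; dropping the quotes around the name (matching the runner.go change in this commit) makes that distinction even less visible.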
@@ -303,10 +304,10 @@ For more examples, please refer to example [code-templates](https://github.com/p

projectdiscovery.io

[WRN] Found 1 unverified templates (carefully examine the template before using it and use -sign flag to sign them)
[WRN] Found 1 unsigned or tampered code template (carefully examine before using it & use -sign flag to sign them)
[INF] Current nuclei version: v3.0.0-dev (development)
[INF] Current nuclei-templates version: v9.6.4 (latest)
[WRN] Executing 1 unsigned templates. Use with caution
[WRN] Executing 1 unsigned templates. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] No results found. Better luck next time!
[FTL] Could not run nuclei: no templates provided for scan
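Review bot: the sample output contradicts itself: `[WRN] Executing 1 unsigned templates. Use with caution.` is immediately followed by `[FTL] Could not run nuclei: no templates provided for scan`, and the loader.go change in this same commit drops unverified code templates from the final list, so the template is counted as executing while it is actually skipped. Either the unsigned counter should exclude skipped code templates or the doc should explain that the warning counts loaded templates, not executed ones. Also `1 unsigned templates` and `Found 1 unsigned or tampered code template` both need number agreement.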
@@ -315,14 +316,27 @@ For more examples, please refer to example [code-templates](https://github.com/p
Here `simple-code.yaml` is a code protocol template which is not signed or content of template has been modified after signing which indicates loss of integrity of template.
If you are template writer then you can go ahead and sign the template using `-sign` flag and if you are template consumer then you should carefully examine the template before signing it.
### What does `fragment mismatch` error mean ?
### What does `re-signing code templates are not allowed for security reasons` error mean?
```
./nuclei -u scanme.sh -t simple-code.yaml -v -sign
[ERR] could not sign 'simple-code.yaml': [signer:RUNTIME] fragment mismatch: expected '73812c4e0e52692225979bd2d5f05a3c' got '4a3eb6b4988d95847d4203be25ed1d46'
```bash
nuclei -u scanme.sh -t simple-code.yaml -sign
[ERR] could not sign 'simple-code.yaml': [signer:RUNTIME] re-signing code templates are not allowed for security reasons.
[INF] All templates signatures were elaborated success=0 failed=1
```

This is a security speed bump implemented in nuclei to prevent accidentally signing untrusted templates and is only applicable to code protocol templates.
This error indicates that someone originally signed the template and template content has been modified and hence the signature verification failed. and you are trying to sign it again in mass without examining the template.
To fix this error you should open template and examine changes and manually remove signature from template and then sign it again.
The error message `re-signing code templates are not allowed for security reasons` comes from the Nuclei engine. This error indicates that a code template initially signed by another user and someone is trying to re-sign it.

This measure was implemented to prevent running untrusted templates unknowingly, which might lead to potential security issues.
When you encounter this error, it suggests that you're dealing with a template that has been signed by another user Likely, the original signer is not you or the team from projectdiscovery.

By default, Nuclei disallows executing code templates that are signed by anyone other than you or from the public templates provided by projectdiscovery/nuclei-templates.

This is done to prevent potential security abuse using code templates.

To resolve this error:
1. Open and thoroughly examine the code template for any modifications.
2. Manually remove the existing digest signature from the template.
3. Sign the template again.

This way, you can ensure that only templates verified and trusted by you (or projectdiscovery) are run, thus maintaining a secure environment.
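Review bot: the new explanation has two grammar problems: `This error indicates that a code template initially signed by another user and someone is trying to re-sign it.` lacks its verb (`was initially signed by another user and someone else is trying to re-sign it`), and `signed by another user Likely, the original signer` is missing a period. Two further points. The fence changed from ``` to ```bash although the block is console output, and the earlier example in this file uses ```console. More importantly, the resolution steps (`Manually remove the existing digest signature from the template` then `Sign the template again`) are precisely the bypass the speed bump exists to slow down; step 1 should say what to examine, at minimum the command or code the template runs and whose key fragment sits in the existing digest, otherwise this reads as a recipe for mass re-signing. Note too that the signer change in this commit now returns the same error for a digest with no fragment and for a fragment mismatch, so the doc's claim that the template was "signed by another user" is only one of the two cases.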
6 changes: 3 additions & 3 deletions v2/internal/runner/runner.go
@@ -699,7 +699,7 @@ func (r *Runner) displayExecutionInfo(store *loader.Store) {
stats.Display(parsers.SyntaxWarningStats)
stats.Display(parsers.SyntaxErrorStats)
stats.Display(parsers.RuntimeWarningsStats)
stats.Display(parsers.VerifiedWarning)
stats.Display(parsers.UnsignedWarning)

cfg := config.DefaultConfig

@@ -716,9 +716,9 @@ func (r *Runner) displayExecutionInfo(store *loader.Store) {
for k, v := range templates.SignatureStats {
if v.Load() > 0 {
if k != templates.Unsigned {
gologger.Info().Msgf("Executing %d signed templates from '%s'", v.Load(), k)
gologger.Info().Msgf("Executing %d signed templates from %s", v.Load(), k)
} else if !r.options.Silent {
gologger.DefaultLogger.Print().Msgf("[%v] Executing %d unsigned templates. Use with caution", aurora.BrightYellow("WRN"), v.Load())
gologger.DefaultLogger.Print().Msgf("[%v] Executing %d unsigned templates. Use with caution.", aurora.BrightYellow("WRN"), v.Load())
}
}
}
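Review bot: the unsigned warning is assembled by hand as `[%v]` with `aurora.BrightYellow("WRN")` through `gologger.DefaultLogger.Print()`, while the signed line directly above uses `gologger.Info()`; unless the intent is to bypass the logger's level filtering, `gologger.Warning().Msgf("Executing %d unsigned templates. Use with caution.", v.Load())` gives the same prefix and keeps the two lines consistent. Also `%d unsigned templates` produces `1 unsigned templates`, which is the wording that ended up in the docs sample in this commit.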
2 changes: 1 addition & 1 deletion v2/pkg/catalog/loader/loader.go
@@ -393,7 +393,7 @@ func (store *Store) LoadTemplatesWithTags(templatesList, tags []string) []*templ
gologger.Warning().Msgf("Headless flag is required for headless template '%s'\n", templatePath)
} else if len(parsed.RequestsCode) > 0 && !parsed.Verified {
// donot include unverified 'Code' protocol custom template in final list
stats.Increment(parsers.VerifiedWarning)
stats.Increment(parsers.UnsignedWarning)
if store.config.ExecutorOptions.Options.VerboseVerbose { // only shown in -vv
gologger.Verbose().Msgf("Skipping Unverified custom template %s", templatePath)
}
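Review bot: the `else if len(parsed.RequestsCode) > 0 && !parsed.Verified` branch is the only place an unsigned code template is actually dropped, yet the per-file message `Skipping Unverified custom template %s` is emitted only at `-vv` and still says `Unverified` although the counter it sits next to was just renamed to `UnsignedWarning`. Suggest `Skipping unsigned or tampered code template %s` at `-v`, since at default verbosity the user gets a count but never learns which file was excluded. Minor: `donot` in the comment should be `do not`.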
4 changes: 2 additions & 2 deletions v2/pkg/parsers/parser.go
@@ -142,7 +142,7 @@ const (
SyntaxWarningStats = "syntax-warnings"
SyntaxErrorStats = "syntax-errors"
RuntimeWarningsStats = "runtime-warnings"
VerifiedWarning = "verified-warnings"
UnsignedWarning = "unsigned-warnings"
)

func init() {
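Review bot: renaming the exported constant `VerifiedWarning` to `UnsignedWarning` also changes its value from `verified-warnings` to `unsigned-warnings`; both are visible outside this package (the identifier to anything importing `parsers`, the key to anything that reads the stats output), so mention it in the release notes or keep `VerifiedWarning` as a deprecated alias for one release.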
@@ -151,7 +151,7 @@ func init() {
stats.NewEntry(SyntaxWarningStats, "Found %d templates with syntax warning (use -validate flag for further examination)")
stats.NewEntry(SyntaxErrorStats, "Found %d templates with syntax error (use -validate flag for further examination)")
stats.NewEntry(RuntimeWarningsStats, "Found %d templates with runtime error (use -validate flag for further examination)")
stats.NewEntry(VerifiedWarning, "Found %d unverified templates (carefully examine the template before using it and use -sign flag to sign them)")
stats.NewEntry(UnsignedWarning, "Found %d unsigned or tampered code template (carefully examine before using it & use -sign flag to sign them)")
}

// ParseTemplate parses a template and returns a *templates.Template structure
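Review bot: `Found %d unsigned or tampered code template (...)` reads wrongly for any count other than one (`Found 3 unsigned or tampered code template`); use `templates`. More substantively, unsigned and tampered are different conditions: a template that never carried a digest is normal for local development, whereas a digest that fails verification is an integrity failure the user should react to. A second stats entry, incremented from the verification path, would let the warning say which of the two happened instead of folding both into one line.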
2 changes: 1 addition & 1 deletion v2/pkg/protocols/code/code.go
@@ -142,7 +142,7 @@ func (request *Request) ExecuteWithResults(input *contextargs.Context, dynamicVa
if err != nil {
return err
}
gologger.Verbose().Msgf("[%s] Executed Code on target %v", request.options.TemplateID, input.MetaInput.Input)
gologger.Verbose().Msgf("[%s] Executed code on local machine %v", request.options.TemplateID, input.MetaInput.Input)

if vardump.EnableVarDump {
gologger.Debug().Msgf("Code Protocol request variables: \n%s\n", vardump.DumpVariables(variables))
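Review bot: `Executed code on local machine %v` places the target input directly after `local machine`, so with `scanme.sh` the log reads `Executed code on local machine scanme.sh`, as if scanme.sh were the machine. Suggest `Executed code on local machine for target %v`. The change itself is right: the code protocol runs on the scanner host, not on the target, and the old `Executed Code on target` wording hid that.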
4 changes: 2 additions & 2 deletions v2/pkg/templates/signer/tmpl_signer.go
@@ -77,13 +77,13 @@ func (t *TemplateSigner) Sign(data []byte, tmpl SignableTemplate) (string, error
arr := strings.SplitN(string(sig), ":", 3)
if len(arr) == 2 {
// signature has no fragment
return "", errorutil.NewWithTag("signer", "re-signing code protocol templates not allowed: no fragment found")
return "", errorutil.NewWithTag("signer", "re-signing code templates are not allowed for security reasons.")
}
if len(arr) == 3 {
// signature has fragment verify if it is equal to current fragment
fragment := t.GetUserFragment()
if fragment != arr[2] {
return "", errorutil.NewWithTag("signer", "fragment mismatch: expected '%v' got '%v'", fragment, arr[2])
return "", errorutil.NewWithTag("signer", "re-signing code templates are not allowed for security reasons.")
}
}
}
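Review bot: both branches now return the identical string `re-signing code templates are not allowed for security reasons.`, so the no-fragment case (`len(arr) == 2`) and the fragment-mismatch case become indistinguishable, and the expected/got fragments the old message carried are gone; keep that detail as a wrapped cause or a `gologger.Debug()` line, since the docs in this commit tell the user to examine the template but the tool no longer says whose key signed it. Separately, Go error strings should not end with a period (staticcheck ST1005), and the same literal appears twice, so define it once as a package-level error and return it from both branches.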
