disable re-signing code protocol templates

projectdiscovery · Oct 1, 2023 · c1dbb8e · c1dbb8e
1 parent 894879c
commit c1dbb8e
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 4 deletions.
diff --git a/v2/cmd/nuclei/main.go b/v2/cmd/nuclei/main.go
@@ -59,23 +59,28 @@ func main() {
 			gologger.Fatal().Msgf("couldn't initialize signer crypto engine: %s\n", err)
 		}
 
+		successCounter := 0
+		errorCounter := 0
 		for _, item := range options.Templates {
 			err := filepath.WalkDir(item, func(iterItem string, d fs.DirEntry, err error) error {
 				if err != nil || d.IsDir() {
 					return nil
 				}
 
 				if err := templates.SignTemplate(sign, iterItem); err != nil {
-					gologger.Warning().Msgf("could not sign '%s': %s\n", iterItem, err)
+					errorCounter++
+					gologger.Error().Msgf("could not sign '%s': %s\n", iterItem, err)
+				} else {
+					successCounter++
 				}
 
 				return nil
 			})
 			if err != nil {
 				gologger.Error().Msgf("%s\n", err)
 			}
-			gologger.Info().Msgf("All templates signatures were elaborated\n")
 		}
+		gologger.Info().Msgf("All templates signatures were elaborated success=%d failed=%d\n", successCounter, errorCounter)
 		return
 	}
 

diff --git a/v2/pkg/parsers/parser.go b/v2/pkg/parsers/parser.go
@@ -178,6 +178,9 @@ func ParseTemplate(templatePath string, catalog catalog.Catalog) (*templates.Tem
 	default:
 		err = fmt.Errorf("failed to identify template format expected JSON or YAML but got %v", templatePath)
 	}
+	if err != nil {
+		return nil, err
+	}
 
 	parsedTemplatesCache.Store(templatePath, template, nil)
 	return template, nil

diff --git a/v2/pkg/templates/signer/util.go b/v2/pkg/templates/signer/util.go
@@ -23,6 +23,10 @@ func RemoveSignatureFromData(data []byte) []byte {
 	return bytes.Trim(ReDigest.ReplaceAll(data, []byte("")), "\n")
 }
 
+func GetSignatureFromData(data []byte) []byte {
+	return ReDigest.Find(data)
+}
+
 func Sign(sign *Signer, data []byte, tmpl SignableTemplate) (string, error) {
 	if sign == nil {
 		return "", errors.New("invalid nil signer")

diff --git a/v2/pkg/templates/template_sign.go b/v2/pkg/templates/template_sign.go
@@ -2,6 +2,7 @@ package templates
 
 import (
 	"bytes"
+	"fmt"
 	"os"
 	"path/filepath"
 	"sync"
@@ -39,7 +40,8 @@ func VerifyTemplateSignature(templatePath string) (bool, error) {
 
 // SignTemplate signs the tempalate using custom signer
 func SignTemplate(templateSigner *signer.Signer, templatePath string) error {
-	// sign templates is individual process so we need to initialize
+	// sign templates requires code files such as javsacript bash command to be included
+	// in template hence we first load template and append such resolved file references to content
 	initOnce()
 
 	template, bin, err := getTemplate(templatePath)
@@ -48,7 +50,15 @@ func SignTemplate(templateSigner *signer.Signer, templatePath string) error {
 	}
 	if !template.Verified {
 		// if template not verified then sign it
-		// TODO: do not allow re-signing templates having code protocol
+
+		if len(template.RequestsCode) > 0 {
+			// if template contains code protocol and digest then re-signing is not allowed
+			digestData := signer.GetSignatureFromData(bin)
+			if len(digestData) != 0 {
+				return fmt.Errorf("re-signing of code protocol templates is not supported")
+			}
+		}
+
 		signatureData, err := signer.Sign(templateSigner, bin, template)
 		if err != nil {
 			return err