projectdiscovery · dogancanbakir · Jul 4, 2024 · Jul 4, 2024 · Jul 4, 2024 · Jul 5, 2024
diff --git a/cmd/integration-test/code.go b/cmd/integration-test/code.go
@@ -99,7 +99,7 @@ type codePreCondition struct{}
 
 // Execute executes a test case and returns an error if occurred
 func (h *codePreCondition) Execute(filePath string) error {
-	results, err := testutils.RunNucleiArgsWithEnvAndGetResults(debug, getEnvValues(), "-t", filePath, "-u", "input", "-code")
+	results, err := testutils.RunNucleiArgsWithEnvAndGetResults(debug, getEnvValues(), "-t", filePath, "-u", "input", "-code", "-var", "foo=bar")
 	if err != nil {
 		return err
 	}

diff --git a/cmd/integration-test/http.go b/cmd/integration-test/http.go
@@ -952,7 +952,7 @@ func (h *httpRequestSelfContained) Execute(filePath string) error {
 	}()
 	defer server.Close()
 
-	results, err := testutils.RunNucleiTemplateAndGetResults(filePath, "", debug)
+	results, err := testutils.RunNucleiTemplateAndGetResults(filePath, "", debug, "-var foo=bar")
 	if err != nil {
 		return err
 	}
@@ -988,7 +988,7 @@ func (h *httpRequestSelfContainedWithParams) Execute(filePath string) error {
 	}()
 	defer server.Close()
 
-	results, err := testutils.RunNucleiTemplateAndGetResults(filePath, "", debug)
+	results, err := testutils.RunNucleiTemplateAndGetResults(filePath, "", debug, "-var foo=bar")
 	if err != nil {
 		return err
 	}

diff --git a/cmd/integration-test/network.go b/cmd/integration-test/network.go
@@ -119,7 +119,7 @@ func (h *networkRequestSelContained) Execute(filePath string) error {
 		_, _ = conn.Write([]byte("Authentication successful"))
 	})
 	defer ts.Close()
-	results, err := testutils.RunNucleiTemplateAndGetResults(filePath, "", debug)
+	results, err := testutils.RunNucleiTemplateAndGetResults(filePath, "", debug, "-var foo=bar")
 	if err != nil {
 		return err
 	}

diff --git a/go.mod b/go.mod
@@ -206,6 +206,7 @@ require (
 	github.com/projectdiscovery/ldapserver v1.0.2-0.20240219154113-dcc758ebc0cb // indirect
 	github.com/projectdiscovery/machineid v0.0.0-20240226150047-2e2c51e35983 // indirect
 	github.com/refraction-networking/utls v1.6.6 // indirect
+	github.com/samber/lo v1.44.0 // indirect
 	github.com/sashabaranov/go-openai v1.15.3 // indirect
 	github.com/shirou/gopsutil v3.21.11+incompatible // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect

diff --git a/go.sum b/go.sum
@@ -948,6 +948,8 @@ github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQD
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/saintfish/chardet v0.0.0-20230101081208-5e3ef4b5456d h1:hrujxIzL1woJ7AwssoOcM/tq5JjjG2yYOc8odClEiXA=
 github.com/saintfish/chardet v0.0.0-20230101081208-5e3ef4b5456d/go.mod h1:uugorj2VCxiV1x+LzaIdVa9b4S4qGAcH6cbhh4qVxOU=
+github.com/samber/lo v1.44.0 h1:5il56KxRE+GHsm1IR+sZ/6J42NODigFiqCWpSc2dybA=
+github.com/samber/lo v1.44.0/go.mod h1:RmDH9Ct32Qy3gduHQuKJ3gW1fMHAnE/fAzQuf6He5cU=
 github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E=
 github.com/sashabaranov/go-openai v1.15.3 h1:rzoNK9n+Cak+PM6OQ9puxDmFllxfnVea9StlmhglXqA=
 github.com/sashabaranov/go-openai v1.15.3/go.mod h1:lj5b/K+zjTSFxVLijLSTDZuP7adOgerWeFyZLUhAKRg=

diff --git a/internal/runner/runner.go b/internal/runner/runner.go
@@ -26,6 +26,7 @@ import (
 	fileutil "github.com/projectdiscovery/utils/file"
 	permissionutil "github.com/projectdiscovery/utils/permission"
 	updateutils "github.com/projectdiscovery/utils/update"
+	"github.com/samber/lo"
 
 	"github.com/logrusorgru/aurora"
 	"github.com/pkg/errors"
@@ -519,6 +520,15 @@ func (r *Runner) RunEnumeration() error {
 		// if input type is not list (implicitly enable fuzzing)
 		r.options.DAST = true
 	}
+
+	if lo.NoneBy(r.options.Targets, func(target string) bool { return fileutil.FileOrFolderExists(target) }) {
+		loaderConfig.ExcludeFileProtocol = true
+	}
+
+	if r.options.Vars.IsEmpty() && !r.options.EnvironmentVariables {
+		loaderConfig.ExcludeSelfContained = true
+	}
+
 	store, err := loader.New(loaderConfig)
 	if err != nil {
 		return errors.Wrap(err, "Could not create loader.")
@@ -727,6 +737,8 @@ func (r *Runner) displayExecutionInfo(store *loader.Store) {
 	stats.DisplayAsWarning(httpProtocol.SetThreadToCountZero)
 	stats.ForceDisplayWarning(templates.SkippedUnsignedStats)
 	stats.ForceDisplayWarning(templates.SkippedRequestSignatureStats)
+	stats.ForceDisplayWarning(templates.SkippedSelfContainedStats)
+	stats.ForceDisplayWarning(templates.SkippedFileStats)
 
 	cfg := config.DefaultConfig
 

diff --git a/pkg/catalog/loader/loader.go b/pkg/catalog/loader/loader.go
@@ -60,8 +60,10 @@ type Config struct {
 	ExcludeIds        []string
 	IncludeConditions []string
 
-	Catalog         catalog.Catalog
-	ExecutorOptions protocols.ExecutorOptions
+	Catalog              catalog.Catalog
+	ExecutorOptions      protocols.ExecutorOptions
+	ExcludeSelfContained bool
+	ExcludeFileProtocol  bool
 }
 
 // Store is a storage for loaded nuclei templates
@@ -465,6 +467,17 @@ func (store *Store) LoadTemplatesWithTags(templatesList, tags []string) []*templ
 						stats.Increment(templates.SkippedUnsignedStats)
 						return
 					}
+
+					if parsed.SelfContained && store.config.ExcludeSelfContained {
+						stats.Increment(templates.SkippedSelfContainedStats)
+						return
+					}
+
+					if parsed.HasFileProtocol() && store.config.ExcludeFileProtocol {
+						stats.Increment(templates.SkippedFileStats)
+						return
+					}
+
 					// if template has request signature like aws then only signed and verified templates are allowed
 					if parsed.UsesRequestSignature() && !parsed.Verified {
 						stats.Increment(templates.SkippedRequestSignatureStats)

diff --git a/pkg/templates/parser_stats.go b/pkg/templates/parser_stats.go
@@ -11,4 +11,6 @@ const (
 	ExludedDastTmplStats         = "fuzz-flag-missing-warnings"
 	SkippedUnsignedStats         = "skipped-unsigned-stats" // tracks loading of unsigned templates
 	SkippedRequestSignatureStats = "skipped-request-signature-stats"
+	SkippedSelfContainedStats    = "skipped-self-contained-stats"
+	SkippedFileStats             = "skipped-file-stats"
 )
diff --git a/pkg/templates/stats.go b/pkg/templates/stats.go
@@ -13,4 +13,6 @@ func init() {
 	stats.NewEntry(ExludedDastTmplStats, "Excluded %d dast template[s] (disabled as default), use -dast option to run dast templates.")
 	stats.NewEntry(SkippedUnsignedStats, "Skipping %d unsigned template[s]")
 	stats.NewEntry(SkippedRequestSignatureStats, "Skipping %d templates, HTTP Request signatures can only be used in Signed & Verified templates.")
+	stats.NewEntry(SkippedSelfContainedStats, "Skipping %d self-contained template[s], use  -var or -env-vars flag to run them")
+	stats.NewEntry(SkippedFileStats, "Skipping %d file template[s], use file or directory as an input to run file templates")
 }
diff --git a/pkg/templates/templates.go b/pkg/templates/templates.go
@@ -227,6 +227,11 @@ func (template *Template) HasCodeProtocol() bool {
 	return len(template.RequestsCode) > 0
 }
 
+// HasFileProtocol returns true if the template has a file protocol section
+func (template *Template) HasFileProtocol() bool {
+	return len(template.RequestsFile) > 0
+}
+
 // validateAllRequestIDs check if that protocol already has given id if not
 // then is is manually set to proto_index
 func (template *Template) validateAllRequestIDs() {