package protocolstate
import (
	"path/filepath"
	"strings"

	"github.com/projectdiscovery/nuclei/v3/pkg/catalog/config"
	"github.com/projectdiscovery/nuclei/v3/pkg/types"
	"github.com/projectdiscovery/utils/errkit"
	fileutil "github.com/projectdiscovery/utils/file"
	mapsutil "github.com/projectdiscovery/utils/maps"
)
// LfaAllowed is the per-execution registry of the local file access (LFA)
// setting. Keys are execution IDs; the value is the AllowLocalFileAccess
// option recorded for that execution by SetLfaAllowed.
//
// The variable is exported, so any importing package can write to it.
// NOTE(review): consider whether writes should be restricted to SetLfaAllowed,
// since a true entry disables the template-directory sandbox in NormalizePath.
var LfaAllowed *mapsutil.SyncLockMap[string, bool]

// init allocates the registry so that lookups and writes are valid as soon as
// the package has been loaded.
func init() {
	LfaAllowed = mapsutil.NewSyncLockMap[string, bool]()
}
// IsLfaAllowed reports whether local file access is allowed for the execution
// identified by options.ExecutionId.
//
// Sources are consulted in order and the first one that applies wins:
//  1. the LfaAllowed registry, but only when it holds true for this execution;
//  2. the dialers registered for this execution, if there are any;
//  3. options.AllowLocalFileAccess.
//
// A false entry in the registry does not deny access on its own: the lookup
// simply continues with the next source. options must be non-nil.
func IsLfaAllowed(options *types.Options) bool {
	if GetLfaAllowed(options) {
		return true
	}

	// Otherwise look into dialers
	execDialers, found := dialers.Get(options.ExecutionId)
	if !found || execDialers == nil {
		// otherwise just return option value
		return options.AllowLocalFileAccess
	}

	// The flag is read while holding the dialers' lock.
	execDialers.Lock()
	defer execDialers.Unlock()
	return execDialers.LocalFileAccessAllowed
}
// SetLfaAllowed stores options.AllowLocalFileAccess in the LfaAllowed registry
// under options.ExecutionId.
//
// The error returned by Set is deliberately discarded. NOTE(review): if Set
// can fail, the value is silently left unrecorded; confirm that callers
// tolerate that.
func SetLfaAllowed(options *types.Options) {
	execID, allow := options.ExecutionId, options.AllowLocalFileAccess
	_ = LfaAllowed.Set(execID, allow)
}
// GetLfaAllowed reports whether the LfaAllowed registry holds true for
// options.ExecutionId. A missing entry and a stored false both yield false.
func GetLfaAllowed(options *types.Options) bool {
	if allowed, found := LfaAllowed.Get(options.ExecutionId); found {
		return allowed
	}
	return false
}
// NormalizePathWithExecutionId is NormalizePath for callers that hold only an
// execution ID. The Options value it builds carries nothing but that ID, so
// AllowLocalFileAccess stays at its zero value (false) and access is decided
// by what has been registered for the execution (see IsLfaAllowed).
func NormalizePathWithExecutionId(executionId string, filePath string) (string, error) {
	return NormalizePath(&types.Options{ExecutionId: executionId}, filePath)
}
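// NormalizePath resolves filePath and enforces the local-file sandbox.
//
// When local file access is allowed for this execution (see IsLfaAllowed),
// filePath is returned exactly as given: it is not cleaned or resolved.
// Otherwise the path is resolved and cleaned against the nuclei-templates
// directory and is accepted only when the result is that directory or lies
// beneath it. Anything else, including the current working directory, is
// rejected with an error.
//
// Containment is decided on path components, not on a raw string prefix, so a
// sibling directory whose name merely starts with the templates directory name
// (for example "<templates>-other") is rejected. An empty templates directory
// is treated as "nothing is allowed" rather than as a prefix of every path.
//
// The check is lexical. Whether fileutil.ResolveNClean follows symbolic links
// is not visible here. NOTE(review): confirm, and evaluate symlinks before the
// containment check if it does not.
func NormalizePath(options *types.Options, filePath string) (string, error) {
	// TODO: this should be tied to executionID using *types.Options
	if IsLfaAllowed(options) {
		// if local file access is allowed, the path is handed back untouched
		return filePath, nil
	}

	templateDir := config.DefaultConfig.GetTemplateDir()
	cleaned, err := fileutil.ResolveNClean(filePath, templateDir)
	if err != nil {
		return "", errkit.Wrapf(err, "could not resolve and clean path %v", filePath)
	}

	// only allow files inside nuclei-templates directory
	// even current working directory is not allowed
	if templateDir != "" {
		// filepath.Rel fails when the two paths cannot be related (for
		// example absolute vs relative); that is treated as "outside".
		rel, relErr := filepath.Rel(filepath.Clean(templateDir), cleaned)
		escapes := rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
		if relErr == nil && !escapes {
			return cleaned, nil
		}
	}
	return "", errkit.Newf("path %v is outside nuclei-template directory and -lfa is not enabled", filePath)
}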