nuclei icon indicating copy to clipboard operation
nuclei copied to clipboard

Published 20 hours ago verified publisher icon projectdiscovery

Allow cli and enviroment variables to be substituted in the templates…

Open jturner opened this issue 2 years ago • 3 comments

… variables section

Proposed changes

I want to be able to have environment variables and cli variables substituted in the variables section of the template before the variables are evaluated. This allows us to pass env variables that contain sensitive information that will then go through the hmac filter in the variables section. This might be a lot of layers of substitution, but this simplifies things for us. See example below. Uppercase variables are those being based in via env vars.

$ nuclei -ev -V path=/api/v1/check -t check.yaml

variables:
  my_date: "{{date_time('Mon, 02 Jan 2006 15:04:05 -0700')}}"
  my_join: "{{join('\n', '{{my_date}}', 'GET', '{{HOST}}', '{{path}}', '')}}"
  my_hmac: "{{hmac('sha1', '{{my_join}}', '{{SKEY}}')}}"

requests:
  - method: GET
    path:
      - "https://{{HOST}}{{path}}"
    headers:
      Host: "{{HOST}}"
      Date: "{{my_date}}"
      Authorization: Basic {{base64('{{IKEY}}:{{my_hmac}}')}}

Checklist

  • [X] Pull request is created against the dev branch
  • [ ] All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • [ ] I have added tests that prove my fix is effective or that my feature works
  • [ ] I have added necessary documentation (if appropriate)

jturner avatar Jul 18 '22 20:07 jturner

Hi @jturner,

Using env variables with variables is already supported, and confirmed the below template works with the current version of the project by using -ev and -V as you included in your example, could you please clarify the change required in this PR?

From what I can tell normally the env and cli substitution happens in the request section which is too late in the my_hmac: "{{hmac('sha1', '{{my_join}}', '{{SKEY}}')}}" example. From what I can tell when the template is unmarshelled and then the variables get unmarshelled they get evaluated right away and the hmac helper will be computed with the literal {{SKEY}} instead of it's value. With this PR {{SKEY}} will be available when the variables are unmarshelled and evaluated.

I hope that makes sense.

jturner avatar Jul 20 '22 16:07 jturner

Any additional details I can provide? Does this make sense? Thanks!

jturner avatar Aug 18 '22 20:08 jturner

@jturner Could you please create an associated issue detailing the problem we are fixing with this PR? thank you.

ehsandeep avatar Aug 19 '22 21:08 ehsandeep

@jturner I'm closing the PR due to lack of activity - Please let us know if there is anything we can do. Thanks!

Mzack9999 avatar Nov 24 '22 21:11 Mzack9999