Handle DisableUnsignedTemplates option
Proposed changes
Option DisableUnsignedTemplates (CLI -dut) should "disable running unsigned templates or templates with mismatched signature" according to the documentation.
Checklist
- [x] Pull request is created against the dev branch
- [x] All checks passed (lint, unit/integration/regression tests etc.) with my changes
- [x] I have added tests that prove my fix is effective or that my feature works
- [x] I have added necessary documentation (if appropriate)
Summary by CodeRabbit
- Bug Fixes
- Template loading no longer force-skips certain unverified Code templates when they lack workflows; unverified templates are skipped only when the “Disable unsigned templates” setting is enabled.
- Tests
- Integration tests updated to adjust how code execution is invoked to better mirror runtime invocation.
Walkthrough
Removed a conditional that previously skipped unverified Code-protocol templates when they had no workflows; those templates now continue through the remaining loader checks. Also updated two integration test invocations to prepend a -dut flag before -t.
Changes
| Cohort / File(s) | Change Summary |
|---|---|
| Catalog Loader<br>`pkg/catalog/loader/loader.go` | Deleted the branch that logged tampered/unsigned and incremented skipped counters for unverified Code templates with zero workflows; such templates no longer get forcibly skipped at that check and proceed to subsequent validation branches. |
| Integration Tests (code)<br>`cmd/integration-test/code.go` | Two test executions now insert "-dut" before "-t" when calling RunNucleiArgsWithEnvAndGetResults; other args and logic unchanged. |
Sequence Diagram(s)
```mermaid
sequenceDiagram
    autonumber
    participant Loader as CatalogLoader
    participant Meta as TemplateMeta
    participant Opts as Options
    Loader->>Meta: read metadata (RequestsCode, Verified, Workflows)
    Loader->>Opts: read DisableUnsignedTemplates
    alt Was: (RequestsCode && !Verified && no Workflows && DisableUnsignedTemplates)
        Note right of Loader: (this branch was removed)
        Loader-->>Meta: previously skipped template (logged & stats++)
    else
        Loader-->>Meta: continue to remaining checks (IsFuzzing, DAST, ...)
    end
```

```mermaid
sequenceDiagram
    autonumber
    participant Test as IntegrationTest
    participant Runner as RunNucleiArgsWithEnv...
    Test->>Runner: build args (now: "-dut", "-t", ...)
    Runner-->>Test: execute nuclei with args
    Note right of Runner: previously args omitted "-dut"
```
Estimated code review effort
🎯 2 (Simple) | ⏱️ ~10 minutes
Poem
I twitch my whiskers at a tiny change,
A skipped branch hops away from the range.
Tests now bound with `-dut` in stride,
I nibble code carrots, happy inside. 🐇✨
Pre-merge checks and finishing touches
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The pull request title "Handle DisableUnsignedTemplates option" directly aligns with the primary objective stated in the PR description: to ensure the DisableUnsignedTemplates CLI flag (-dut) properly disables running unsigned templates. The code changes support this—removing a conditional that was skipping unverified templates and adding test coverage with the -dut flag in integration tests. The title is specific enough that a reviewer scanning commit history would understand it concerns the DisableUnsignedTemplates feature, and it accurately reflects the main focus of the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |
📜 Recent review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📥 Commits
Reviewing files that changed from the base of the PR and between 87cfdbd47cd2b362fbed0b51775a28532b2430bf and 389cb3aa333d5d6b58992a057991da001c1a17fa.
📒 Files selected for processing (1)
- pkg/catalog/loader/loader.go (0 hunks)
💤 Files with no reviewable changes (1)
- pkg/catalog/loader/loader.go
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: Lint
@Mzack9999 you're right, this code is now useless. I have updated the PR. Thanks!
@p-l- Thanks for your PR. I reviewed the code and it seems that the code present in the dev branch already handles the cases correctly. At line https://github.com/projectdiscovery/nuclei/blob/361f87773067d00c593aad0be56003d6ff7c9782/pkg/catalog/loader/loader.go#L590 the unverified unsigned templates are already excluded. Could you help me spot if I'm missing something in the correct functioning of the exclude unsigned template flag? Thanks!
@Mzack9999 I don't think so: with the current code, if you call nuclei without -dut (hence, willing to run unsigned templates) and add an unsigned code template, that template will not run. With this patch, it would run (hence the change in the test).
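To make the behavioural difference discussed in this thread concrete, here is an added example (not nuclei's `loader.go`, and `TemplateMeta`, `skipBefore`, `skipAfter` and `SampleTemplates` are constructed names) that models the old and new skip decisions side by side and lists which templates change outcome with and without `-dut`:

```go
package main

import "fmt"

// TemplateMeta is a constructed stand-in for the loader fields named in the
// review (RequestsCode, Verified, Workflows); it is not nuclei's own type.
type TemplateMeta struct {
	ID           string
	RequestsCode bool // Code-protocol template
	Verified     bool // signature present and matching
	HasWorkflows bool
}
// skipBefore models the dev-branch behaviour described in the thread: an
// unverified code template with no workflows was skipped even without -dut.
func skipBefore(m TemplateMeta, disableUnsigned bool) bool {
	if m.RequestsCode && !m.Verified && !m.HasWorkflows {
		return true
	}
	return !m.Verified && disableUnsigned
}
// skipAfter models the documented semantics of DisableUnsignedTemplates:
// unverified templates are skipped only when the flag is set.
func skipAfter(m TemplateMeta, disableUnsigned bool) bool {
	return !m.Verified && disableUnsigned
}
// SampleTemplates is constructed input covering signed/unsigned, code/non-code.
func SampleTemplates() []TemplateMeta {
	return []TemplateMeta{
		{ID: "signed-http", Verified: true}, {ID: "unsigned-http"},
		{ID: "signed-code", RequestsCode: true, Verified: true},
		{ID: "unsigned-code", RequestsCode: true},
		{ID: "unsigned-code-workflow", RequestsCode: true, HasWorkflows: true},
	}
}
// Diff returns the IDs whose skip decision differs between the two models.
func Diff(ts []TemplateMeta, disableUnsigned bool) (changed []string) {
	for _, t := range ts {
		if skipBefore(t, disableUnsigned) != skipAfter(t, disableUnsigned) {
			changed = append(changed, t.ID)
		}
	}
	return changed
}

func main() {
	for _, dut := range []bool{false, true} {
		fmt.Printf("-dut=%v changed decisions: %v\n", dut, Diff(SampleTemplates(), dut))
	}
}
```

With `-dut` set the two models agree on every template, so the flag still enforces signature checking; only the default run (no `-dut`) changes, and only for the unsigned, workflow-less code template.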