Extending deny list to support filenames and folders #1260
Conversation
lgtm!
@Mzack9999 it took some time, but here are all the details we required related to file/folder exclusion for the file templates. Currently, the 2nd and 5th rules are supported, and the others need to be supported.

```yaml
denylist:
  - /Users/xx/nuclei-templates/cves/ # excludes the directory and all subdirectories under "/Users/xx/nuclei-templates/cves/*"
  - /Users/xx/nuclei-templates/vulnerabilities/jira/jira-unauthenticated-projects.yaml # excludes the specific file /Users/xx/nuclei-templates/vulnerabilities/jira/jira-unauthenticated-projects.yaml
  - dns/ # excludes $INPUT_PATH/dns/*
  - exposed-panels/cortex-xsoar-login.yaml # excludes $INPUT_PATH/exposed-panels/cortex-xsoar-login.yaml
  - .txt # excludes all files with the .txt extension
# $INPUT_PATH is what we receive as an input directory/path to perform the file scan using the "-u" or "list" flag.
# nuclei -t file/ -u http_data/, here "http_data" is $INPUT_PATH
```
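As an added example, not code from this PR or from nuclei itself, a small matcher in Go that applies the five rule kinds listed above (absolute directory, absolute file, directory relative to $INPUT_PATH, file relative to $INPUT_PATH, bare extension). `DenyList`, `Excluded` and the `http_data` input path are assumptions for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// DenyList holds the rules above plus $INPUT_PATH (the -u / list value). Hypothetical type.
type DenyList struct {
	InputPath string
	Rules     []string
}

// resolve anchors a relative rule at $INPUT_PATH; absolute rules are only cleaned.
func (d DenyList) resolve(p string) string {
	if !strings.HasPrefix(p, "/") {
		p = filepath.Join(d.InputPath, p)
	}
	return filepath.ToSlash(filepath.Clean(p))
}

// Excluded reports whether path matches any rule: a bare extension (".txt"),
// a directory (trailing "/", covers everything below it) or an exact file.
func (d DenyList) Excluded(path string) bool {
	clean := filepath.ToSlash(filepath.Clean(path))
	for _, rule := range d.Rules {
		rule = strings.TrimSpace(rule)
		switch {
		case strings.HasPrefix(rule, ".") && !strings.Contains(rule, "/"):
			if filepath.Ext(clean) == rule { // extension rule
				return true
			}
		case strings.HasSuffix(rule, "/"): // directory rule
			if dir := d.resolve(rule); clean == dir || strings.HasPrefix(clean, dir+"/") {
				return true
			}
		default: // file rule
			if clean == d.resolve(rule) {
				return true
			}
		}
	}
	return false
}

func main() {
	d := DenyList{InputPath: "http_data", Rules: []string{"dns/", ".txt"}}
	fmt.Println(d.Excluded("http_data/dns/caa.yaml"), d.Excluded("http_data/a.yaml")) // true false
}
```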
Test failures are expected due to the use of an old version of nuclei.
We might want to move the hard-coded value in nuclei/v2/pkg/protocols/file/file.go (line 70 in c4d1b03) to the default configuration as well.
Proposed changes
This PR extends the deny list functionality of file requests to support file and directory exclusions.
Checklist