Skip to content

fix(config): template exclusion logic for paths with reserved names #6663

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Mzack9999 merged 3 commits into from
Dec 6, 2025
Merged

fix(config): template exclusion logic for paths with reserved names #6663

Mzack9999 merged 3 commits into from
Dec 6, 2025

Conversation

@dwisiswant0
Copy link
Member

@dwisiswant0 dwisiswant0 commented Dec 5, 2025
edited by coderabbitai bot
Loading

Proposed changes

Prev, the template exclusion logic checked if the
full file path contained any of the known
miscellaneous directory names (e.g., "helpers",
".git"). This caused false positives when valid
templates were stored in paths where a parent
directory matched one of these names (e.g.,
"/path/to/somewhere/that/has/helpers/dir/name/").

This commit introduces IsTemplateWithRoot, which
checks for excluded directories relative to a
provided root directory. It splits the relative
path into components.

Fixes #6662.

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Summary by CodeRabbit

  • Tests

    • Added comprehensive tests for template detection across relative/absolute paths, excluded directories, file extensions, and edge cases; improved cross-platform test behavior.

  • Refactor

    • Template discovery is now root-aware and respects the configured templates directory during filtering and traversal, reducing false positives and improving accuracy.

✏️ Tip: You can customize this high-level summary in your review settings.

@dwisiswant0
fix(config): template exclusion logic for paths with reserved names
d945201 
Prev, the template exclusion logic checked if the
full file path contained any of the known
miscellaneous directory names (e.g., helpers,
.git). This caused false positives when valid
templates were stored in paths where a parent
directory matched one of these names (e.g.,
/path/to/somewhere/that/has/helpers/dir/name/).

This commit introduces `IsTemplateWithRoot`, which
checks for excluded directories relative to a
provided root directory. It splits the relative
path into components.

Signed-off-by: Dwi Siswanto <git@dw1.io>
@auto-assign auto-assign bot requested a review from Mzack9999 December 5, 2025 17:32
@coderabbitai
Copy link
Contributor

coderabbitai bot commented Dec 5, 2025
edited
Loading

Walkthrough

Adds a root-aware template detection function IsTemplateWithRoot() and updates directory traversals and config processing to use it; refines exclusion logic to evaluate known misc directories relative to the templates root to avoid false positives; includes tests validating scenarios for absolute/relative paths and exclusions.

Changes

Cohort / File(s) Summary
Root-aware template detection
pkg/catalog/config/template.go		 Adds IsTemplateWithRoot(fpath, rootDir); updates IsTemplate(fpath) to delegate to it; computes pathToCheck using rootDir and fpath, performs component-wise, case-insensitive checks against known misc directories only on non-absolute paths, preserves config-file exclusions and template ID extraction.
Template detection usage
pkg/catalog/config/nucleiconfig.go, pkg/catalog/disk/find.go		 Replaces calls to IsTemplate(path) with IsTemplateWithRoot(path, <templatesDir/absPath>) so template identification is evaluated relative to the provided root during directory traversal and config processing.
Tests
pkg/catalog/config/template_test.go		 Adds table-driven tests for IsTemplateWithRoot() covering valid template extensions, excluded directories (including .git), absolute paths with and without a rootDir, and known config-file exclusions.
Misc test update
pkg/installer/zipslip_unix_test.go		 Replaces runtime.GOOS == "windows" with osutils.IsWindows() and updates skip message; imports adjusted.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Verify pathToCheck computation handles absolute vs relative fpaths combined with a non-empty rootDir across platforms.
  • Confirm component-wise, case-insensitive matching against known misc directories prevents false positives (linked issue #6662) without false negatives.
  • Review call sites in nucleiconfig.go and find.go to ensure correct root values are passed and behavior preserved.
  • Run the new tests and check platform-dependent path normalization in template_test.go.

Poem

🐰 I hopped through folders, near and far,
I nudged the roots and found each star.
Helpers no longer hide the scene,
Templates now are clear and clean. ✨

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)
Check name Status Explanation Resolution
Out of Scope Changes check ⚠️ Warning One minor out-of-scope change exists: the Windows-specific skip check refactoring in zipslip_unix_test.go is unrelated to the template exclusion logic fix. Move the osutils.IsWindows() refactoring in pkg/installer/zipslip_unix_test.go to a separate PR focused on test utility updates.
Docstring Coverage ⚠️ Warning Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: fixing template exclusion logic to handle reserved directory names correctly in paths.
Linked Issues check ✅ Passed All primary objectives from #6662 are addressed: IsTemplateWithRoot checks paths relative to root, excludes only templates within reserved directories relative to root, and prevents false positives from ancestor directories.
✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch dwisiswant0/fix/config/template-exclusion-logic-for-paths-with-reserved-names
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f6af521 and 0e498bc.

📒 Files selected for processing (2)
  • pkg/catalog/config/template_test.go (1 hunks)
  • pkg/installer/zipslip_unix_test.go (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • pkg/catalog/config/template_test.go
🧰 Additional context used
📓 Path-based instructions (1)
**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.go: Format Go code using go fmt ./...
Run static analysis using go vet ./... on Go code

Files:

  • pkg/installer/zipslip_unix_test.go
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Lint
🔇 Additional comments (3)
pkg/installer/zipslip_unix_test.go (3)

45-45: LGTM: Cleaner OS detection using utility function.

The refactor from runtime.GOOS == "windows" to osutils.IsWindows() maintains the same behavior while using a cleaner abstraction. This aligns with the coding guideline to prefer well-known libraries.

46-46: Improved skip message clarity.

The updated message "Skipping Zip LFI Check on Windows" is more accurate than the original. The previous message "Skipping Unix Zip LFI Check" was confusing since the test actually runs on Unix and is skipped on Windows.

10-10: Good refactor to use utility library for OS detection.

The import of osutils from the projectdiscovery utils package is appropriate and follows best practices. The IsWindows() function is properly exported from github.com/projectdiscovery/utils/os and functions correctly in version 0.7.3.

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai bot reviewed Dec 5, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (1)
pkg/catalog/config/template.go (1)

75-114: Core logic is sound; consider edge case for robustness.

The root-aware exclusion logic correctly addresses the bug:

  • Computes relative paths when rootDir is provided and filters based on path components only for non-absolute paths
  • Avoids false positives from parent directory names outside the root

Optional edge case refinement for Line 88:

The check !strings.HasPrefix(rel, "..") could theoretically match directory names like "..sneaky" (though unlikely in practice for template directories). Consider a more precise check:

-			if err == nil && !strings.HasPrefix(rel, "..") {
+			if err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {

This ensures only paths genuinely outside the root (e.g., "../" or "../foo") are caught, not directories with names starting with "..".

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2b9c985 and d945201.

📒 Files selected for processing (4)
  • pkg/catalog/config/nucleiconfig.go (1 hunks)
  • pkg/catalog/config/template.go (3 hunks)
  • pkg/catalog/config/template_test.go (1 hunks)
  • pkg/catalog/disk/find.go (2 hunks)
🧰 Additional context used
📓 Path-based instructions (2)
**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.go: Format Go code using go fmt ./...
Run static analysis using go vet ./... on Go code

Files:

  • pkg/catalog/disk/find.go
  • pkg/catalog/config/nucleiconfig.go
  • pkg/catalog/config/template.go
  • pkg/catalog/config/template_test.go
pkg/catalog/**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

Template discovery and loading from disk/remote sources should be implemented in pkg/catalog

Files:

  • pkg/catalog/disk/find.go
  • pkg/catalog/config/nucleiconfig.go
  • pkg/catalog/config/template.go
  • pkg/catalog/config/template_test.go
🧬 Code graph analysis (2)
pkg/catalog/disk/find.go (1)
pkg/catalog/config/template.go (1)
  • IsTemplateWithRoot (75-114)
pkg/catalog/config/nucleiconfig.go (1)
pkg/catalog/config/template.go (1)
  • IsTemplateWithRoot (75-114)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Lint
🔇 Additional comments (6)
pkg/catalog/disk/find.go (2)

214-214: LGTM!

The change correctly passes absPath as the root directory to enable root-aware template detection, ensuring that excluded directories are checked relative to the traversal root rather than the full absolute path.

238-238: LGTM!

Consistent with the native filesystem branch, this correctly applies root-aware template detection for the embedded filesystem case.

pkg/catalog/config/template_test.go (1)

9-78: Excellent test coverage for the bug fix.

The test suite effectively validates the root-aware exclusion logic:

  • Lines 35-39 test the bug fix scenario where an excluded directory name appears in a parent path
  • Lines 41-45 confirm that excluded directories within the root are still properly filtered
  • Lines 47-51 verify backward compatibility when no root is provided

The table-driven approach with clear test case names makes the test suite maintainable and comprehensive.

pkg/catalog/config/template.go (2)

68-70: Good backward compatibility design.

Delegating to IsTemplateWithRoot(fpath, "") maintains the existing IsTemplate API while enabling the new root-aware behavior. When no root is provided, the function falls back to checking path components only for relative paths, skipping the check for absolute paths.

177-177: LGTM!

Correctly applies root-aware template detection when building the template index, ensuring excluded directories are evaluated relative to the templates directory rather than the full absolute path.

pkg/catalog/config/nucleiconfig.go (1)

203-207: Go version supports strings.FieldsSeq usage.

The project requires Go 1.24.2 (per go.mod), which exceeds the Go 1.23 minimum needed for strings.FieldsSeq. The change from strings.Fields to strings.FieldsSeq is compatible and provides allocation efficiency. The paired update to IsTemplateWithRoot correctly applies the templates directory as the root parameter.

@Mzack9999 Mzack9999 added the Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors. label Dec 6, 2025
@Mzack9999 Mzack9999 merged commit 2c46f2c into dev Dec 6, 2025
20 checks passed
@Mzack9999 Mzack9999 deleted the dwisiswant0/fix/config/template-exclusion-logic-for-paths-with-reserved-names branch December 6, 2025 08:11
@dwisiswant0 dwisiswant0 added this to the v3.6.1 milestone Dec 12, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@Mzack9999 Mzack9999 Mzack9999 approved these changes

Assignees

@dwisiswant0 dwisiswant0

Labels

Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors.

Projects

None yet

Milestone

v3.6.1

Development

Successfully merging this pull request may close these issues.

Template exclusion logic incorrectly filters paths containing known directory names

2 participants

@dwisiswant0 @Mzack9999