Removing singletons #6210

Mzack9999 · 2025-05-07T19:21:55Z

Proposed changes

Closes #5239

Checklist

Pull request is created against the dev branch
All checks passed (lint, unit/integration/regression tests etc.) with my changes
I have added tests that prove my fix is effective or that my feature works
I have added necessary documentation (if appropriate)

coderabbitai · 2025-05-07T19:22:02Z

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

Review comments: Directly reply to a review comment made by CodeRabbit. Example:
- I pushed a fix in commit <commit_id>, please review it.
- Generate unit testing code for this file.
- Open a follow-up GitHub issue for this discussion.
Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
- @coderabbitai generate unit testing code for this file.
- @coderabbitai modularize this function.
PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
- @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
- @coderabbitai read src/utils.ts and generate unit testing code.
- @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
- @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

@coderabbitai pause to pause the reviews on a PR.
@coderabbitai resume to resume the paused reviews.
@coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
@coderabbitai full review to do a full review from scratch and review all the files again.
@coderabbitai summary to regenerate the summary of the PR.
@coderabbitai generate docstrings to generate docstrings for this PR.
@coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
@coderabbitai resolve resolve all the CodeRabbit review comments.
@coderabbitai configuration to show the current CodeRabbit configuration for the repository.
@coderabbitai help to get help.

Other keywords and placeholders

Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (`.coderabbit.yaml`)

You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
Please see the configuration documentation for more information.
If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

Visit our Documentation for detailed information on how to use CodeRabbit.
Join our Discord Community to get help, request features, and share feedback.
Follow us on X/Twitter for updates and announcements.

cmd/integration-test/fuzz.go

@@ -55,7 +55,7 @@
 	router.GET("/", func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
 		w.Header().Set("Content-Type", "text/html")
 		value := r.URL.Query().Get("id")
-		fmt.Fprintf(w, "This is test matcher text: %v", value)
+		_, _ = fmt.Fprintf(w, "This is test matcher text: %v", value)


To fix the reflected XSS vulnerability, the user-provided input (value) must be sanitized or escaped before being included in the HTTP response. In Go, the html.EscapeString function from the html package is a standard and effective way to escape special characters in a string for safe inclusion in HTML content. This ensures that any potentially malicious input is rendered harmless.

The fix involves:

Importing the html package if not already imported.

Escaping the value variable using html.EscapeString before passing it to fmt.Fprintf.

The changes will be made in the cmd/integration-test/fuzz.go file, specifically in the HTTP handler function on line 58.

cmd/integration-test/fuzz.go

@@ -75,7 +75,7 @@
 	router.GET("/", func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
 		w.Header().Set("Content-Type", "text/html")
 		value := r.URL.Query().Get("id")
-		fmt.Fprintf(w, "This is test matcher text: %v", value)
+		_, _ = fmt.Fprintf(w, "This is test matcher text: %v", value)


To fix the reflected XSS vulnerability, the user-provided input (value) should be sanitized or escaped before being included in the HTTP response. In Go, the html.EscapeString function from the html package is commonly used to escape special characters in a string, making it safe for inclusion in HTML content. This ensures that any potentially malicious input is rendered as plain text rather than being executed as code.

The changes will be applied to both instances where fmt.Fprintf is used to write the value variable to the response (lines 58 and 78). The html package will also need to be imported.

cmd/integration-test/fuzz.go

@@ -120,7 +120,7 @@
 	router.GET("/", func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
 		w.Header().Set("Content-Type", "text/html")
 		value := r.URL.Query().Get("id")
-		fmt.Fprintf(w, "This is test matcher text: %v", value)
+		_, _ = fmt.Fprintf(w, "This is test matcher text: %v", value)


To fix the reflected XSS vulnerability, the user-provided input (value) must be sanitized or escaped before being included in the HTTP response. In Go, the html.EscapeString function from the html package is a standard and effective way to escape special HTML characters, such as <, >, and &, which could otherwise be used to inject malicious scripts.

The fix involves:

Importing the html package if it is not already imported.

Escaping the value variable using html.EscapeString before passing it to fmt.Fprintf.

This ensures that any potentially malicious input is safely encoded and cannot be executed as part of the HTML response.

cmd/integration-test/fuzz.go

@@ -164,7 +164,7 @@
 	router := httprouter.New()
 	router.GET("/", func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
 		resp := fmt.Sprintf("<html><body>%s</body></html>", r.URL.Query().Get("url"))
-		fmt.Fprint(w, resp)
+		_, _ = fmt.Fprint(w, resp)


To fix the reflected XSS vulnerability, the user-provided input (r.URL.Query().Get("url")) must be sanitized or escaped before being included in the HTML response. The html.EscapeString function from the Go standard library is well-suited for this purpose, as it escapes special characters like <, >, and & to their corresponding HTML entities, preventing the execution of malicious scripts.

The fix involves wrapping the user input with html.EscapeString before embedding it into the resp string. This ensures that any potentially harmful characters in the input are safely escaped.

cmd/integration-test/http.go

@@ -1192,7 +1201,7 @@
 func (h *httpVariables) Execute(filePath string) error {
 	router := httprouter.New()
 	router.GET("/", func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
-		fmt.Fprintf(w, "%s\n%s\n%s", r.Header.Get("Test"), r.Header.Get("Another"), r.Header.Get("Email"))
+		_, _ = fmt.Fprintf(w, "%s\n%s\n%s", r.Header.Get("Test"), r.Header.Get("Another"), r.Header.Get("Email"))


To fix the issue, we need to sanitize the user-controlled input retrieved from the HTTP headers before writing it to the HTTP response. The html.EscapeString function from the html package in Go is a suitable choice for escaping special characters in the input, making it safe for inclusion in HTML responses.

The fix involves:

Importing the html package if it is not already imported.

Escaping the values retrieved from r.Header.Get using html.EscapeString before passing them to fmt.Fprintf.

cmd/integration-test/http.go

@@ -1192,7 +1201,7 @@
 func (h *httpVariables) Execute(filePath string) error {
 	router := httprouter.New()
 	router.GET("/", func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
-		fmt.Fprintf(w, "%s\n%s\n%s", r.Header.Get("Test"), r.Header.Get("Another"), r.Header.Get("Email"))
+		_, _ = fmt.Fprintf(w, "%s\n%s\n%s", r.Header.Get("Test"), r.Header.Get("Another"), r.Header.Get("Email"))


To fix the reflected cross-site scripting vulnerability, the user-controlled input (r.Header.Get(...)) should be sanitized or escaped before being written to the HTTP response. In Go, the html.EscapeString function from the html package can be used to escape special characters in the input, making it safe for inclusion in HTML content.

The fix involves:

Importing the html package if not already imported.

Escaping the values retrieved from r.Header.Get(...) using html.EscapeString before passing them to fmt.Fprintf.

The changes will be applied to the cmd/integration-test/http.go file, specifically to the router.GET handler in the httpVariables.Execute method.

cmd/integration-test/http.go

@@ -1449,7 +1458,7 @@
 func (h *ConstantWithCliVar) Execute(filePath string) error {
 	router := httprouter.New()
 	router.GET("/", func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
-		fmt.Fprint(w, r.URL.Query().Get("p"))
+		_, _ = fmt.Fprint(w, r.URL.Query().Get("p"))


To fix the issue, the user-provided value from the query parameter p should be sanitized or escaped before being written to the HTTP response. In Go, the html.EscapeString function from the html package can be used to escape special characters in the user input, making it safe to include in the response.

The fix involves:

Importing the html package if it is not already imported.

Escaping the value of r.URL.Query().Get("p") using html.EscapeString before passing it to fmt.Fprint.

This ensures that any potentially malicious input is neutralized, preventing XSS attacks.

cmd/integration-test/http.go

@@ -1486,10 +1495,10 @@
 func (h *httpDisablePathAutomerge) Execute(filePath string) error {
 	router := httprouter.New()
 	router.GET("/api/v1/test", func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
-		fmt.Fprint(w, r.URL.Query().Get("id"))
+		_, _ = fmt.Fprint(w, r.URL.Query().Get("id"))


To fix the reflected cross-site scripting vulnerability, the user-provided input (id parameter) must be sanitized or escaped before being written to the HTTP response. In Go, the html.EscapeString function from the html package is commonly used to escape special characters in a string, making it safe for inclusion in HTML content.

Steps to fix:

Import the html package if it is not already imported.

Use html.EscapeString to escape the value of r.URL.Query().Get("id") before passing it to fmt.Fprint.

This ensures that any special characters in the user input (e.g., <, >, &) are converted to their HTML-escaped equivalents (e.g., <, >, &), preventing the execution of malicious scripts.

cmd/integration-test/workflow.go

 	})
 	router.GET("/path2", func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
 		body, _ := io.ReadAll(r.Body)
-		fmt.Fprintf(w, "%s", body)
+		_, _ = fmt.Fprintf(w, "%s", body)


To fix the issue, the user-provided input (body) must be sanitized or escaped before being written to the HTTP response. In Go, the html.EscapeString function can be used to escape special HTML characters, ensuring that any malicious input is rendered harmless in the browser. This change should be applied to the fmt.Fprintf call on line 169.

Steps to fix:

Import the html package if not already imported.

Use html.EscapeString to sanitize the body variable before writing it to the response.

cmd/integration-test/workflow.go

 	})
 	// path2 responds with the value of the "extracted" query parameter, e.g.: /path2?extracted=blog.projectdiscovery.io => blog.projectdiscovery.io
 	router.GET("/path2", func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
-		fmt.Fprintf(w, "%s", r.URL.Query().Get("extracted"))
+		_, _ = fmt.Fprintf(w, "%s", r.URL.Query().Get("extracted"))


To fix the reflected XSS vulnerability, the user-controlled input (r.URL.Query().Get("extracted")) must be sanitized or encoded before being written to the HTTP response. The best approach is to use the html.EscapeString function from the Go standard library, which escapes special HTML characters (<, >, &, etc.) to their corresponding HTML entities. This ensures that any malicious input is rendered harmless in the browser.

Steps to fix:

Import the html package from the Go standard library.

Replace the direct usage of r.URL.Query().Get("extracted") with html.EscapeString(r.URL.Query().Get("extracted")) in the fmt.Fprintf call on line 221.

Mzack9999 added 4 commits May 5, 2025 22:15

introducing execution id

a87b310

wip

e44e3a4

.

5d17531

adding separate execution context id

f27b251

Mzack9999 self-assigned this May 7, 2025

Mzack9999 added 3 commits May 7, 2025 21:24

Merge branch 'dev' into feat-5239-no-singleton

752bd3b

lint

6692c1d

vet

89020a6

github-advanced-security bot found potential problems May 7, 2025

View reviewed changes

Mzack9999 added 6 commits May 8, 2025 23:16

Merge branch 'dev' into feat-5239-no-singleton

781ca16

fixing pg dialers

d5066dd

test ignore

3b8241c

fixing loader FD limit

736ee5a

test

dfc8ed8

fd fix

2a6c6da

@@ -4,2 +4,3 @@
             	"fmt"
+            	"html"
             	"net/http"
@@ -57,3 +58,4 @@
             		value := r.URL.Query().Get("id")
-            		_, _ = fmt.Fprintf(w, "This is test matcher text: %v", value)
+            		escapedValue := html.EscapeString(value)
+            		_, _ = fmt.Fprintf(w, "This is test matcher text: %v", escapedValue)
             	})

@@ -4,2 +4,3 @@
             	"fmt"
+            	"html"
             	"net/http"
@@ -57,3 +58,3 @@
             		value := r.URL.Query().Get("id")
-            		_, _ = fmt.Fprintf(w, "This is test matcher text: %v", value)
+            		_, _ = fmt.Fprintf(w, "This is test matcher text: %v", html.EscapeString(value))
             	})
@@ -77,3 +78,3 @@
             		value := r.URL.Query().Get("id")
-            		_, _ = fmt.Fprintf(w, "This is test matcher text: %v", value)
+            		_, _ = fmt.Fprintf(w, "This is test matcher text: %v", html.EscapeString(value))
             	})

@@ -12,2 +12,3 @@
             	"github.com/projectdiscovery/nuclei/v3/pkg/utils/json"
+            	"html"
             )
@@ -122,3 +123,4 @@
             		value := r.URL.Query().Get("id")
-            		_, _ = fmt.Fprintf(w, "This is test matcher text: %v", value)
+            		escapedValue := html.EscapeString(value)
+            		_, _ = fmt.Fprintf(w, "This is test matcher text: %v", escapedValue)
             	})

@@ -12,2 +12,3 @@
             	"github.com/projectdiscovery/nuclei/v3/pkg/utils/json"
+            	"html"
             )
@@ -165,3 +166,4 @@
             	router.GET("/", func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
-            		resp := fmt.Sprintf("<html><body>%s</body></html>", r.URL.Query().Get("url"))
+            		escapedURL := html.EscapeString(r.URL.Query().Get("url"))
+            		resp := fmt.Sprintf("<html><body>%s</body></html>", escapedURL)
             		_, _ = fmt.Fprint(w, resp)

@@ -4,2 +4,3 @@
             	"errors"
+            	"html"
             	"fmt"
@@ -1203,3 +1204,3 @@
             	router.GET("/", func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
-            		_, _ = fmt.Fprintf(w, "%s\n%s\n%s", r.Header.Get("Test"), r.Header.Get("Another"), r.Header.Get("Email"))
+            		_, _ = fmt.Fprintf(w, "%s\n%s\n%s", html.EscapeString(r.Header.Get("Test")), html.EscapeString(r.Header.Get("Another")), html.EscapeString(r.Header.Get("Email")))
             	})

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Removing singletons #6210

Removing singletons #6210

Uh oh!

Mzack9999 commented May 7, 2025

Uh oh!

coderabbitai bot commented May 7, 2025

Review skipped

Chat

Support

CodeRabbit Commands (Invoked using PR comments)

Other keywords and placeholders

CodeRabbit Configuration File (`.coderabbit.yaml`)

Documentation and Community

Uh oh!

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Check warning

Copilot Autofix

Uh oh!

@@ -13,2 +13,3 @@
             	"strings"
+            	"html"
             	"time"
@@ -1460,3 +1461,4 @@
             	router.GET("/", func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
-            		_, _ = fmt.Fprint(w, r.URL.Query().Get("p"))
+            		escapedParam := html.EscapeString(r.URL.Query().Get("p"))
+            		_, _ = fmt.Fprint(w, escapedParam)
             	})

Removing singletons #6210

Are you sure you want to change the base?

Removing singletons #6210

Uh oh!

Conversation

Mzack9999 commented May 7, 2025

Proposed changes

Checklist

Uh oh!

coderabbitai bot commented May 7, 2025

Review skipped

Chat

Support

CodeRabbit Commands (Invoked using PR comments)

Other keywords and placeholders

CodeRabbit Configuration File (.coderabbit.yaml)

Documentation and Community

Uh oh!

Check warning

Uh oh!

Copilot Autofix

Check warning

Uh oh!

Copilot Autofix

Check warning

Uh oh!

Copilot Autofix

Check warning

Uh oh!

Copilot Autofix

Check warning

Uh oh!

Copilot Autofix

Check warning

Uh oh!

Copilot Autofix

Check warning

Uh oh!

Copilot Autofix

Check warning

Uh oh!

Copilot Autofix

Check warning

Uh oh!

Copilot Autofix

Check warning

Uh oh!

Copilot Autofix

Uh oh!

CodeRabbit Configuration File (`.coderabbit.yaml`)