fix: tools in readme, arjun chunk and ffuf header #679

ocervell · 2025-06-04T19:06:12Z

Summary by CodeRabbit

Bug Fixes
- Ensured runner input lists contain only unique elements to prevent duplicate processing.
- Improved test reliability by clearing template caches before relevant unit tests.
New Features
- Added input chunk size control to the "arjun" task for more granular processing.
Refactor
- Adjusted conditions for Host header fuzzing and "FUZZ" keyword warnings in the "ffuf" task for more accurate behavior.
Documentation
- Updated the README to remove a duplicate tool entry.
- Clarified workflow configuration for the "arjun" task to filter targets more precisely.

coderabbitai · 2025-06-04T19:06:18Z

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

This update removes a duplicate tool entry from the documentation, adds a filter to workflow configuration for the arjun task, deduplicates runner inputs in the Runner class, adjusts error handling and chunking in the arjun task, refines header fuzzing logic in the ffuf task, and clears template caches in relevant tests.

Changes

File(s)	Change Summary
README.md	Removed duplicate "dnsxbrute" tool entry from supported tools table.
secator/configs/workflows/url_params_fuzz.yaml	Added `targets_` filter to exclude targets with '?' in their name for the `arjun` task.
secator/runners/_base.py	Deduplicated inputs in `Runner` class constructor using set conversion.
secator/tasks/arjun.py	Removed unused `Error` import, added `input_chunk_size=1`, disabled error reporting for missing JSON.
secator/tasks/ffuf.py	Refined host header fuzzing and "FUZZ" keyword warning logic based on input count and presence.
tests/unit/test_template.py	Inserted `find_templates.cache_clear()` at start of several test methods to clear template cache.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Runner
    participant Target

    User->>Runner: Provide inputs
    Runner->>Runner: Deduplicate inputs
    Runner->>Target: Create Target objects for unique inputs

sequenceDiagram
    participant Workflow
    participant ArjunTask

    Workflow->>ArjunTask: Provide targets
    ArjunTask->>ArjunTask: Filter targets where name does not contain '?'
    ArjunTask->>ArjunTask: Process filtered targets

sequenceDiagram
    participant FFUFTask
    participant Inputs

    FFUFTask->>Inputs: Check number of inputs
    alt Multiple inputs
        FFUFTask->>FFUFTask: Fuzz Host header if enabled
        FFUFTask->>FFUFTask: Warn if "FUZZ" missing in inputs, headers, or data
    else Single input
        FFUFTask->>FFUFTask: Do not fuzz Host header
        FFUFTask->>FFUFTask: No warning for missing "FUZZ"
    end

Possibly related PRs

freelabz/secator#673: Refactors and enhances the Runner class initialization and state management, directly related to the deduplication logic added in this update.

Poem

A hop and a skip, through code we go,
Deduping inputs, making tests glow.
Arjun and FFUF, with logic refined,
Docs a bit lighter, no dupes to find.
With caches cleared and filters set,
This rabbit’s code is the best one yet! 🐇✨

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

Review comments: Directly reply to a review comment made by CodeRabbit. Example:
- I pushed a fix in commit <commit_id>, please review it.
- Explain this complex logic.
- Open a follow-up GitHub issue for this discussion.
Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
- @coderabbitai explain this code block.
- @coderabbitai modularize this function.
PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
- @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
- @coderabbitai read src/utils.ts and explain its main purpose.
- @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
- @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

@coderabbitai pause to pause the reviews on a PR.
@coderabbitai resume to resume the paused reviews.
@coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
@coderabbitai full review to do a full review from scratch and review all the files again.
@coderabbitai summary to regenerate the summary of the PR.
@coderabbitai generate docstrings to generate docstrings for this PR.
@coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
@coderabbitai resolve resolve all the CodeRabbit review comments.
@coderabbitai configuration to show the current CodeRabbit configuration for the repository.
@coderabbitai help to get help.

Other keywords and placeholders

Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

Visit our Documentation for detailed information on how to use CodeRabbit.
Join our Discord Community to get help, request features, and share feedback.
Follow us on X/Twitter for updates and announcements.

coderabbitai

Actionable comments posted: 2

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2a3bf08 and 60f499d.

📒 Files selected for processing (6)

README.md (0 hunks)
secator/configs/workflows/url_params_fuzz.yaml (1 hunks)
secator/runners/_base.py (1 hunks)
secator/tasks/arjun.py (3 hunks)
secator/tasks/ffuf.py (1 hunks)
tests/unit/test_template.py (3 hunks)

💤 Files with no reviewable changes (1)

README.md

🧰 Additional context used

🧬 Code Graph Analysis (2)

secator/tasks/ffuf.py (1)

secator/runners/command.py (1)

get_opt_value (249-266)

secator/tasks/arjun.py (3)

secator/output_types/info.py (1)

Info (8-24)

secator/output_types/url.py (1)

Url (12-94)

secator/output_types/warning.py (1)

Warning (8-24)

⏰ Context from checks skipped due to timeout of 90000ms (1)

GitHub Check: integration (3.11, ubuntu-latest)

🔇 Additional comments (6)

secator/configs/workflows/url_params_fuzz.yaml (1)

12-15: LGTM! Logical filtering for parameter discovery.

The filter to exclude targets containing '?' is appropriate for URL parameter discovery, as these URLs already have parameters and may not be suitable for fuzzing.

tests/unit/test_template.py (1)

128-128: LGTM! Good practice for test isolation.

Adding cache clearing at the start of test methods ensures that cached template data doesn't influence test outcomes, improving test reliability and isolation.

Also applies to: 136-136, 152-152, 162-162, 174-174

secator/runners/_base.py (1)

183-183: LGTM! Efficient input deduplication.

Removing duplicate inputs prevents redundant processing and improves performance. The set conversion approach is efficient for deduplication.

secator/tasks/arjun.py (2)

7-7: LGTM! Consistent with usage.

Removing the unused Error import is appropriate since error reporting is no longer used in this file.

22-22: LGTM! Aligns with workflow filtering.

Setting input_chunk_size = 1 ensures single URL processing, which works well with the new target filtering in the workflow configuration.
secator/tasks/ffuf.py (1)

107-108:
❓ Verification inconclusive

Verify the inverted logic for FUZZ keyword warning.

The warning condition was inverted to trigger only when there are multiple inputs and FUZZ is missing. This seems counterintuitive:

Multiple URLs: Users providing multiple distinct URLs (e.g., ["http://site1.com/login", "http://site2.com/admin"]) are typically testing different endpoints, not fuzzing parameters, so missing FUZZ might be intentional.

Single URL: Users with a single URL like http://example.com/ without FUZZ are more likely to need the FUZZ keyword for meaningful fuzzing operations.

The current logic conflicts with the recursion handling at line 92, which adds /FUZZ specifically for single inputs when recursion is enabled.

🏁 Script executed:
#!/bin/bash
# Search for test cases and usage examples to understand the expected behavior
rg -A 15 -B 5 "FUZZ.*not.*present\|missing.*FUZZ"
Length of output: 51

🏁 Script executed:
#!/bin/bash
# Display lines 70–120 in secator/tasks/ffuf.py to review recursion and warning logic
sed -n '70,120p' secator/tasks/ffuf.py
Length of output: 1767

🏁 Script executed:
#!/bin/bash
# Show all occurrences of self.inputs and its initialization in secator/tasks/ffuf.py
rg -n "self.inputs" secator/tasks/ffuf.py
Length of output: 454

🏁 Script executed:
#!/bin/bash
# Search for class definition in secator/tasks/ffuf.py
rg -n "class " secator/tasks/ffuf.py
Length of output: 65

🏁 Script executed:
#!/bin/bash
# Display the beginning of secator/tasks/ffuf.py to review class docstring and comments
sed -n '1,200p' secator/tasks/ffuf.py
Length of output: 4156
Verify FUZZ warning condition in on_cmd_opts

The current check only emits a warning when there are multiple inputs and no “FUZZ” in URL, headers, or body, but:

For single‐URL invocations (where recursion isn’t enabled), users are more likely to forget “FUZZ” in their URL, yet no warning is shown.

For multiple distinct URLs (e.g. [“http://a.com/login”, “http://b.com/admin”]) a warning may be misleading if the intent isn’t parameter fuzzing.

Please confirm the intended behavior and adjust the condition accordingly. For example, you might:

Warn on single inputs when “FUZZ” is missing.

Or remove the len(self.inputs) > 1 guard entirely if every run should require “FUZZ” unless recursion added it.

Location:

secator/tasks/ffuf.py, inside on_cmd_opts() around lines 107–108.

secator/tasks/arjun.py

secator/tasks/ffuf.py

🤖 I have created a release *beep* *boop* --- ## [0.16.0](v0.15.1...v0.16.0) (2025-06-05) ### Features * **`dnsx`:** merge `dnsxbrute` into `dnsx` ([#571](#571)) ([d30a497](d30a497)) * add task revoke state and perf improvements ([#678](#678)) ([2a3bf08](2a3bf08)) * allow returning errors in hooks ([#632](#632)) ([39a56bd](39a56bd)) * improve bbot output types ([#627](#627)) ([3b0aa5d](3b0aa5d)) * improve runner logic, workflow building, results filtering logic; and add config defaults for profiles & drivers ([#673](#673)) ([df94657](df94657)) * improve template loading flow ([#667](#667)) ([f223120](f223120)) * memory optimizations ([#681](#681)) ([d633133](d633133)) * **misc:** condition-based runs, chunked_by opts, dynamic task profiles, cli improvements ([#659](#659)) ([e8225cd](e8225cd)) * **runner:** add input validation to all tasks and workflows ([#663](#663)) ([8392551](8392551)) * **runner:** improve option handling ([#670](#670)) ([59b1c68](59b1c68)) * **scans:** improve scans ([#660](#660)) ([bdd38ec](bdd38ec)) * use os system for CLI and better labs ([#649](#649)) ([8b49912](8b49912)) * **workflow:** improve subdomain_recon workflow ([#657](#657)) ([bc65092](bc65092)) ### Bug Fixes * allow dry-run mode to work without targets ([#624](#624)) ([cccffb9](cccffb9)) * check task is registered before running test ([1f5cd83](1f5cd83)) * formatting for dynamic opts ([#628](#628)) ([dcbbfe9](dcbbfe9)) * header options conversion ([#633](#633)) ([6ae8423](6ae8423)) * header parsing ([#629](#629)) ([db2f028](db2f028)) * improve mongodb duplicate checker ([#626](#626)) ([bf277a9](bf277a9)) * **installer:** compound distro.like() on distribs like popos ([#653](#653)) ([3687e1d](3687e1d)) * **installer:** ignore dev/post release from PyPI ([#634](#634)) ([614c3e2](614c3e A47C 2)) * **installer:** secator update with correct package version ([#648](#648)) ([a9cf189](a9cf189)) * lab --wait not in gitlab runner ([070ae84](070ae84)) * logic to test all tasks ([3bd7503](3bd7503)) * os.system return code ([02aed75](02aed75)) * progress type fields ([#652](#652)) ([f146914](f146914)) * remove duplicates from txt exporter ([#630](#630)) ([88ba5c5](88ba5c5)) * remove fping -r flag by default, show alive hosts better ([#665](#665)) ([5c945fd](5c945fd)) * remove no-recreate flag in labs as not supported by github runner ([bd997a8](bd997a8)) * short opt incorrectly named ([#631](#631)) ([0c73c60](0c73c60)) * tasks with no file flag need input_chunk_size=1 ([#668](#668)) ([a088c94](a088c94)) * tools in readme, arjun chunk and ffuf header ([#679](#679)) ([654ff30](654ff30)) * tools table generator update ([9420f14](9420f14)) * update ci workflow ([f4c2b13](f4c2b13)) * update generate table workflow ([ff62702](ff62702)) * vulnerability output reference when unset ([#625](#625)) ([a656fbf](a656fbf)) ### Documentation * generate tools table md ([#610](#610)) ([d60f11e](d60f11e)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

ocervell added 2 commits June 4, 2025 15:02

update

b694f58

update

60f499d

coderabbitai bot changed the title ~~@coderabbitai~~ Remove duplicate tool entry, update arjun and ffuf tasks, refine tests Jun 4, 2025

coderabbitai bot reviewed Jun 4, 2025

View reviewed changes

secator/tasks/arjun.py Show resolved Hide resolved

secator/tasks/ffuf.py Outdated Show resolved Hide resolved

ocervell changed the title ~~Remove duplicate tool entry, update arjun and ffuf tasks, refine tests~~ fix: tools in readme, arjun chunk and ffuf header Jun 4, 2025

update

e848e3d

ocervell merged commit 654ff30 into main Jun 4, 2025
10 checks passed

ocervell deleted the minor-fixes-4 branch June 4, 2025 19:26

ocervell mentioned this pull request Jun 4, 2025

chore(main): release 0.16.0 #616

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix: tools in readme, arjun chunk and ffuf header #679

fix: tools in readme, arjun chunk and ffuf header #679

Uh oh!

Uh oh!

Review skipped

Chat

Support

CodeRabbit Commands (Invoked using PR comments)

Other keywords and placeholders

Documentation and Community

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

fix: tools in readme, arjun chunk and ffuf header #679

fix: tools in readme, arjun chunk and ffuf header #679

Uh oh!

Conversation

Uh oh!

Summary by CodeRabbit

Uh oh!

Uh oh!

Review skipped

Walkthrough

Changes

Sequence Diagram(s)

Possibly related PRs

Poem

Chat

Support

CodeRabbit Commands (Invoked using PR comments)

Other keywords and placeholders

Documentation and Community

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!