fix(expressions): avoid helper eval in literal checks

dwisiswant0 · dwisiswant0 · commit a3f3c990c650 · 2026-04-02T10:29:47.000+07:00
`hasLiteralsOnly()` currently evaluates helper expressions while deciding whether "{{...}}" contains unresolved variables, which makes validation paths run side-effectful helpers. Just replace that runtime eval with a `Vars()` len check so unresolved-variable detection literally stays literal (am I writing it right?), and of course side-effect free. Also make `Evaluate()` return template-authored expression compile/eval errors instead of logging and then keep continuing, so malformed helper calls still fail in the rendering path. Fixes #7320 Signed-off-by: Dwi Siswanto <git@dw1.io>
diff --git a/pkg/protocols/common/expressions/expressions.go b/pkg/protocols/common/expressions/expressions.go
@@ -1,10 +1,10 @@
 package expressions
 
 import (
+	"fmt"
 	"strings"
 
 	"github.com/Knetic/govaluate"
-	"github.com/projectdiscovery/gologger"
 
 	"github.com/projectdiscovery/nuclei/v3/pkg/operators/common/dsl"
 	"github.com/projectdiscovery/nuclei/v3/pkg/protocols/common/marker"
@@ -53,28 +53,40 @@ func evaluate(data string, base map[string]interface{}) (string, error) {
 	// - complex: containing helper functions [ + variables]
 	// literals like {{2+2}} are not considered expressions
 	for _, expression := range expressions {
+		originalExpression := expression
 		// replace variable placeholders with base values
 		expression = replacer.Replace(expression, base)
+
 		// turns expressions (either helper functions+base values or base values)
 		compiled, err := govaluate.NewEvaluableExpressionWithFunctions(expression, dsl.HelperFunctions)
 		if err != nil {
-			gologger.Warning().Msgf("Failed to compile expression '%s': %v", expression, err)
-			continue
-		}
-		// propagate unresolved {{...}} markers from variable values so the
-		// downstream ContainsUnresolvedVariables check can detect them instead
-		// of having encoding functions (e.g. base64) hide them
-		if markers := unresolvedVarMarkers(compiled.Vars(), base); markers != "" {
-			data = replacer.ReplaceOne(data, expression, markers)
-			continue
+			return data, fmt.Errorf("failed to compile expression %q: %w", originalExpression, err)
 		}
+
 		result, err := compiled.Evaluate(base)
 		if err != nil {
-			gologger.Warning().Msgf("Failed to evaluate expression '%s': %v", expression, err)
-			continue
+			return data, fmt.Errorf("failed to evaluate expression %q: %w", originalExpression, err)
 		}
+
+		replacement := result
+		// Preserve unresolved markers only when a helper call would otherwise
+		// hide them from downstream validation. Plain expressions such as
+		// comparisons should evaluate normally.
+		if markers := unresolvedVarMarkers(compiled.Vars(), base); markers != "" {
+			usesFunctions := false
+			for _, token := range compiled.Tokens() {
+				if token.Kind == govaluate.FUNCTION {
+					usesFunctions = true
+					break
+				}
+			}
+			if usesFunctions && ContainsUnresolvedVariables(fmt.Sprint(result)) == nil {
+				replacement = markers
+			}
+		}
+
 		// replace incrementally
-		data = replacer.ReplaceOne(data, expression, result)
+		data = replacer.ReplaceOne(data, expression, replacement)
 	}
 	return data, nil
 }
diff --git a/pkg/protocols/common/expressions/expressions_test.go b/pkg/protocols/common/expressions/expressions_test.go
@@ -105,3 +105,50 @@ func TestEvaluateDoesNotReinterpretResolvedValues(t *testing.T) {
 		})
 	}
 }
+
+func TestEvaluateDoesNotExecuteHelpersFromResolvedValues(t *testing.T) {
+	var calls int
+
+	withTestHelperFunction(t, "test_side_effect", func(args ...interface{}) (interface{}, error) {
+		calls++
+		return "ok", nil
+	})
+
+	value, err := Evaluate("{{body}}", map[string]interface{}{
+		"body": "{{test_side_effect(1)}}",
+	})
+	require.NoError(t, err)
+	require.Equal(t, "{{test_side_effect(1)}}", value)
+	require.Zero(t, calls)
+}
+
+func TestEvaluateReturnsErrorForInvalidTemplateExpression(t *testing.T) {
+	_, err := Evaluate("{{base64()}}", map[string]interface{}{})
+	require.Error(t, err)
+	require.ErrorContains(t, err, `failed to evaluate expression "base64()"`)
+}
+
+func TestEvaluateErrorDoesNotLeakResolvedValues(t *testing.T) {
+	_, err := Evaluate("{{base64('{{secret_token}}', 'extra')}}", map[string]interface{}{
+		"secret_token": "top-secret-cia-mi6-kgb-mossad-classified",
+	})
+	require.Error(t, err)
+	require.ErrorContains(t, err, `failed to evaluate expression "base64('{{secret_token}}', 'extra')"`)
+	require.NotContains(t, err.Error(), "top-secret-cia-mi6-kgb-mossad-classified")
+}
+
+func TestEvaluatePlainExpressionsWithMarkerLikeValues(t *testing.T) {
+	value, err := Evaluate("{{body != ''}}", map[string]interface{}{
+		"body": "{{contact_id}}",
+	})
+	require.NoError(t, err)
+	require.Equal(t, "true", value)
+}
+
+func TestEvaluatePreservesVisibleMarkersFromHelperResults(t *testing.T) {
+	value, err := Evaluate("{{concat(body, '-x')}}", map[string]interface{}{
+		"body": "{{contact_id}}",
+	})
+	require.NoError(t, err)
+	require.Equal(t, "{{contact_id}}-x", value)
+}
diff --git a/pkg/protocols/common/expressions/variables.go b/pkg/protocols/common/expressions/variables.go
@@ -120,9 +120,10 @@ func hasLiteralsOnly(data string) bool {
 	if err != nil {
 		return false
 	}
-	if expr != nil {
-		_, err = expr.Evaluate(nil)
-		return err == nil
+
+	if expr == nil {
+		return true
 	}
-	return true
+
+	return len(expr.Vars()) == 0
 }
diff --git a/pkg/protocols/common/expressions/variables_test.go b/pkg/protocols/common/expressions/variables_test.go
@@ -4,9 +4,26 @@ import (
 	"errors"
 	"testing"
 
+	"github.com/Knetic/govaluate"
+	"github.com/projectdiscovery/nuclei/v3/pkg/operators/common/dsl"
 	"github.com/stretchr/testify/require"
 )
 
+func withTestHelperFunction(t *testing.T, name string, fn govaluate.ExpressionFunction) {
+	t.Helper()
+
+	originalFn, hadFn := dsl.HelperFunctions[name]
+	dsl.HelperFunctions[name] = fn
+
+	t.Cleanup(func() {
+		if hadFn {
+			dsl.HelperFunctions[name] = originalFn
+			return
+		}
+		delete(dsl.HelperFunctions, name)
+	})
+}
+
 func TestUnresolvedVariablesCheck(t *testing.T) {
 	tests := []struct {
 		data string
@@ -26,3 +43,15 @@ func TestUnresolvedVariablesCheck(t *testing.T) {
 		require.Equal(t, test.err, err, "could not get unresolved variables")
 	}
 }
+
+func TestUnresolvedVariablesCheckDoesNotExecuteHelpers(t *testing.T) {
+	var calls int
+	withTestHelperFunction(t, "test_side_effect", func(args ...interface{}) (interface{}, error) {
+		calls++
+		return "ok", nil
+	})
+
+	err := ContainsUnresolvedVariables("{{test_side_effect(1)}}")
+	require.NoError(t, err)
+	require.Zero(t, calls)
+}

Original file line number	Diff line number	Diff line change
`@@ -120,9 +120,10 @@ func hasLiteralsOnly(data string) bool {`
`120`	`120`	`if err != nil {`
`121`	`121`	`return false`
`122`	`122`	`}`
`123`		`- if expr != nil {`
`124`		`- _, err = expr.Evaluate(nil)`
`125`		`- return err == nil`
	`123`	`+`
	`124`	`+ if expr == nil {`
	`125`	`+ return true`
`126`	`126`	`}`
`127`		`- return true`
	`127`	`+`
	`128`	`+ return len(expr.Vars()) == 0`
`128`	`129`	`}`