Handle DisableUnsignedTemplates option

[p-l-]

Proposed changes

Option DisableUnsignedTemplates (CLI -dut) should "disable running unsigned templates or templates with mismatched signature" according to the documentation.

Checklist

• Pull request is created against the dev branch
• All checks passed (lint, unit/integration/regression tests etc.) with my changes
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

Summary by CodeRabbit

• Bug Fixes
  • Template loading now respects the “Disable unsigned templates” setting: unverified Code templates are skipped only when that option is enabled; otherwise they may be loaded as before.
• Tests
  • Integration tests updated to adjust how code execution is invoked to better reflect run-time behavior.

[coderabbitai]

Walkthrough

Restricts skipping of unverified Code-protocol templates so they are skipped only when DisableUnsignedTemplates is true and the template requests Code with no workflows; otherwise unverified Code templates can load. Also updates two integration test invocations to prepend a -dut flag before -t.

Changes

Cohort / File(s)	Change Summary
Catalog Loader pkg/catalog/loader/loader.go	Skip condition tightened: skipping now requires len(parsed.RequestsCode) > 0, not parsed.Verified, absence of Workflows, and DisableUnsignedTemplates to be true. Other control flow and error handling unchanged.
Integration Tests (code) cmd/integration-test/code.go	Test invocations updated: two calls now insert "-dut" before "-t" when calling RunNucleiArgsWithEnvAndGetResults (arguments otherwise unchanged). No other logic changes.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Loader as CatalogLoader
  participant Template as TemplateMeta
  participant Opts as Options

  Loader->>Template: read metadata (RequestsCode, Verified, Workflows)
  Loader->>Opts: read DisableUnsignedTemplates
  alt RequestsCode && !Verified && no Workflows && DisableUnsignedTemplates
    Loader-->>Template: skip template
  else
    Loader-->>Template: load template
  end

Loading

sequenceDiagram
  autonumber
  participant Test as IntegrationTest
  participant Runner as RunNucleiArgsWithEnv...

  Test->>Runner: build args (insert "-dut", then "-t", ...)
  Runner-->>Test: execute nuclei with args
  Note right of Runner: previously args lacked "-dut"

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

I twitch my whiskers at a rule refined,
A tiny flag decides which hops are signed.
Tests now march with -dut in tow,
I nibble carrots, watch workflows go.
A rabbit cheers: concise and kind. 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title “Handle DisableUnsignedTemplates option” clearly summarizes the main change, which is updating the behavior of the DisableUnsignedTemplates CLI flag to disable running unsigned templates as intended. It is concise, specific, and directly aligned with the pull request objectives.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/catalog/loader/loader.go (1)

560-564: Critical: Modify this check to allow Code templates with workflows to pass through.

The general unsigned template check here returns early for ALL unverified templates when DisableUnsignedTemplates is enabled. However, based on the PR objectives and the change at line 608, the intent is to allow unverified Code templates that have workflows to load.

The current implementation has a logic flaw: line 608's new condition len(parsed.Workflows) == 0 will never be evaluated for unverified Code templates because this check (lines 560-564) returns early, preventing execution from reaching line 608.

Apply this diff to allow Code templates with workflows to bypass this check:

 if !parsed.Verified && store.config.ExecutorOptions.Options.DisableUnsignedTemplates {
-	// skip unverified templates when prompted to
-	stats.Increment(templates.SkippedUnsignedStats)
-	return
+	// skip unverified templates when prompted to, except Code templates with workflows
+	if len(parsed.RequestsCode) > 0 && len(parsed.Workflows) > 0 {
+		// Allow unsigned code templates with workflows to continue
+	} else {
+		stats.Increment(templates.SkippedUnsignedStats)
+		return
+	}
 }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ecbf43b and 87cfdbd.

📒 Files selected for processing (2)

• cmd/integration-test/code.go (2 hunks)
• pkg/catalog/loader/loader.go (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.go: Format Go code using go fmt
Run static analysis with go vet

Files:

• pkg/catalog/loader/loader.go
• cmd/integration-test/code.go

🧬 Code graph analysis (2)

pkg/catalog/loader/loader.go (1)

pkg/types/types.go (1)

• Options (34-472)

cmd/integration-test/code.go (1)

pkg/testutils/integration.go (1)

• RunNucleiArgsWithEnvAndGetResults (166-202)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Tests (ubuntu-latest)
• GitHub Check: Tests (macOS-latest)
• GitHub Check: Tests (windows-latest)

🔇 Additional comments (1)

cmd/integration-test/code.go (1)

140-140: LGTM! Test changes correctly validate unsigned template rejection.

The addition of -dut flag to both unsignedCode and codePyNoSig test cases properly validates that the DisableUnsignedTemplates option rejects unsigned templates as expected. The tests correctly expect an error when unsigned templates are executed with this flag enabled.

Also applies to: 155-155

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify the intended behavior for Code templates with workflows.

The added condition len(parsed.Workflows) == 0 aims to allow Code templates with workflows to load even when unsigned. However, due to the early return at line 560-564, this condition is currently unreachable for unverified templates.

After fixing line 560-564 as suggested, verify this logic works as intended:

---

🏁 Script executed:

#!/bin/bash
# Description: Search for templates with both RequestsCode and Workflows to understand the use case

# Find templates that might have both code requests and workflows
rg -nP -A 5 -B 5 --type=go 'RequestsCode.*Workflows|Workflows.*RequestsCode' 

# Look for workflow-related logic in template structures
ast-grep --pattern $'type Template struct {
  $$$
  RequestsCode $_ 
  $$$
  Workflows $_ 
  $$$
}'

Length of output: 1165

---

🏁 Script executed:

#!/bin/bash
# Inspect early return in loader.go around line 560
sed -n '550,580p' pkg/catalog/loader/loader.go

# Find Template struct definitions across pkg/catalog
rg -nP --type=go 'type\s+Template\s+' -n pkg/catalog

Length of output: 1469

---

Revise early-return to allow unsigned templates with workflows
The if !parsed.Verified && DisableUnsignedTemplates { … return } at lines 560–564 skips all unverified templates, making the later else if len(parsed.RequestsCode)>0 && !parsed.Verified && len(parsed.Workflows)==0 && DisableUnsignedTemplates branch unreachable. Change the early-return to only skip when both len(parsed.Workflows)==0 and len(parsed.RequestsCode)==0, so unsigned templates with workflows can load.

🤖 Prompt for AI Agents

In pkg/catalog/loader/loader.go around line 608 (and the early-return at lines
~560–564), the current early-return skips all unverified templates when
DisableUnsignedTemplates is true, making the later branch at line 608
unreachable; change the early-return condition so it only returns when the
template is unverified, DisableUnsignedTemplates is true, AND both
len(parsed.Workflows) == 0 AND len(parsed.RequestsCode) == 0, allowing
unverified templates that contain workflows to continue loading while still
skipping completely empty unsigned templates.

[Mzack9999]

Thanks for the PR! I think this case should be already covered as mentioned by @coderabbitai at line 560-564 as the conditions should cause an early return, making the changed branch unreacheable