
ci: integrate typos spell checker into CI (#6532)#7080

Open
Yeachan-Heo wants to merge 1 commit into projectdiscovery:dev from Yeachan-Heo:ci/integrate-typos-6532

Conversation


@Yeachan-Heo Yeachan-Heo commented Mar 2, 2026

Summary

  • Add crate-ci/typos GitHub Actions workflow (.github/workflows/typos.yml) to catch spelling errors in PRs and pushes to dev
  • Add _typos.toml configuration to handle false positives: foreign language READMEs, test data, WAF regex patterns, SQL injection patterns, exported API identifiers, and encoded certificate data
  • Fix legitimate typos found across the codebase:
    • Reuests -> Requests (comment in server.go)
    • fiter -> filter (comment in config.go)
    • seperate -> separate (comments in sdk_test.go)
    • formated/Formated -> formatted/Formatted (variables/strings in tmc/main.go)
    • thant -> that (comment in flow_executor_test.go)
    • ExludedDastTmplStats -> ExcludedDastTmplStats (exported constant in parser_stats.go, stats.go, runner.go, loader.go)

Closes #6532

Test plan

  • typos runs clean with the provided _typos.toml config
  • CI workflow triggers on PRs and pushes to dev
  • No build regressions from renamed constant (ExcludedDastTmplStats)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes

    • Corrected multiple spelling errors and typos in variable names, identifiers, and comments throughout the codebase.
  • Chores

    • Added configuration file to enforce and manage typo detection across the project.

Add typos spell checker GitHub Actions workflow and configuration.
Fix legitimate typos found across the codebase (comments, variable
names, and an exported constant).

Changes:
- Add .github/workflows/typos.yml using crate-ci/typos action
- Add _typos.toml config for false positives (foreign language READMEs,
  test data, variable names, WAF regexes, SQL injection patterns)
- Fix typos: Reuests->Requests, fiter->filter, seperate->separate,
  formated->formatted, thant->that, ExludedDastTmplStats->ExcludedDastTmplStats

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@auto-assign auto-assign bot requested a review from dwisiswant0 March 2, 2026 04:21

neo-by-projectdiscovery-dev bot commented Mar 2, 2026

Neo - PR Security Review

Medium: 1

Highlights

  • Adds typos spell checker CI workflow to catch spelling errors in PRs and pushes to dev branch
  • Fixes legitimate typos in comments and variable names across the codebase
  • Renames exported constant ExludedDastTmplStats → ExcludedDastTmplStats (API change)

Medium (1)
  • GitHub Action pinned to mutable branch reference (.github/workflows/typos.yml:20)
    The crate-ci/typos action is referenced using @master, which is a mutable branch reference. This means the workflow will automatically use whatever code is on the master branch at runtime, potentially executing malicious code if the upstream repository is compromised.

Security Impact

GitHub Action pinned to mutable branch reference (.github/workflows/typos.yml:20):
If the crate-ci/typos repository is compromised or a malicious commit is pushed to master, this workflow will automatically execute the malicious code in the CI environment. An attacker could potentially exfiltrate repository secrets, modify code, or compromise the build pipeline.

Attack Examples

GitHub Action pinned to mutable branch reference (.github/workflows/typos.yml:20):

Attacker compromises crate-ci/typos repository → pushes malicious code to master branch → next PR triggers this workflow → malicious code executes with workflow permissions → attacker can read repository contents, access GITHUB_TOKEN, or modify workflow artifacts

Suggested Fixes

GitHub Action pinned to mutable branch reference (.github/workflows/typos.yml:20):

Pin the action to a specific commit SHA or immutable tag version. Replace 'uses: crate-ci/typos@master' with 'uses: crate-ci/typos@v1.28.3' (or latest stable version) or use a commit SHA like 'uses: crate-ci/typos@a1234567890abcdef1234567890abcdef12345678'
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@.github/workflows/typos.yml` at line 20, the crate-ci/typos action is
referenced using the mutable @master branch reference; replace it with a pinned
version tag (e.g., @v1.28.3) or a specific commit SHA to prevent automatic
execution of potentially malicious code if the upstream repository is
compromised. Check the crate-ci/typos releases page for the latest stable
version.
Hardening Notes
  • Consider adding explicit permissions block to typos.yml workflow to follow principle of least privilege (e.g., 'permissions: contents: read')
  • The _typos.toml configuration excludes several file types and patterns - periodically review these exclusions to ensure they don't hide actual typos in security-relevant code
  • Document the ExcludedDastTmplStats constant rename in release notes as it's an exported API change that could affect external consumers



coderabbitai bot commented Mar 2, 2026

Walkthrough

This PR corrects multiple typos and misspellings across the codebase, including variable naming, constant identifiers, struct names, and comments. It also introduces a _typos.toml configuration file for the typos tool to prevent future typos.

Changes

Cohort / File(s) and Summary
  • Typos Tool Configuration (_typos.toml): New configuration file for the typos tool with file exclusions and word mappings to define ignored patterns and valid non-typo terms for automated typo checking.
  • Variable & Struct Naming Fixes (cmd/tmc/main.go, internal/server/server.go): Corrects misspelled variable names (formatedTemplateData → formattedTemplateData, isFormated → isFormatted) and public struct name (PostReuestsHandlerRequest → PostRequestsHandlerRequest).
  • Constant & Reference Fixes (internal/runner/runner.go, pkg/catalog/loader/loader.go, pkg/templates/parser_stats.go, pkg/templates/stats.go): Fixes typo in public constant identifier from ExludedDastTmplStats to ExcludedDastTmplStats across multiple files that define or reference this stat.
  • Comment & Documentation Fixes (lib/config.go, lib/tests/sdk_test.go, pkg/tmplexec/flow/flow_executor_test.go): Corrects inline comments and test documentation (fiter → filter, seperate → separate, thant → that).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A hop through the code, typos we chase,
ExludedDast becomes Excluded with grace,
Formated and separate, now spelled just right,
The config tool watches through morning and night!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)
  • Docstring Coverage (⚠️ Warning): Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)
  • Description Check (✅ Passed): Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check (✅ Passed): The PR title 'ci: integrate typos spell checker into CI' directly reflects the main objective of adding a typos tool to the CI pipeline, which aligns with the changes adding the GitHub Actions workflow and configuration file.
  • Linked Issues check (✅ Passed): The PR successfully implements all requirements from issue #6532: integrating the crate-ci/typos tool via GitHub Actions, providing a _typos.toml configuration to handle false positives, and fixing confirmed typos throughout the codebase.
  • Out of Scope Changes check (✅ Passed): All changes are directly related to the typos integration objective: the _typos.toml config, GitHub Actions workflow, and fixes for typos (spelling corrections in variable names, comments, and exported constants).


runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: crate-ci/typos@master
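Review bot: `uses: crate-ci/typos@master` on the last line of this hunk resolves to whatever commit is on the upstream master branch at run time, so a compromised or simply broken upstream push changes what runs in this CI job without any change to this repository; pin it to a full 40-character commit SHA and keep the release tag as a trailing comment (for example `- uses: crate-ci/typos@<commit-sha> # v1.x`) so Dependabot or Renovate can still propose bumps. Nothing in the shown fragment sets `permissions:`; if the full file does not either, the job runs with the repository's default GITHUB_TOKEN permissions, and a spell checker only needs `permissions: contents: read` at workflow level.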


🟡 GitHub Action pinned to mutable branch reference (CWE-829) — The crate-ci/typos action is referenced using @master, which is a mutable branch reference. This means the workflow will automatically use whatever code is on the master branch at runtime, potentially executing malicious code if the upstream repository is compromised.

Attack Example
Attacker compromises crate-ci/typos repository → pushes malicious code to master branch → next PR triggers this workflow → malicious code executes with workflow permissions → attacker can read repository contents, access GITHUB_TOKEN, or modify workflow artifacts
Suggested Fix
Pin the action to a specific commit SHA or immutable tag version. Replace 'uses: crate-ci/typos@master' with 'uses: crate-ci/typos@v1.28.3' (or latest stable version) or use a commit SHA like 'uses: crate-ci/typos@a1234567890abcdef1234567890abcdef12345678'
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@.github/workflows/typos.yml` at line 20, the crate-ci/typos action is
referenced using the mutable @master branch reference; replace it with a pinned
version tag (e.g., @v1.28.3) or a specific commit SHA to prevent automatic
execution of potentially malicious code if the upstream repository is
compromised. Check the crate-ci/typos releases page for the latest stable
version.
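The mutable-reference finding above (the Neo summary and this inline comment on the workflow hunk) is the kind of check that is easy to automate before a workflow lands. The following is an added example, not code from the PR or from the nuclei project: it parses every `uses:` line in a workflow, classifies the reference as a commit SHA, a tag or a branch, and checks for an explicit top-level `permissions:` block. The two workflow texts are constructed inline from the fragment shown in the review; the hardened variant uses all-zero and all-one placeholder SHAs, not real crate-ci/typos or actions/checkout commits. By default the checker treats tags as mutable too, since a tag can be re-pointed upstream; `allow_tags=True` relaxes that to match the review's "tag or SHA" suggestion.

```python
"""Audit `uses:` references in GitHub Actions workflows for mutable refs.

Added example (not part of the PR or the nuclei project). Detects the weak
setting flagged in review (crate-ci/typos@master) and a missing top-level
permissions block, and shows that a hardened variant passes the same check.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the workflow fragment as it appears in the PR review.
WEAK_WORKFLOW = """\
name: typos
on:
  push:
    branches: [dev]
  pull_request:
jobs:
  typos:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: crate-ci/typos@master
"""

# Constructed hardened variant: least-privilege token and every action pinned
# to a full commit SHA, with the tag kept as a trailing comment for bump tools.
# The SHAs are PLACEHOLDERS (all zeros / all ones), not real upstream commits.
HARDENED_WORKFLOW = """\
name: typos
on:
  push:
    branches: [dev]
  pull_request:
permissions:
  contents: read
jobs:
  typos:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v6 (placeholder SHA)
      - uses: crate-ci/typos@1111111111111111111111111111111111111111 # v1.x (placeholder SHA)
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Tags such as v6, v1.28.3, 2.0.0-rc1; anything else that is not a SHA is a branch.
TAG_RE = re.compile(r"^v?\d+(\.\d+)*([-.][0-9A-Za-z]+)*$")
# Matches "- uses: owner/repo@ref" with optional quotes; stops before a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")


@dataclass(frozen=True)
class UsesRef:
    action: str
    ref: str
    kind: str  # "sha" | "tag" | "branch" | "local" | "docker"


def classify_ref(ref: str) -> str:
    """Only a full commit SHA is immutable; tags and branches can be moved."""
    if SHA_RE.match(ref):
        return "sha"
    if TAG_RE.match(ref):
        return "tag"
    return "branch"


def parse_uses(workflow_text: str) -> List[UsesRef]:
    """Extract every `uses:` reference in the workflow and classify it."""
    refs: List[UsesRef] = []
    for line in workflow_text.splitlines():
        match = USES_RE.match(line)
        if not match:
            continue
        target = match.group(1)
        if target.startswith("./"):           # action checked out with the repo
            refs.append(UsesRef(target, "", "local"))
        elif target.startswith("docker://"):  # container image, audited separately
            refs.append(UsesRef(target, "", "docker"))
        else:
            action, sep, ref = target.rpartition("@")
            if not sep:                       # no ref at all: default branch, mutable
                refs.append(UsesRef(target, "", "branch"))
            else:
                refs.append(UsesRef(action, ref, classify_ref(ref)))
    return refs


def find_unpinned(workflow_text: str, allow_tags: bool = False) -> List[UsesRef]:
    """Return references that can change upstream without a change in this repo."""
    mutable = {"branch"} if allow_tags else {"branch", "tag"}
    return [r for r in parse_uses(workflow_text) if r.kind in mutable]


def has_explicit_permissions(workflow_text: str) -> bool:
    """True when the workflow declares a top-level `permissions:` block."""
    return any(line.startswith("permissions:") for line in workflow_text.splitlines())


if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"[{name}] explicit permissions: {has_explicit_permissions(text)}")
        for r in find_unpinned(text):
            print(f"[{name}] mutable reference: {r.action}@{r.ref} ({r.kind})")
```

Run as a script it reports both `actions/checkout@v6` (tag) and `crate-ci/typos@master` (branch) for the weak workflow and nothing for the hardened one; wiring `find_unpinned` into a pre-commit hook over `.github/workflows/*.yml` turns the review comment into a repeatable gate.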

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@_typos.toml`:
- Around line 56-73: Update the suppressed-typos list to correct actual mistakes
and clarify intentional suppressions: change the entries for noticable ->
"noticeable", brower -> "browser", and inerval -> "interval"; remove or justify
the worflow entry if it no longer appears; and add a short clarifying comment
next to pannel noting that "pannel" is intentionally suppressed because it
matches a real-world target application typo (used in the integration test
matcher "{{BaseURL}}/admin-pannel"). Ensure the keys referenced (pannel,
noticable, brower, inerval, worflow) in the existing suppression block are
edited accordingly.

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 73507cd and 4c5e3de.

⛔ Files ignored due to path filters (1)
  • .github/workflows/typos.yml is excluded by !**/*.yml
📒 Files selected for processing (10)
  • _typos.toml
  • cmd/tmc/main.go
  • internal/runner/runner.go
  • internal/server/server.go
  • lib/config.go
  • lib/tests/sdk_test.go
  • pkg/catalog/loader/loader.go
  • pkg/templates/parser_stats.go
  • pkg/templates/stats.go
  • pkg/tmplexec/flow/flow_executor_test.go

Comment on lines +56 to +73
Nin = "Nin"
# "pannel" appears in integration test template matchers
pannel = "pannel"
# "noticable" in test template
noticable = "noticable"
# AllowdTypes is from the external goflags package
Allowd = "Allowd"
# Spanish test data in fuzz playground
algoritmos = "algoritmos"
# "brower" and "inerval" in Chinese README (excluded but also in code)
brower = "brower"
inerval = "inerval"
# "worflow" in README
worflow = "worflow"
# "ser" appears in foreign language and deserialization context
ser = "ser"
# IST is a timezone abbreviation in test data
IST = "IST"
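Review bot: the short entries in this block (`Nin`, `ser`, `IST`, `Allowd`) are global whole-word suppressions, so they also silence a genuine misspelling of any of these tokens anywhere in the tree, not only in the foreign-language READMEs and test data the comments cite; scope them to the files concerned with `[files] extend-exclude` (or a per-type section) instead of a repository-wide word mapping. The comment on `brower`/`inerval` says the Chinese README is already excluded, which makes those two entries redundant unless the tokens really do occur in code; confirm that, and drop `worflow` if it no longer appears anywhere.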

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Find occurrences of suppressed typos to determine if they should be fixed

echo "=== Searching for 'pannel' ==="
rg -n -C2 'pannel' --type-not=toml

echo -e "\n=== Searching for 'noticable' ==="
rg -n -C2 'noticable' --type-not=toml

echo -e "\n=== Searching for 'brower' ==="
rg -n -C2 'brower' --type-not=toml

echo -e "\n=== Searching for 'inerval' ==="
rg -n -C2 'inerval' --type-not=toml

echo -e "\n=== Searching for 'worflow' ==="
rg -n -C2 'worflow' --type-not=toml

Repository: projectdiscovery/nuclei

Length of output: 2065

Consider fixing genuine typos and clarifying intentional suppressions.

The suppressed typos have mixed justifications:

  • pannel (line 58) — appears in test matcher "{{BaseURL}}/admin-pannel" (integration_tests/protocols/http/matcher-status.yaml:17). Suppression is valid; this intentionally matches a typo in a real-world target application.
  • noticable (line 60) — appears as a comment typo in integration_tests/protocols/network/net-https-timeout.yaml:15. Should be fixed to "noticeable".
  • brower (line 66) — appears in documentation (README_CN.md:263) as -show-brower flag. Should be fixed to "browser".
  • inerval (line 67) — appears in documentation (README_CN.md:297) as -stats-inerval flag. Should be fixed to "interval".
  • worflow (line 69) — does not appear in the codebase; suppression can be removed or clarified.

Fix the typos in comments and documentation; clarify in the comment for pannel that it intentionally matches a real-world application typo.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@_typos.toml` around lines 56 - 73, Update the suppressed-typos list to
correct actual mistakes and clarify intentional suppressions: change the entries
for noticable -> "noticeable", brower -> "browser", and inerval -> "interval";
remove or justify the worflow entry if it no longer appears; and add a short
clarifying comment next to pannel noting that "pannel" is intentionally
suppressed because it matches a real-world target application typo (used in the
integration test matcher "{{BaseURL}}/admin-pannel"). Ensure the keys referenced
(pannel, noticable, brower, inerval, worflow) in the existing suppression block
are edited accordingly.


Development

Successfully merging this pull request may close these issues.

Integrate typos tool into CI