fix: replace panic with error handling in template loader (#6674) #7090

Open
umer12-12 wants to merge 19 commits into projectdiscovery:main from umer12-12:dev

@umer12-12

Proposed Changes
Fixed issue #6674 by replacing panic() calls with proper error handling in the template loading logic.

Key Fixes
Replaced panics in pkg/catalog/loader/loader.go and pkg/templates/parser.go.

Resolved "no new variables" error in internal/runner/lazy.go.

Updated function signatures to return error and handled them in the runner.

Proof
Verified compilation with go build -o nuclei.exe ./cmd/nuclei (Exit code 0).

nuclei.exe binary generated successfully.

/claim #6674

dependabot bot and others added 19 commits February 2, 2026 06:30
…6797)

Bumps the modules group with 8 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/projectdiscovery/fastdialer](https://github.com/projectdiscovery/fastdialer?target=https://github.com) | `0.5.3` | `0.5.4` |
| [github.com/projectdiscovery/hmap](https://github.com/projectdiscovery/hmap?target=https://github.com) | `0.0.99` | `0.0.100` |
| [github.com/projectdiscovery/interactsh](https://github.com/projectdiscovery/interactsh?target=https://github.com) | `1.2.4` | `1.3.0` |
| [github.com/projectdiscovery/retryablehttp-go](https://github.com/projectdiscovery/retryablehttp-go?target=https://github.com) | `1.3.5` | `1.3.6` |
| [github.com/projectdiscovery/dsl](https://github.com/projectdiscovery/dsl?target=https://github.com) | `0.8.12` | `0.8.13` |
| [github.com/projectdiscovery/gologger](https://github.com/projectdiscovery/gologger?target=https://github.com) | `1.1.67` | `1.1.68` |
| [github.com/projectdiscovery/wappalyzergo](https://github.com/projectdiscovery/wappalyzergo?target=https://github.com) | `0.2.65` | `0.2.66` |
| [github.com/projectdiscovery/cdncheck](https://github.com/projectdiscovery/cdncheck?target=https://github.com) | `1.2.20` | `1.2.21` |


Updates `github.com/projectdiscovery/fastdialer` from 0.5.3 to 0.5.4
- [Release notes](https://github.com/projectdiscovery/fastdialer/releases?target=https://github.com)
- [Commits](projectdiscovery/fastdialer@v0.5.3...v0.5.4)

Updates `github.com/projectdiscovery/hmap` from 0.0.99 to 0.0.100
- [Release notes](https://github.com/projectdiscovery/hmap/releases?target=https://github.com)
- [Commits](projectdiscovery/hmap@v0.0.99...v0.0.100)

Updates `github.com/projectdiscovery/interactsh` from 1.2.4 to 1.3.0
- [Release notes](https://github.com/projectdiscovery/interactsh/releases?target=https://github.com)
- [Commits](projectdiscovery/interactsh@v1.2.4...v1.3.0)

Updates `github.com/projectdiscovery/retryablehttp-go` from 1.3.5 to 1.3.6
- [Release notes](https://github.com/projectdiscovery/retryablehttp-go/releases?target=https://github.com)
- [Commits](projectdiscovery/retryablehttp-go@v1.3.5...v1.3.6)

Updates `github.com/projectdiscovery/dsl` from 0.8.12 to 0.8.13
- [Release notes](https://github.com/projectdiscovery/dsl/releases?target=https://github.com)
- [Commits](projectdiscovery/dsl@v0.8.12...v0.8.13)

Updates `github.com/projectdiscovery/gologger` from 1.1.67 to 1.1.68
- [Release notes](https://github.com/projectdiscovery/gologger/releases?target=https://github.com)
- [Commits](projectdiscovery/gologger@v1.1.67...v1.1.68)

Updates `github.com/projectdiscovery/wappalyzergo` from 0.2.65 to 0.2.66
- [Release notes](https://github.com/projectdiscovery/wappalyzergo/releases?target=https://github.com)
- [Commits](projectdiscovery/wappalyzergo@v0.2.65...v0.2.66)

Updates `github.com/projectdiscovery/cdncheck` from 1.2.20 to 1.2.21
- [Release notes](https://github.com/projectdiscovery/cdncheck/releases?target=https://github.com)
- [Commits](projectdiscovery/cdncheck@v1.2.20...v1.2.21)

---
updated-dependencies:
- dependency-name: github.com/projectdiscovery/fastdialer
  dependency-version: 0.5.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/hmap
  dependency-version: 0.0.100
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/interactsh
  dependency-version: 1.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/retryablehttp-go
  dependency-version: 1.3.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/dsl
  dependency-version: 0.8.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/gologger
  dependency-version: 1.1.68
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/wappalyzergo
  dependency-version: 0.2.66
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/cdncheck
  dependency-version: 1.2.21
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: modules
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ery#6796)

Refactor `ParseTemplateFromReader` to parse YAML
once after applying preprocessors, avoiding
redundant parsing for verification. Also add
`parseTemplateNoVerify` and
`applyTemplateVerification` helpers to separate
parsing from signature verification logic to
reduce CPU overhead during startup template
loading.

Signed-off-by: Dwi Siswanto <git@dw1.io>
Closes projectdiscovery#6734.

Signed-off-by: Dwi Siswanto <git@dw1.io>
…6853)

Bumps the modules group with 2 updates: [github.com/projectdiscovery/wappalyzergo](https://github.com/projectdiscovery/wappalyzergo?target=https://github.com) and [github.com/projectdiscovery/cdncheck](https://github.com/projectdiscovery/cdncheck?target=https://github.com).


Updates `github.com/projectdiscovery/wappalyzergo` from 0.2.66 to 0.2.67
- [Release notes](https://github.com/projectdiscovery/wappalyzergo/releases?target=https://github.com)
- [Commits](projectdiscovery/wappalyzergo@v0.2.66...v0.2.67)

Updates `github.com/projectdiscovery/cdncheck` from 1.2.21 to 1.2.22
- [Release notes](https://github.com/projectdiscovery/cdncheck/releases?target=https://github.com)
- [Commits](projectdiscovery/cdncheck@v1.2.21...v1.2.22)

---
updated-dependencies:
- dependency-name: github.com/projectdiscovery/wappalyzergo
  dependency-version: 0.2.67
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/cdncheck
  dependency-version: 1.2.22
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: modules
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the go_modules group with 1 update in the / directory: [github.com/go-git/go-git/v5](https://github.com/go-git/go-git?target=https://github.com).


Updates `github.com/go-git/go-git/v5` from 5.16.2 to 5.16.5
- [Release notes](https://github.com/go-git/go-git/releases?target=https://github.com)
- [Commits](go-git/go-git@v5.16.2...v5.16.5)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.16.5
  dependency-type: direct:production
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…pport (projectdiscovery#6841)

* chore(deps): bump github.com/bytedance/sonic to 1.15.0 for Go 1.26 support

Update https://github.com/bytedance/sonic?target=https://github.com to https://github.com/bytedance/sonic/releases/tag/v1.15.0?target=https://github.com
For
* bytedance/sonic#898

Found in
* Homebrew/homebrew-core#258912

Upgraded by performing:

```
$ go1.26rc3 build -v ./...
github.com/bytedance/sonic/internal/rt
# github.com/bytedance/sonic/internal/rt
../../../go/pkg/mod/github.com/bytedance/sonic@v1.14.0/internal/rt/stubs.go:33:22: undefined: GoMapIterator
../../../go/pkg/mod/github.com/bytedance/sonic@v1.14.0/internal/rt/stubs.go:36:54: undefined: GoMapIterator
$ go get github.com/bytedance/sonic@latest && go mod tidy
go: added github.com/bytedance/gopkg v0.1.3
go: upgraded github.com/bytedance/sonic v1.14.0 => v1.15.0
go: upgraded github.com/bytedance/sonic/loader v0.3.0 => v0.5.0
go: upgraded github.com/cloudwego/base64x v0.1.5 => v0.1.6
$ go1.26rc3 build -v ./...
$
```

* chore(utils): update version range for json

bytedance/sonic, to include 1.26

Signed-off-by: Dwi Siswanto <git@dw1.io>

---------

Signed-off-by: Dwi Siswanto <git@dw1.io>
Co-authored-by: Dwi Siswanto <git@dw1.io>
…6908)

Bumps the modules group with 2 updates: [github.com/projectdiscovery/wappalyzergo](https://github.com/projectdiscovery/wappalyzergo?target=https://github.com) and [github.com/projectdiscovery/cdncheck](https://github.com/projectdiscovery/cdncheck?target=https://github.com).


Updates `github.com/projectdiscovery/wappalyzergo` from 0.2.67 to 0.2.68
- [Release notes](https://github.com/projectdiscovery/wappalyzergo/releases?target=https://github.com)
- [Commits](projectdiscovery/wappalyzergo@v0.2.67...v0.2.68)

Updates `github.com/projectdiscovery/cdncheck` from 1.2.22 to 1.2.23
- [Release notes](https://github.com/projectdiscovery/cdncheck/releases?target=https://github.com)
- [Commits](projectdiscovery/cdncheck@v1.2.22...v1.2.23)

---
updated-dependencies:
- dependency-name: github.com/projectdiscovery/wappalyzergo
  dependency-version: 0.2.68
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/cdncheck
  dependency-version: 1.2.23
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: modules
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
projectdiscovery#6828)

Clone the data map before modification to prevent race conditions when
multiple goroutines call evaluateVarsWithInteractsh concurrently with
a shared map.

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
…very#6969)

Bumps the go_modules group with 1 update in the / directory: [github.com/refraction-networking/utls](https://github.com/refraction-networking/utls?target=https://github.com).


Updates `github.com/refraction-networking/utls` from 1.8.0 to 1.8.2
- [Release notes](https://github.com/refraction-networking/utls/releases?target=https://github.com)
- [Commits](refraction-networking/utls@v1.8.0...v1.8.2)

---
updated-dependencies:
- dependency-name: github.com/refraction-networking/utls
  dependency-version: 1.8.2
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the go_modules group with 1 update in the / directory: [filippo.io/edwards25519](https://github.com/FiloSottile/edwards25519?target=https://github.com).


Updates `filippo.io/edwards25519` from 1.1.0 to 1.1.1
- [Commits](FiloSottile/edwards25519@v1.1.0...v1.1.1)

---
updated-dependencies:
- dependency-name: filippo.io/edwards25519
  dependency-version: 1.1.1
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…7006)

Bumps the modules group with 2 updates: [github.com/projectdiscovery/wappalyzergo](https://github.com/projectdiscovery/wappalyzergo?target=https://github.com) and [github.com/projectdiscovery/cdncheck](https://github.com/projectdiscovery/cdncheck?target=https://github.com).


Updates `github.com/projectdiscovery/wappalyzergo` from 0.2.68 to 0.2.69
- [Release notes](https://github.com/projectdiscovery/wappalyzergo/releases?target=https://github.com)
- [Commits](projectdiscovery/wappalyzergo@v0.2.68...v0.2.69)

Updates `github.com/projectdiscovery/cdncheck` from 1.2.23 to 1.2.24
- [Release notes](https://github.com/projectdiscovery/cdncheck/releases?target=https://github.com)
- [Commits](projectdiscovery/cdncheck@v1.2.23...v1.2.24)

---
updated-dependencies:
- dependency-name: github.com/projectdiscovery/wappalyzergo
  dependency-version: 0.2.69
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/cdncheck
  dependency-version: 1.2.24
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: modules
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the go_modules group with 1 update in the / directory: [github.com/cloudflare/circl](https://github.com/cloudflare/circl?target=https://github.com).


Updates `github.com/cloudflare/circl` from 1.6.1 to 1.6.3
- [Release notes](https://github.com/cloudflare/circl/releases?target=https://github.com)
- [Commits](cloudflare/circl@v1.6.1...v1.6.3)

---
updated-dependencies:
- dependency-name: github.com/cloudflare/circl
  dependency-version: 1.6.3
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…-ids-mapping-to-template-ids

Expose cluster ids mapping to template ids
…7081)

Bumps the modules group with 2 updates: [github.com/projectdiscovery/wappalyzergo](https://github.com/projectdiscovery/wappalyzergo?target=https://github.com) and [github.com/projectdiscovery/cdncheck](https://github.com/projectdiscovery/cdncheck?target=https://github.com).


Updates `github.com/projectdiscovery/wappalyzergo` from 0.2.69 to 0.2.70
- [Release notes](https://github.com/projectdiscovery/wappalyzergo/releases?target=https://github.com)
- [Commits](projectdiscovery/wappalyzergo@v0.2.69...v0.2.70)

Updates `github.com/projectdiscovery/cdncheck` from 1.2.24 to 1.2.25
- [Release notes](https://github.com/projectdiscovery/cdncheck/releases?target=https://github.com)
- [Commits](projectdiscovery/cdncheck@v1.2.24...v1.2.25)

---
updated-dependencies:
- dependency-name: github.com/projectdiscovery/wappalyzergo
  dependency-version: 0.2.70
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: modules
- dependency-name: github.com/projectdiscovery/cdncheck
  dependency-version: 1.2.25
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: modules
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@coderabbitai

coderabbitai bot commented Mar 3, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@neo-by-projectdiscovery-dev

neo-by-projectdiscovery-dev bot commented Mar 3, 2026

Neo - PR Security Review

No security issues found

Highlights

  • Adds ClusterMappings feature to track template cluster IDs and their constituent templates
  • Fixes race condition in fuzz module by cloning maps before concurrent access
  • Adds GitHub workflow for memoization automation
  • Updates dependencies in go.mod and go.sum

Hardening Notes

  • The PR description mentions panic-to-error-handling refactor, but the actual changes are primarily new features (ClusterMappings) and a race condition fix. Existing panic() calls remain in pkg/templates/compile.go:159 and pkg/templates/parser.go:80,89,98 - these are internal assertions not exploitable by attackers.
  • The race condition fix in pkg/fuzz/execute.go:225 uses maps.Clone(data) to prevent concurrent map access. This addresses a crash bug, not an exploitable vulnerability.
  • ClusterMappingsMap in pkg/templates/types/cluster_mappings.go implements nil-safe methods with proper defensive checks on lines 15-16, 24-25, 36-37.
  • All panic() calls identified are internal assertions that cannot be triggered by attacker-controlled input and only cause application crashes, not exploitation vectors.

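The race-condition fix described in the commit message and in the review above (clone the map before modifying it) can be shown in a few lines of Go. This is an added example, not code from the nuclei repository: `evalShared`, `evalCloned`, `runConcurrent`, the map keys and the sample values are hypothetical stand-ins for `evaluateVarsWithInteractsh` and its data.

```go
package main

import (
	"fmt"
	"maps"
	"sync"
)

// evalShared is the racy shape: every caller writes into the map it was handed.
// With one map shared across goroutines the runtime can abort the process with
// "fatal error: concurrent map writes", which recover() cannot catch.
func evalShared(data map[string]any, id int) map[string]any {
	data["interactsh-url"] = fmt.Sprintf("placeholder-%d.example", id)
	return data
}

// evalCloned copies the top-level map first, so each caller mutates its own copy.
// maps.Clone is shallow: nested maps and slices are still shared with the original.
func evalCloned(data map[string]any, id int) map[string]any {
	local := maps.Clone(data)
	local["interactsh-url"] = fmt.Sprintf("placeholder-%d.example", id)
	return local
}

// runConcurrent calls eval from n goroutines against one shared input map.
func runConcurrent(eval func(map[string]any, int) map[string]any, shared map[string]any, n int) []map[string]any {
	out := make([]map[string]any, n)
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			out[i] = eval(shared, i) // each goroutine writes a distinct slice index
		}(i)
	}
	wg.Wait()
	return out
}

func main() {
	shared := map[string]any{"Host": "target.example"} // constructed sample input
	results := runConcurrent(evalCloned, shared, 64)
	fmt.Println(len(shared), results[7]["interactsh-url"])
	// Passing evalShared instead reproduces the pre-fix shape; `go run -race` reports it.
}
```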
