feat(js): add comprehensive utils library

[Ice3man543]

Add comprehensive nuclei/utils JavaScript helper library

Summary

This PR introduces a new nuclei/utils JavaScript library providing comprehensive utility functions for template authors writing JavaScript-based nuclei templates. The library is inspired by tools like pwntools and provides essential primitives for binary protocol exploitation, cryptographic operations, encoding/decoding, and data manipulation.

Additionally, the nuclei/net library has been enhanced with convenience methods for improved network I/O operations.

New nuclei/utils Library

Binary & Pattern Operations

• PatternCreate(length) / PatternOffset(pattern, search) - Cyclic pattern generation for buffer overflow analysis
• FindBytes / FindAllBytes - Search for byte patterns
• ReplaceBytes / RepeatBytes / ReverseBytes - Byte manipulation
• SwapEndian16 / SwapEndian32 - Endianness conversion
• GenerateRandomString / GenerateRandomBytes - Random data generation
• RepeatString / PadLeft / PadRight - String manipulation

Struct Packing/Unpacking (pwntools-style)

• PackUint8/16/32/64LE/BE - Pack integers to bytes
• UnpackUint16/32/64LE/BE - Unpack bytes to integers
• P8 / P16 / P32 / P64 - Pwntools-style pack aliases (little-endian)
• P16BE / P32BE / P64BE - Big-endian pack variants
• U16 / U32 / U64 - Pwntools-style unpack aliases
• ConcatBytes / Flat - Combine multiple byte arrays
• ToBytes / StringToBytes / BytesToString - Type conversions

Encoding/Decoding

• URLEncode / URLDecode
• HTMLEncode / HTMLDecode
• HexEncode / HexDecode
• Base64Encode / Base64Decode (standard, URL-safe, raw variants)
• UTF16LEEncode / UTF16LEDecode
• UTF16BEEncode / UTF16BEDecode

Hashing

• MD4 / MD4Raw - Required for NTLM authentication
• MD5 / MD5Raw
• SHA1 / SHA1Raw
• SHA256 / SHA256Raw
• SHA384 / SHA384Raw
• SHA512 / SHA512Raw
• HMACMD5 / HMACSHA1 / HMACSHA256 / HMACSHA512
• CRC32 / Adler32

Cryptography

• AESEncryptECB / AESDecryptECB
• AESEncryptCBC / AESDecryptCBC
• AESEncryptGCM / AESDecryptGCM
• DESEncryptECB / DESDecryptECB
• DES3EncryptCBC / DES3DecryptCBC
• RC4Encrypt
• XORBytes / XORSingleByte

Compression

• ZlibCompress / ZlibDecompress
• GzipCompress / GzipDecompress
• DeflateCompress / DeflateDecompress

Padding

• PKCS7Pad / PKCS7Unpad
• ZeroPad / ZeroUnpad

Time

• Sleep(milliseconds)
• UnixTimestamp / UnixTimestampMilli / UnixTimestampNano

Enhanced nuclei/net Library

New connection methods for improved network I/O:

• SendBytes(data) - Send raw byte array
• SendLine(data) - Send string with newline appended
• RecvUntil(delimiter) - Receive data until delimiter found
• RecvUntilString(delimiter) - Receive string until delimiter
• RecvLine() - Receive until newline
• RecvN(n) - Receive exactly N bytes (alias for RecvFull)

Example Usage

const utils = require('nuclei/utils');
const net = require('nuclei/net');

// Connect to target
const conn = net.Open('tcp', 'target:1234');

// Build exploit payload using pwntools-style packing
const payload = utils.Flat(
    utils.P32(0x41414141),           // 4-byte address
    utils.RepeatBytes([0x90], 100),  // NOP sled
    shellcode
);

// Send payload
conn.SendBytes(payload);

// Receive response until delimiter
const response = conn.RecvUntil([0x0d, 0x0a]);

// Compute hash for verification
const hash = utils.MD5(response);

Files Changed

• New files:

  • pkg/js/libs/utils/ - New utils library implementation (9 files)
  • pkg/js/generated/go/libutils/utils.go - Auto-generated bindings
  • pkg/js/generated/ts/utils.ts - TypeScript definitions

• Modified files:

  • pkg/js/libs/net/net.go - Added new connection methods
  • pkg/js/compiler/pool.go - Registered new utils library
  • pkg/js/devtools/bindgen/generator.go - Minor binding generation updates
  • pkg/js/devtools/tsgen/scrape.go - TypeScript generation updates
  • Various pkg/js/generated/ts/*.ts - Regenerated TypeScript definitions

Test Plan

• Unit tests added for all utils functions (pkg/js/libs/utils/utils_test.go)
• Integration test with sample template using the new library
• Verify TypeScript definitions work correctly in IDE

Summary by CodeRabbit

• New Features

  • Comprehensive Utils library: crypto (AES/DES/3DES/RC4), encoding (Base64/Hex/URL/HTML/UTF‑16), hashing (MD4/MD5/SHA variants + HMAC), compression (zlib/gzip/deflate), binary/struct helpers, padding, random and time utilities
  • Network I/O: line- and delimiter-based send/receive helpers

• Developer Tools

  • Improved devtool parsing and type scraping behavior to ignore test files and non-struct types

• Tests

  • Added extensive test suite covering all utilities

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Adds a new Utils library (encoding, crypto, hash, compression, binary, padding, struct/packing, time), extensive unit tests, new NetConn I/O helpers (delimiter-based reads/writes), a side-effect libutils import, a parser filter to skip _test.go, and scrape behavior changed to silently skip non-struct types.

Changes

Cohort / File(s)	Summary
JS Compiler & DevTools pkg/js/compiler/pool.go, pkg/js/devtools/bindgen/generator.go, pkg/js/devtools/tsgen/scrape.go	Added side-effect import of libutils; narrowed parser.ParseDir to exclude _test.go files; changed scrape to silently skip non-struct types instead of returning an error.
Network Library Enhancement pkg/js/libs/net/net.go	Added NetConn I/O utilities: SendBytes, SendLine, RecvUntil, RecvUntilString, RecvLine, RecvN, plus bytesEqual helper for delimiter handling.
Utils Core pkg/js/libs/utils/utils.go, pkg/js/libs/utils/utils_test.go	Introduced Utils type and a comprehensive test suite exercising the new utilities.
Time Utilities pkg/js/libs/utils/time.go	Added Sleep, UnixTimestamp, UnixTimestampMilli, UnixTimestampNano.
Binary & Byte Utilities pkg/js/libs/utils/binary.go	Added pattern generation/search, byte find/replace, repeat/reverse/swap-endian, random bytes/strings, and string padding helpers.
Struct / Packing Helpers pkg/js/libs/utils/struct.go	Added pack/unpack (8/16/32/64, LE/BE), aliases (P*/U*), Flat, ConcatBytes, ToBytes, and conversions between bytes/strings.
Cryptography pkg/js/libs/utils/crypto.go	Implemented AES (ECB/CBC/GCM), DES/3DES (ECB/CBC), RC4, and XOR utilities with PKCS#7 support and input validation.
Encoding pkg/js/libs/utils/encoding.go	Added URL/HTML encoding, Hex, Base64 variants, and UTF-16 LE/BE encode/decode helpers.
Hashing & Checksums pkg/js/libs/utils/hash.go	Added MD4/MD5/SHA1/SHA256/SHA384/SHA512 (hex and raw), HMAC variants, CRC32, and Adler32.
Compression pkg/js/libs/utils/compression.go	Added Zlib/Gzip/Deflate compress and decompress functions.
Padding Utilities pkg/js/libs/utils/padding.go	Added PKCS7 pad/unpad (with validation), zero/null padding, and block-size padding helpers.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐇 I nibble bytes by lantern light,

I pad and pack through crypto night,
I gzip, hash, and swap with glee,
New Utils hop into the tree,
Tests sing loud — the warren's bright! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.91% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title clearly and concisely summarizes the main change: adding a comprehensive utils library to the JavaScript/nuclei environment.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 9

🤖 Fix all issues with AI agents

In `@pkg/js/libs/net/net.go`:
- Around line 336-366: RecvUntil currently accepts an empty delimiter and treats
any read error as success by returning partial data; update RecvUntil on type
NetConn to first validate that delim is non-empty and return an error if it is,
and on any c.conn.Read error return nil and the error (do not return partial
result with nil error); keep the existing deadline handling
(setDeadLine/unsetDeadLine) and the delimiter check using bytesEqual on the
trailing bytes of result.

In `@pkg/js/libs/utils/binary.go`:
- Around line 9-10: The constant patternCharset is defined but unused; either
remove it to satisfy the linter or wire it into PatternCreate. Fix by deleting
the unused declaration named patternCharset (leaving alphanumCharset intact) OR
update the PatternCreate function to reference patternCharset instead of
alphanumCharset (or accept patternCharset as the charset parameter) so the
symbol is used; ensure tests/build pass after the change.
- Around line 3-7: The current imports use math/rand which makes
GenerateRandomString and GenerateRandomBytes deterministic; replace math/rand
with crypto/rand and update those functions to use crypto/rand.Reader (e.g.,
crypto/rand.Read for bytes or crypto/rand.Int for selecting indices) so bytes
are filled from a secure source, remove any dependency on rand.Seed, and adjust
imports (drop math/rand, keep bytes/strings as needed) while preserving function
names GenerateRandomString and GenerateRandomBytes.
- Around line 67-86: The FindAllBytes function can infinite-loop or panic when
needle is empty; add a guard at the start of Utils.FindAllBytes that returns an
empty slice if len(needle) == 0 (or handle as desired) before using bytes.Index,
and ensure subsequent logic uses haystack[start:] safely; reference the function
name FindAllBytes, variables haystack, needle, start, and the bytes.Index call
when making the change.

In `@pkg/js/libs/utils/compression.go`:
- Around line 37-42: The decompressors currently ignore errors from r.Close();
capture the Close() return value and, if io.ReadAll or other prior steps did not
already return an error, return the Close() error instead. Specifically, in the
zlib case around zlib.NewReader and io.ReadAll (and likewise for the gzip and
deflate blocks at the other occurrences), store the result of io.ReadAll into a
variable (e.g., data, err), then call cerr := r.Close(); if err != nil return
nil, err; if cerr != nil return nil, cerr; otherwise return the read bytes, nil.

In `@pkg/js/libs/utils/crypto.go`:
- Around line 100-140: AESEncryptGCM and AESDecryptGCM must validate the nonce
length before calling gcm.Seal/gcm.Open to avoid a panic; after creating gcm in
each function (the cipher.NewGCM call), get the expected nonce size via
gcm.NonceSize() and return a descriptive error if len(nonce) != nonceSize (e.g.,
"invalid nonce length: got X, want Y"); apply this check in both AESEncryptGCM
and AESDecryptGCM so they mirror the IV/nonce validation used in
AESEncryptCBC/AESDecryptCBC.

In `@pkg/js/libs/utils/hash.go`:
- Around line 3-38: The md4 import from "golang.org/x/crypto/md4" used by the
MD4 and MD4Raw methods triggers staticcheck SA1019; add a targeted lint
suppression comment immediately above the import (explaining MD4 is required for
NTLM compatibility and cannot be replaced) so the linter is satisfied while
preserving the md4.New() usage in the MD4 and MD4Raw functions; ensure the
comment references SA1019 and provides the justification (NTLM requirement) and
keep the existing function implementations unchanged.

In `@pkg/js/libs/utils/padding.go`:
- Around line 14-16: Validate blockSize at the top of PKCS7 padding/unpadding
paths: in pkcs7Pad (and the corresponding unpad function used at lines ~72-76)
and in the public wrapper Utils.PKCS7Pad, check that blockSize > 0 and blockSize
<= 255; if invalid, return the input unchanged (or nil if that matches existing
semantics) instead of performing len(data) % blockSize or casting padLen to a
byte. This prevents divide-by-zero panics and overflow of the padding byte; add
the same checks to the other PKCS7 helper used in the file.

In `@pkg/js/libs/utils/utils_test.go`:
- Around line 714-724: The test TestGenerateRandomAlphanumeric triggers
staticcheck QF1001 due to a negated compound condition; to fix it, replace the
inline negated compound in the loop with a named boolean predicate (e.g.,
isAlphanumeric := (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0'
&& c <= '9')) and then assert if !isAlphanumeric call t.Errorf(...) — update the
predicate usage inside TestGenerateRandomAlphanumeric that checks characters
from Utils.GenerateRandomAlphanumeric accordingly.

🧹 Nitpick comments (1)

pkg/js/devtools/tsgen/scrape.go (1)

37-42: Consider adding debug logging for observability.

Silently skipping non-struct types is reasonable since interfaces like net.Conn can't be scraped for fields. However, a debug log would aid troubleshooting without affecting normal operation.

♻️ Optional: Add debug logging

 	// Skip interfaces (like net.Conn) - they can't be scraped for fields
 	namedStruct, ok := typeNameObj.Type().Underlying().(*types.Struct)
 	if !ok {
 		// Not a struct (could be interface, etc.) - skip silently
+		// gologger.Debug().Msgf("Skipping non-struct type %v (underlying: %T)", typeName, typeNameObj.Type().Underlying())
 		return nil
 	}