code from https://github.com/projectdiscovery/nuclei/pull/6427#6471

Merged
Mzack9999 merged 2 commits into dev from feat-4872-oracle-atp2 on Sep 12, 2025

Conversation

Mzack9999 (Member) commented Sep 12, 2025

Proposed changes

Closes #4872

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Summary by CodeRabbit

  • New Features

    • Added Oracle database support in the JavaScript runtime, including detection, authentication, and query execution.
    • Introduced policy-enforced, context-aware networking for Oracle connections.
  • Tests

    • Added Oracle database integration tests to validate connectivity and queries.
    • Tests are currently disabled on Windows and macOS.
  • Chores

    • Included a new Oracle driver dependency to enable database interactions.

@Mzack9999 Mzack9999 self-assigned this Sep 12, 2025
coderabbitai bot (Contributor) commented Sep 12, 2025

Walkthrough

Adds Oracle support: new Oracle client library with connection, detection, and query execution; a custom dialer integrating policy checks; a JS integration test that spins up an Oracle XE Docker container and validates an auth template; and a new go-ora dependency.

Changes

| Cohort / File(s) | Summary of Changes |
| --- | --- |
| Integration Tests — Oracle: cmd/integration-test/javascript.go | Introduces Dockerized Oracle XE setup, readiness retry, and a new JavaScript test case (oracle-auth-test.yaml) executed via nuclei template; cleans up container; disabled on Windows/macOS. |
| Oracle JS Library: pkg/js/libs/oracle/oracle.go | Adds OracleClient with cached go-ora connector; converts IsOracle to method; implements Connect, ConnectWithDSN, ExecuteQuery, and ExecuteQueryWithDSN; integrates SQL ping and result unmarshalling. |
| Oracle Custom Dialer: pkg/js/libs/oracle/oracledialer.go | Adds internal dialer (oracleCustomDialer) that enforces protocolstate allowlist and uses executionId-specific fast dialer; provides Dial, DialContext, DialTimeout via a shared context-aware helper. |
| Dependencies: go.mod | Adds dependency: github.com/sijms/go-ora/v2 v2.9.0. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant IT as Integration Test
  participant Docker as Oracle XE Container
  participant Nuclei as Nuclei Runner
  participant ORA as Oracle Listener (1521)

  rect rgb(235, 245, 255)
    note over IT,Docker: Setup
    IT->>Docker: Start gvenzl/oracle-xe (ORACLE_PASSWORD=mysecret)
    IT->>ORA: Retry readiness probe on localhost:1521
    ORA-->>IT: Ready (port open)
  end

  rect rgb(240, 255, 240)
    note over IT,Nuclei: Execute template
    IT->>Nuclei: Run oracle-auth-test.yaml with finalURL (mapped 1521)
    Nuclei-->>IT: Results
    IT->>IT: Validate expectResultsCount(..., 1)
  end

  rect rgb(255, 240, 240)
    note over IT,Docker: Teardown
    IT->>Docker: Purge container
  end
sequenceDiagram
  autonumber
  participant JS as JavaScript Runtime
  participant OCI as OracleClient
  participant Dial as oracleCustomDialer
  participant PS as protocolstate
  participant GOORA as go-ora Connector
  participant DB as Oracle DB

  rect rgb(235,245,255)
    note over JS,OCI: Connect / ExecuteQuery Flow
    JS->>OCI: Connect(host, port, service, user, pass)
    OCI->>GOORA: Build DSN and create connector (with Dial)
    GOORA->>Dial: DialContext(network, address)
    Dial->>PS: GetDialersWithId(executionId)
    PS-->>Dial: Fastdialer
    Dial->>PS: IsHostAllowed(address)?
    PS-->>Dial: Allowed / Denied
    alt Allowed
      Dial->>DB: TCP connect via Fastdialer
      DB-->>GOORA: Connected
      GOORA-->>OCI: Ping OK
      OCI-->>JS: true
    else Denied
      Dial-->>GOORA: Error (host denied)
      GOORA-->>OCI: Error
      OCI-->>JS: false/error
    end
  end

  rect rgb(240,255,240)
    JS->>OCI: ExecuteQuery(host, port, user, pass, dbName, query)
    OCI->>GOORA: Open via DSN, run query
    GOORA->>DB: Execute SQL
    DB-->>GOORA: Rows
    GOORA-->>OCI: Rows
    OCI-->>JS: utils.SQLResult
  end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Pre-merge checks (2 passed, 3 warnings)

❌ Failed checks (3 warnings)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Title Check | ⚠️ Warning | The current title is a raw URL and does not describe the pull request's purpose; it fails to summarize the primary change which adds Oracle support (JS OracleClient, custom dialer, go-ora dependency) and an Oracle integration test, so it does not meet the concise, descriptive-title requirement. | Replace the title with a short, descriptive sentence such as "Add Oracle JS client, custom dialer, go-ora dependency and Oracle integration tests (oracle-auth-test)" and remove the external PR URL so the title clearly highlights the primary change. |
| Linked Issues Check | ⚠️ Warning | Linked issue [#4872] requests implementation of oracle-brute, oracle-brute-stealth, oracle-enum-users and oracle-sid-brute; this PR provides Oracle infrastructure (OracleClient, custom dialer, go-ora dependency and an integration test) but does not implement the listed brute/enumeration features or their nuclei templates, so the code changes do not satisfy the primary coding objectives of [#4872]. | Either remove or postpone the "Closes #4872" claim and mark this PR as preparatory/incremental work, or extend the PR to implement each requested feature (oracle-brute, oracle-brute-stealth, oracle-enum-users, oracle-sid-brute) with corresponding code, nuclei templates and tests, then update the PR description to list completed items. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Out of Scope Changes Check | ✅ Passed | All modified files (go.mod, pkg/js/libs/oracle/*, and cmd/integration-test/javascript.go) are focused on adding Oracle support and integration tests and I do not see unrelated code changes, so there are no out-of-scope code modifications detected; the remaining issue is that the PR's claimed scope (closing [#4872]) is broader than the implemented features. |

Poem

A bunny spins up XE with cheer,
Ears perked—port 1521’s near.
It dials with care, checks who’s allowed,
Hops through queries, modest but proud.
With go-ora packed in its burrow tight,
It squeaks: “Auth passed!” beneath moonlight. 🐇✨


@Mzack9999 Mzack9999 marked this pull request as ready for review September 12, 2025 09:30
@auto-assign auto-assign bot requested a review from dogancanbakir September 12, 2025 09:30
coderabbitai bot (Contributor) left a comment

Actionable comments posted: 7

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
pkg/js/libs/oracle/oracle.go (1)

81-81: Fix duplicate assignment to resp.Banner.

Line 81 overwrites the value set in line 80. This appears to be a bug where both the version and metadata info should be preserved.

-	resp.Banner = service.Version
-	resp.Banner = service.Metadata().(plugins.ServiceOracle).Info
+	resp.Banner = service.Version
+	if metadata, ok := service.Metadata().(plugins.ServiceOracle); ok && metadata.Info != "" {
+		resp.Banner = metadata.Info
+	}
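Review bot: the replacement still assigns metadata.Info over service.Version whenever Info is non-empty, so the version is discarded in exactly the case where the comment says both values should be preserved. If both are wanted, keep them in separate fields or join them into one banner string; if Info is meant to win, say so in a code comment. The comma-ok assertion on service.Metadata() is worth keeping either way, since the original form panics on any other metadata type.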
🧹 Nitpick comments (4)
pkg/js/libs/oracle/oracledialer.go (2)

17-27: Consider adding connection timeout handling in dialWithCtx.

The method properly integrates with the protocol state and policy checks. However, unlike DialTimeout which creates its own timeout context, dialWithCtx relies entirely on the passed context for timeout control. Consider documenting that callers should set appropriate timeouts on the context.


29-31: Consider using context.Background() instead of context.TODO().

Since this is a production implementation rather than a placeholder, context.Background() would be more appropriate than context.TODO().

 func (o *oracleCustomDialer) Dial(network, address string) (net.Conn, error) {
-	return o.dialWithCtx(context.TODO(), network, address)
+	return o.dialWithCtx(context.Background(), network, address)
 }
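Review bot: context.Background() in Dial carries no deadline or cancellation, the same as context.TODO(), so this path stays unbounded in dialWithCtx, which per the note above takes its timeout only from the context it is given. Consider giving Dial a default bound, for example by routing it through DialTimeout with a fixed duration, so a listener that never answers cannot hold the connector open.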
cmd/integration-test/javascript.go (1)

201-219: Consider increasing Oracle container startup timeout.

Oracle XE containers typically take longer to initialize than Redis or SSH containers. The 30-second expiry might be insufficient for Oracle to fully start up, especially on slower systems. Consider extending this to 60-90 seconds.

-	// by default expire after 30 sec
-	if err := oracleResource.Expire(30); err != nil {
+	// Oracle containers need more time to initialize
+	if err := oracleResource.Expire(90); err != nil {
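Review bot: Expire is the container's expiry, as the removed comment says ("expire after 30 sec"), not a startup wait, so the new comment on the added line misdescribes it. The 90 seconds has to cover initialization, the readiness retry and the template run together; word the comment that way, and size the value against the slowest CI runner rather than a typical start.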
pkg/js/libs/oracle/oracle.go (1)

203-208: Clarify the error handling logic with a comment.

The logic to return partial results when an error occurs might be confusing. Consider adding a comment to explain this behavior.

 	data, err := utils.UnmarshalSQLRows(rows)
 	if err != nil {
+		// Return partial results if any rows were successfully parsed before the error
 		if data != nil && len(data.Rows) > 0 {
 			return data, nil
 		}
 		return nil, err
 	}
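Review bot: the added comment documents the branch, but the branch still returns data, nil, so a caller cannot tell a truncated result set from a complete one. Either return the partial data together with err, or record the truncation on the result, and mention it in the JSDoc for ExecuteQueryWithDSN so template authors know a result may be incomplete.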
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4b22a3d and c863143.

⛔ Files ignored due to path filters (4)
  • go.sum is excluded by !**/*.sum
  • pkg/js/generated/go/liboracle/oracle.go is excluded by !**/generated/**
  • pkg/js/generated/ts/oracle.ts is excluded by !**/generated/**
  • pkg/protocols/javascript/testcases/oracle-auth-test.yaml is excluded by !**/*.yaml
📒 Files selected for processing (4)
  • cmd/integration-test/javascript.go (3 hunks)
  • go.mod (1 hunks)
  • pkg/js/libs/oracle/oracle.go (4 hunks)
  • pkg/js/libs/oracle/oracledialer.go (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.go: Format Go code using go fmt
Run static analysis with go vet

Files:

  • pkg/js/libs/oracle/oracledialer.go
  • cmd/integration-test/javascript.go
  • pkg/js/libs/oracle/oracle.go
🧬 Code graph analysis (3)
pkg/js/libs/oracle/oracledialer.go (2)
pkg/protocols/common/protocolstate/state.go (1)
  • GetDialersWithId (39-45)
pkg/protocols/common/protocolstate/headless.go (2)
  • IsHostAllowed (124-150)
  • ErrHostDenied (22-22)
cmd/integration-test/javascript.go (1)
pkg/testutils/integration.go (2)
  • TestCase (247-250)
  • RunNucleiTemplateAndGetResults (30-32)
pkg/js/libs/oracle/oracle.go (3)
pkg/js/generated/ts/oracle.ts (8)
  • OracleClient (27-97)
  • IsOracle (65-67)
  • IsOracleResponse (13-16)
  • Connect (40-42)
  • ConnectWithDSN (53-55)
  • ExecuteQuery (80-82)
  • SQLResult (102-106)
  • ExecuteQueryWithDSN (94-96)
pkg/protocols/common/contextargs/contextargs.go (1)
  • Context (22-33)
pkg/js/utils/util.go (1)
  • UnmarshalSQLRows (23-90)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Integration tests (macOS-latest)
🔇 Additional comments (2)
go.mod (1)

116-116: LGTM! Oracle driver dependency added appropriately.

The addition of github.com/sijms/go-ora/v2 v2.9.0 is correctly placed in the require block and aligns with the Oracle database support being added in this PR.

pkg/js/libs/oracle/oracle.go (1)

113-114: Fix JSDoc syntax error.

Missing parentheses in the constructor call.

 // const oracle = require('nuclei/oracle');
-// const client = new oracle.OracleClient;
+// const client = new oracle.OracleClient();
 // client.Connect('acme.com', 1521, 'XE', 'user', 'password');

Likely an incorrect or invalid review comment.

Comment on lines +118 to +119
//let ssh server start
time.Sleep(3 * time.Second)

⚠️ Potential issue

Fix copy-paste comment error.

The comment mentions "ssh server" but this is the Oracle authentication test.

-			//let ssh server start
+			//let oracle server start
🤖 Prompt for AI Agents
In cmd/integration-test/javascript.go around lines 118 to 119, the comment above
the time.Sleep call incorrectly refers to "ssh server"; update the comment to
accurately describe the delay purpose for the Oracle authentication test (e.g.,
"let Oracle auth service initialize" or "wait for Oracle authentication to be
ready") so the comment matches the code intent.

Comment on lines +30 to 40
// Client is a client for Oracle database.
// Internally client uses oracle/godror driver.
// @example
// ```javascript
// const oracle = require('nuclei/oracle');
// const client = new oracle.OracleClient();
// ```
OracleClient struct {
connector *goora.OracleConnector
}
)

⚠️ Potential issue

Fix JSDoc comment typo.

The comment incorrectly states "Internally client uses oracle/godror driver" but the code actually uses go-ora/v2.

 	// Client is a client for Oracle database.
-	// Internally client uses oracle/godror driver.
+	// Internally client uses go-ora/v2 driver.
 	// @example
🤖 Prompt for AI Agents
In pkg/js/libs/oracle/oracle.go around lines 30 to 40, the JSDoc comment
incorrectly states the driver as "oracle/godror"; update the comment to
accurately reference go-ora/v2 (e.g., "Internally client uses go-ora/v2") so the
documentation matches the actual implementation and remove or replace any
misleading driver names.

Comment on lines +49 to 52
func (c *OracleClient) IsOracle(ctx context.Context, host string, port int) (IsOracleResponse, error) {
executionId := ctx.Value("executionId").(string)
return memoizedisOracle(executionId, host, port)
}

⚠️ Potential issue

Add nil check for executionId.

The method assumes executionId exists in the context and will panic if it's missing. Add a defensive check.

 func (c *OracleClient) IsOracle(ctx context.Context, host string, port int) (IsOracleResponse, error) {
-	executionId := ctx.Value("executionId").(string)
+	executionId, ok := ctx.Value("executionId").(string)
+	if !ok || executionId == "" {
+		return IsOracleResponse{}, fmt.Errorf("executionId not found in context")
+	}
 	return memoizedisOracle(executionId, host, port)
 }
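Review bot: the error text "executionId not found in context" on the added return also covers a value of the wrong type and an empty string, which will mislead whoever debugs it; distinguish the cases or say "missing or invalid". The same added lines are proposed again for ConnectWithDSN and ExecuteQueryWithDSN, so put the check in one unexported helper that returns (string, error) and call it from all three, and add the fmt import the suggestion relies on.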
🤖 Prompt for AI Agents
In pkg/js/libs/oracle/oracle.go around lines 49-52, the code unsafely assumes
ctx.Value("executionId") exists and panics if missing; add a nil/type check
before asserting: retrieve v := ctx.Value("executionId"), assert id, ok :=
v.(string) and if !ok || id == "" return an appropriate error (e.g., fmt.Errorf
or errors.New) and avoid calling memoizedisOracle; otherwise call
memoizedisOracle(id, host, port). Also add the necessary import for fmt/errors
if not present.

Comment on lines +122 to +145
func (c *OracleClient) ConnectWithDSN(ctx context.Context, dsn string) (bool, error) {
executionId := ctx.Value("executionId").(string)

connector, err := c.oracleDbInstance(dsn, executionId)
if err != nil {
return false, err
}

db := sql.OpenDB(connector)
defer func() {
_ = db.Close()
}()

db.SetMaxOpenConns(1)
db.SetMaxIdleConns(0)

// Test the connection
err = db.Ping()
if err != nil {
return false, err
}

return true, nil
}

⚠️ Potential issue

Add nil check for executionId in ConnectWithDSN.

Similar to the IsOracle method, this needs defensive handling for missing executionId.

 func (c *OracleClient) ConnectWithDSN(ctx context.Context, dsn string) (bool, error) {
-	executionId := ctx.Value("executionId").(string)
+	executionId, ok := ctx.Value("executionId").(string)
+	if !ok || executionId == "" {
+		return false, fmt.Errorf("executionId not found in context")
+	}
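Review bot: with this guard in place, the ctx in the signature is still used only to read executionId; the function body quoted above calls db.Ping(), which ignores the caller's cancellation and deadline. Switch to db.PingContext(ctx) in the same change so a cancelled scan stops waiting on the listener.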
🤖 Prompt for AI Agents
In pkg/js/libs/oracle/oracle.go around lines 122 to 145, the code
unconditionally type-asserts ctx.Value("executionId").(string) which can panic
if executionId is missing or not a string; add a defensive nil/type check
similar to IsOracle: first retrieve v := ctx.Value("executionId"), if v == nil
return false with a clear error, then do s, ok := v.(string) and if !ok return
false with a clear error; use those early returns instead of allowing a panic so
connector creation handles missing/invalid executionId gracefully.

Comment on lines +147 to +155
// ExecuteQuery connects to MS SQL database using given credentials and executes a query.
// It returns the results of the query or an error if something goes wrong.
// @example
// ```javascript
// const oracle = require('nuclei/oracle');
// const client = new oracle.OracleClient;
// const result = client.ExecuteQuery('acme.com', 1521, 'username', 'password', 'XE', 'SELECT @@version');
// log(to_json(result));
// ```

⚠️ Potential issue

Fix incorrect comment and JSDoc examples.

The comment mentions "MS SQL database" but this is for Oracle. Also, the JSDoc example incorrectly uses SELECT @@version which is MySQL/SQL Server syntax, not Oracle.

-// ExecuteQuery connects to MS SQL database using given credentials and executes a query.
+// ExecuteQuery connects to Oracle database using given credentials and executes a query.
 // It returns the results of the query or an error if something goes wrong.
 // @example
 // ```javascript
 // const oracle = require('nuclei/oracle');
-// const client = new oracle.OracleClient;
-// const result = client.ExecuteQuery('acme.com', 1521, 'username', 'password', 'XE', 'SELECT @@version');
+// const client = new oracle.OracleClient();
+// const result = client.ExecuteQuery('acme.com', 1521, 'username', 'password', 'XE', 'SELECT * FROM v$version');
 // log(to_json(result));
 // ```
🤖 Prompt for AI Agents
In pkg/js/libs/oracle/oracle.go around lines 147 to 155, the function comment
and JSDoc example are incorrect: they reference "MS SQL" and use a non-Oracle
query; update the comment to say "Oracle database" and correct the example to
use a valid Oracle query and proper JS constructor call (e.g., use SELECT * FROM
v$version and new oracle.OracleClient() ), keeping the rest of the example
intact.

Comment on lines +174 to +181
// ExecuteQueryWithDSN executes a query on an Oracle database using a DSN
// @example
// ```javascript
// const oracle = require('nuclei/oracle');
// const client = new oracle.OracleClient;
// const result = client.ExecuteQueryWithDSN('oracle://user:password@host:port/service', 'SELECT @@version');
// log(to_json(result));
// ```

⚠️ Potential issue

Fix JSDoc syntax errors.

Missing parentheses in constructor call and incorrect SQL syntax for Oracle.

 // @example
 // ```javascript
 // const oracle = require('nuclei/oracle');
-// const client = new oracle.OracleClient;
-// const result = client.ExecuteQueryWithDSN('oracle://user:password@host:port/service', 'SELECT @@version');
+// const client = new oracle.OracleClient();
+// const result = client.ExecuteQueryWithDSN('oracle://user:password@host:port/service', 'SELECT * FROM v$version');
 // log(to_json(result));
 // ```
🤖 Prompt for AI Agents
In pkg/js/libs/oracle/oracle.go around lines 174 to 181, the JSDoc example has
syntax errors: the constructor call is missing parentheses and the sample SQL is
not valid for Oracle; update the example to instantiate the client with new
oracle.OracleClient() and replace the query 'SELECT @@version' with a valid
Oracle query such as 'SELECT * FROM v$version' so the snippet compiles and
demonstrates a correct Oracle query.

Comment on lines +182 to +210
func (c *OracleClient) ExecuteQueryWithDSN(ctx context.Context, dsn string, query string) (*utils.SQLResult, error) {
executionId := ctx.Value("executionId").(string)

connector, err := c.oracleDbInstance(dsn, executionId)
if err != nil {
return nil, err
}
db := sql.OpenDB(connector)
defer func() {
_ = db.Close()
}()

db.SetMaxOpenConns(1)
db.SetMaxIdleConns(0)

rows, err := db.Query(query)
if err != nil {
return nil, err
}

data, err := utils.UnmarshalSQLRows(rows)
if err != nil {
if data != nil && len(data.Rows) > 0 {
return data, nil
}
return nil, err
}
return data, nil
}

⚠️ Potential issue

Add nil check for executionId in ExecuteQueryWithDSN.

Consistent with other methods, add defensive handling for missing executionId.

 func (c *OracleClient) ExecuteQueryWithDSN(ctx context.Context, dsn string, query string) (*utils.SQLResult, error) {
-	executionId := ctx.Value("executionId").(string)
+	executionId, ok := ctx.Value("executionId").(string)
+	if !ok || executionId == "" {
+		return nil, fmt.Errorf("executionId not found in context")
+	}
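Review bot: the guard fixes the panic on the first line of the function, but the body quoted above has two gaps the suggestion leaves alone: db.Query(query) does not take ctx, and rows is never closed in the visible code. Use db.QueryContext(ctx, query) and add defer rows.Close() after the error check, unless utils.UnmarshalSQLRows is documented to close the rows itself.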
🤖 Prompt for AI Agents
In pkg/js/libs/oracle/oracle.go around lines 182 to 210, the code directly
type-asserts ctx.Value("executionId").(string) which can panic if the key is
missing; add a nil/type-check by retrieving the value with v, ok :=
ctx.Value("executionId") and then s, ok2 := v.(string) (or combine into s, ok :=
ctx.Value("executionId").(string)); if not present/valid return a clear error
(e.g., fmt.Errorf or errors.New) instead of panicking, and only call
c.oracleDbInstance(dsn, executionId) when executionId is validated. Ensure the
function returns the error early and does not proceed to open the DB when
executionId is missing.
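
The policy-enforcing dialer and the executionId guard discussed in this review, as an added Go example that is not the PR's code. policyDialer, executionIDFrom, errHostDenied and the allowed/dial callbacks are hypothetical stand-ins for oracleCustomDialer, protocolstate.IsHostAllowed, ErrHostDenied and the fast dialer, whose real signatures are not shown on this page.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"time"
)

// errHostDenied is a stand-in for protocolstate.ErrHostDenied (assumption).
var errHostDenied = errors.New("host denied by network policy")

// executionIDFrom reads the "executionId" context value with a comma-ok
// assertion, so a missing, non-string or empty value is an error, not a panic.
func executionIDFrom(ctx context.Context) (string, error) {
	id, ok := ctx.Value("executionId").(string)
	if !ok || id == "" {
		return "", errors.New("executionId missing or invalid in context")
	}
	return id, nil
}

// policyDialer is a hypothetical dialer that consults an allowlist before any
// socket is opened. Both callbacks are assumptions standing in for the
// project's policy check and its per-execution dialer.
type policyDialer struct {
	executionID string
	allowed     func(executionID, host string) bool
	dial        func(ctx context.Context, network, address string) (net.Conn, error)
}

// DialContext enforces the policy first, then dials with the caller's context.
func (d *policyDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return nil, fmt.Errorf("invalid address %q: %w", address, err)
	}
	if !d.allowed(d.executionID, host) {
		return nil, fmt.Errorf("%w: %s", errHostDenied, address)
	}
	return d.dial(ctx, network, address)
}

// DialTimeout bounds the dial with its own deadline.
func (d *policyDialer) DialTimeout(network, address string, timeout time.Duration) (net.Conn, error) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	return d.DialContext(ctx, network, address)
}

// Dial has no context parameter, so it applies a default bound instead of
// dialing with a deadline-free context.
func (d *policyDialer) Dial(network, address string) (net.Conn, error) {
	return d.DialTimeout(network, address, 10*time.Second)
}

func main() {
	// Constructed inputs: one allowed host and an in-memory connection.
	ctx := context.WithValue(context.Background(), "executionId", "exec-1")
	id, err := executionIDFrom(ctx)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	d := &policyDialer{
		executionID: id,
		allowed:     func(_, host string) bool { return host == "db.allowed.example" },
		dial: func(context.Context, string, string) (net.Conn, error) {
			client, _ := net.Pipe() // no network traffic
			return client, nil
		},
	}
	for _, addr := range []string{"db.allowed.example:1521", "db.denied.example:1521"} {
		conn, err := d.Dial("tcp", addr)
		fmt.Printf("%s connected=%v err=%v\n", addr, conn != nil, err)
	}
}
```

The policy check runs before the dial callback, so a denied address never reaches the network layer, and errors.Is(err, errHostDenied) lets callers tell a policy refusal from a connection failure.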

@Mzack9999
Member Author

Merging - Already reviewed in #6427

@Mzack9999 Mzack9999 merged commit 09c2ca5 into dev Sep 12, 2025
20 checks passed
@Mzack9999 Mzack9999 deleted the feat-4872-oracle-atp2 branch September 12, 2025 09:45
Development

Successfully merging this pull request may close these issues.

Oracle -Enhancement
