fix: [BUG] Authenticated scanning starts executing templates before th

[SolariSystems]

Summary

Fixes #6592

Fix the race condition between self-contained templates (auth/secret-file) and regular templates by moving the WaitGroup synchronization point to before strategy execution, ensuring auth templates complete first. Also force prefetch when secret files are provided.

Changes Made

Pass 2 direct: Fix the race condition between self-contained templates (auth/secret-file) and regular templates by moving the WaitGroup synchronization point to before strategy execution, ensuring auth templates com

Verification

• Build: PASS
• Tests: N/A
• Lint: PASS

Summary by CodeRabbit

• Bug Fixes
  • Secrets are now pre-fetched when supplied via file, not just when pre-fetch is explicitly enabled, allowing authentication templates to complete properly.
  • Improved template execution order to ensure all authentication and self-contained templates complete before executing target-bound templates, providing more predictable behavior.

/claim #6592

[neo-by-projectdiscovery-dev]

Neo - PR Security Review

No security issues found

Highlights

• Adds WaitGroup synchronization to ensure self-contained templates (auth/secret-file) complete before regular templates execute
• Forces PreFetchSecrets when secrets file is provided to guarantee auth completion
• Moves synchronization point to before strategy execution (TemplateSpray/HostSpray) to prevent race condition

Hardening Notes

• The race condition fix is a security improvement - it prevents regular templates from executing before authentication completes
• WaitGroup is properly managed with defer statements in executeAllSelfContained, preventing potential deadlocks
• The change is purely internal synchronization logic with no new external input handling or attack surface
• All automated security scanners (TruffleHog, Semgrep, ast-grep) reported zero findings

_{Comment @neo help for available commands. · Open in Neo}

[coderabbitai]

Walkthrough

Changes modify the secret pre-fetching logic across two files to trigger when either PreFetchSecrets is enabled OR a SecretsFile is provided. Additionally, adds synchronization to ensure self-contained templates complete before target-bound templates execute, preventing premature template execution before authentication completes.

Changes

Cohort / File(s)	Summary
Secret Pre-fetching Condition Update internal/runner/runner.go, lib/sdk_private.go	Modified the condition for pre-fetching secrets from PreFetchSecrets being true to additionally trigger when a SecretsFile is provided, ensuring auth templates complete before other operations.
Execution Synchronization pkg/core/execute_options.go	Added a WaitGroup synchronization point after self-contained templates execute to ensure they complete before target-bound templates begin, preventing premature template execution during authentication setup.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Runner as Runner/Core
    participant Auth as Auth Template<br/>(Secret File)
    participant Templates as Target Templates

    Note over Client,Templates: Before Fix: Auth not guaranteed to complete first
    Client->>Runner: Start scan with secret-file
    Runner->>Auth: Prefetch auth (only if PreFetchSecrets=true)
    Runner->>Templates: Execute templates (may start concurrently)
    Auth->>Auth: Processing secret file...
    Templates->>Templates: Requests sent unauthenticated

    Note over Client,Templates: After Fix: Auth completes before targets
    Client->>Runner: Start scan with secret-file
    Runner->>Auth: Prefetch auth (if PreFetchSecrets OR SecretsFile exists)
    Auth->>Auth: Processing secret file...
    Auth-->>Runner: Auth complete
    Runner->>Templates: Wait for self-contained to finish
    Templates->>Templates: Requests sent authenticated

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~14 minutes

Poem

🐰 A hop, a skip, before the bound,
Let auth complete, with secrets found!
No rushed templates without their key—
Synchronized flows, authenticated spree! 🔐

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title is incomplete/truncated and does not clearly convey the main change being made.	Complete the title to clearly describe the fix, e.g., 'fix: ensure auth templates complete before executing regular templates when using secret-file'

✅ Passed checks (4 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	The code changes directly address issue #6592 by ensuring auth/secret-file templates complete before other templates execute.
Out of Scope Changes check	✅ Passed	All changes are directly related to fixing the race condition in authenticated scanning; no out-of-scope modifications detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[dogancanbakir]

Hi, thanks for your interest in contributing! Just a heads up, we ask contributors to work on 1 active issue at a time (see).

Also, we welcome AI-assisted development, but submissions must be complete, tested, and ready to merge. Please also make sure to fill out the PR template with proof that your changes work.

We're closing this PR along with your other open submissions. Once you're ready, feel free to pick one issue to focus on and resubmit; we'd be happy to review it.

Appreciate your understanding!