fix: remove nil interface set in createEphemeralObjects to avoid panic

[maxwolf8852]

Proposed changes

This PR fixes #6943. In the createEphemeralObjects, the nil cast to the hosterrorscache.CacheInterface interface has been removed. This previously caused a panic when accessing data here since the interface was not null (but its value does).

Proof

Previously, this code caused a panic when executing the ExecuteNucleiWithOptsCtx function, now the problem is fixed.

func main() {
	options := []nuclei.NucleiSDKOptions{
		withNoHostErrors,
	}
	ne, err := nuclei.NewThreadSafeNucleiEngineCtx(context.TODO(), options...)
	if err != nil {
		panic(err)
	}

	if err := ne.GlobalLoadAllTemplates(); err != nil {
		panic(err)
	}

	ne.GlobalResultCallback(func(event *output.ResultEvent) {
		fmt.Println(event.Host, event.Info.SeverityHolder.Severity)
	})

	if err := ne.ExecuteNucleiWithOptsCtx(context.TODO(), []string{"example.com"}); err != nil {
		panic(err)
	}
}

Checklist

• Pull request is created against the dev branch
• All checks passed (lint, unit/integration/regression tests etc.) with my changes
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

Summary by CodeRabbit

• Tests

  • Added an automated test validating thread-safe engine behavior with host-error protection disabled to help ensure stability.

• Style

  • Minor formatting/alignment adjustments with no functional impact.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Relocated the HostErrorsCache assignment inside createEphemeralObjects in lib/multi.go into the existing if opts.ShouldUseHostError() && base.hostErrCache != nil block (preventing unconditional nil assignment), and added a regression test TestThreadSafeNucleiEngineWithNoHostErrors in lib/sdk_test.go.

Changes

Cohort / File(s)	Summary
ExecutorOptions / HostErrorsCache lib/multi.go	Moved HostErrorsCache field assignment from unconditional initialization into the if opts.ShouldUseHostError() && base.hostErrCache != nil conditional; minor field re-alignment/formatting around the ExecutorOptions struct literal.
Regression test & imports lib/sdk_test.go	Added TestThreadSafeNucleiEngineWithNoHostErrors and imports (os, github.com/projectdiscovery/nuclei/v3/pkg/types); creates a temporary template, builds a thread-safe engine with NoHostErrors=true, loads templates, and executes against http://scanme.sh asserting no errors.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I'm a rabbit in the CI glen, ears all a-flutter,
I nudged a field to skip a nil butter,
Tests hop in line, no panic to fear,
HostErrors tucked safe — threads cheer! 🐇✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: removing a nil interface assignment in createEphemeralObjects that was causing panics.
Linked Issues check	✅ Passed	Changes directly address the root cause identified in issue #6943: HostErrorsCache is no longer set as a nil interface value, preventing the nil-pointer panic when NoHostErrors is enabled.
Out of Scope Changes check	✅ Passed	All changes are directly related to fixing issue #6943. The multi.go change relocates HostErrorsCache assignment conditionally, and the test validates the fix.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

lib/multi.go (1)

37-37: Dead RateLimiter initializer in struct literal.

RateLimiter: base.rateLimiter (line 37) is unconditionally overwritten at line 54 by utils.GetRateLimiter(...) with no intervening read, so the struct-literal assignment is never observed.

♻️ Proposed cleanup

 u.executerOpts = &protocols.ExecutorOptions{
     Output:       base.customWriter,
     Options:      opts,
     Progress:     base.customProgress,
     Catalog:      base.catalog,
     IssuesClient: base.rc,
-    RateLimiter:  base.rateLimiter,
     Interactsh:   base.interactshClient,
     Colorizer:    aurora.NewAurora(true),
     ResumeCfg:    types.NewResumeCfg(),
     Parser:       base.parser,
     Browser:      base.browserInstance,
 }

Also applies to: 54-54

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lib/multi.go` at line 37, The struct literal sets RateLimiter:
base.rateLimiter but that value is immediately overwritten by the subsequent
utils.GetRateLimiter(...) call, making the initial assignment dead; remove the
redundant RateLimiter: base.rateLimiter entry from the struct literal (or,
alternatively, only set RateLimiter to base.rateLimiter if
utils.GetRateLimiter(...) returns nil) so that the final RateLimiter used comes
only from utils.GetRateLimiter(...) or is fallback-assigned consistently; look
for the struct construction where base.rateLimiter is used and the later call to
utils.GetRateLimiter to apply this change.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@lib/multi.go`:
- Line 37: The struct literal sets RateLimiter: base.rateLimiter but that value
is immediately overwritten by the subsequent utils.GetRateLimiter(...) call,
making the initial assignment dead; remove the redundant RateLimiter:
base.rateLimiter entry from the struct literal (or, alternatively, only set
RateLimiter to base.rateLimiter if utils.GetRateLimiter(...) returns nil) so
that the final RateLimiter used comes only from utils.GetRateLimiter(...) or is
fallback-assigned consistently; look for the struct construction where
base.rateLimiter is used and the later call to utils.GetRateLimiter to apply
this change.

[neo-by-projectdiscovery-dev]

Neo - PR Security Review

No security issues found

Highlights

• Fixes nil interface panic in createEphemeralObjects by adding nil check before HostErrorsCache assignment
• Adds test coverage for noHostErrors SDK option

_{Comment @pdneo help for available commands. · Open in Neo}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

lib/sdk_test.go (2)

65-67: Redundant t.Cleanup for temp file removal.

os.CreateTemp(t.TempDir(), ...) places the file inside the directory created by t.TempDir(), which the testing package already deletes automatically at the end of the test. The extra os.Remove cleanup is a no-op.

♻️ Suggested simplification

-	t.Cleanup(func() {
-		_ = os.Remove(tempTemplate.Name())
-	})
-

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lib/sdk_test.go` around lines 65 - 67, Redundant t.Cleanup: remove the
t.Cleanup wrapper that calls os.Remove(tempTemplate.Name()) because the file was
created with os.CreateTemp(t.TempDir(), ...) and the test framework will delete
t.TempDir() automatically; simply delete the t.Cleanup(func() { _ =
os.Remove(tempTemplate.Name()) }) block (references: t.Cleanup, os.Remove,
os.CreateTemp, t.TempDir, tempTemplate.Name()).

---

98-108: Use require.NoError directly; drop the commented-out block.

The if err != nil { require.NoError(...) } pattern appears three times and is inconsistent with the existing test style. A bare require.NoError is equivalent, clearer, and already the project convention. The commented-out callback (lines 102–104) is a debug artifact.

♻️ Suggested simplification

-	if err := ne.GlobalLoadAllTemplates(); err != nil {
-		require.NoError(t, err, "could not load templates")
-	}
-
-	// ne.GlobalResultCallback(func(event *output.ResultEvent) {
-	// 	fmt.Println(event.Host, event.Info.SeverityHolder.Severity)
-	// })
-
-	if err := ne.ExecuteNucleiWithOptsCtx(context.TODO(), []string{"http://scanme.sh"}); err != nil {
-		require.NoError(t, err, "nuclei execution should not return an error")
-	}
+	require.NoError(t, ne.GlobalLoadAllTemplates(), "could not load templates")
+	require.NoError(t, ne.ExecuteNucleiWithOptsCtx(context.TODO(), []string{"http://scanme.sh"}), "nuclei execution should not return an error")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lib/sdk_test.go` around lines 98 - 108, Replace the explicit if err != nil {
require.NoError(t, err, "...") } checks with direct calls to require.NoError(t,
err, "...") for GlobalLoadAllTemplates and ExecuteNucleiWithOptsCtx to match
project test style (use the existing function names GlobalLoadAllTemplates and
ExecuteNucleiWithOptsCtx to locate the assertions), and remove the commented-out
GlobalResultCallback debug block entirely.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@lib/sdk_test.go`:
- Around line 93-96: The test creates a nuclei engine with
nuclei.NewThreadSafeNucleiEngineCtx and stores it in variable ne but never
closes it, leaking goroutines/resources; add a defer ne.Close() immediately
after successful creation (mirroring other tests like
TestContextCancelNucleiEngine and TestHeadlessOptionInitialization) so the
engine is always shut down when the test finishes.

---

Nitpick comments:
In `@lib/sdk_test.go`:
- Around line 65-67: Redundant t.Cleanup: remove the t.Cleanup wrapper that
calls os.Remove(tempTemplate.Name()) because the file was created with
os.CreateTemp(t.TempDir(), ...) and the test framework will delete t.TempDir()
automatically; simply delete the t.Cleanup(func() { _ =
os.Remove(tempTemplate.Name()) }) block (references: t.Cleanup, os.Remove,
os.CreateTemp, t.TempDir, tempTemplate.Name()).
- Around line 98-108: Replace the explicit if err != nil { require.NoError(t,
err, "...") } checks with direct calls to require.NoError(t, err, "...") for
GlobalLoadAllTemplates and ExecuteNucleiWithOptsCtx to match project test style
(use the existing function names GlobalLoadAllTemplates and
ExecuteNucleiWithOptsCtx to locate the assertions), and remove the commented-out
GlobalResultCallback debug block entirely.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 92d6fa2 and 708ff29.

📒 Files selected for processing (2)

• lib/multi.go
• lib/sdk_test.go

✅ Files skipped from review due to trivial changes (1)

• lib/multi.go

[coderabbitai]

♻️ Duplicate comments (1)

lib/sdk_test.go (1)

93-96: ⚠️ Potential issue | 🟡 Minor

Missing defer ne.Close() — resource leak.

Both existing tests call defer ne.Close() immediately after a successful engine creation. This test omits it, leaving goroutines and network resources open until the process exits.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lib/sdk_test.go` around lines 93 - 96, The test creates a nuclei engine with
nuclei.NewThreadSafeNucleiEngineCtx and assigns it to ne but never closes it;
add a deferred close immediately after successful creation — e.g., after
checking err is nil, call defer ne.Close() — so the engine's goroutines and
network resources are cleaned up; update the test around the
nuclei.NewThreadSafeNucleiEngineCtx call to include defer ne.Close().

🧹 Nitpick comments (3)

lib/sdk_test.go (3)

65-67: Redundant t.Cleanup — t.TempDir() already handles removal.

os.CreateTemp(t.TempDir(), ...) stores the file inside a directory created by t.TempDir(), which automatically registers a cleanup that removes the entire directory tree when the test ends. The manual os.Remove is dead code.

♻️ Proposed simplification

-	t.Cleanup(func() {
-		_ = os.Remove(tempTemplate.Name())
-	})
-

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lib/sdk_test.go` around lines 65 - 67, Remove the redundant manual cleanup
that calls t.Cleanup with os.Remove(tempTemplate.Name()) because the file was
created via os.CreateTemp(t.TempDir(), ...) and t.TempDir() already registers
cleanup for the temp directory; locate the t.Cleanup call referencing os.Remove
and delete that block so cleanup is solely handled by t.TempDir().

---

102-104: Remove commented-out debug code.

Dead code should not be committed; if the callback is useful for future debugging, track it in an issue instead.

♻️ Proposed fix

-	// ne.GlobalResultCallback(func(event *output.ResultEvent) {
-	// 	fmt.Println(event.Host, event.Info.SeverityHolder.Severity)
-	// })
-

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lib/sdk_test.go` around lines 102 - 104, Remove the commented-out debug
callback in lib/sdk_test.go: delete the two lines containing the
ne.GlobalResultCallback(...) block (the commented call and its fmt.Println) so
no dead debug code remains; if you want to preserve this snippet for future use,
open an issue referencing GlobalResultCallback and output.ResultEvent instead of
leaving commented code in the test.

---

93-96: Non-idiomatic if err != nil { require.NoError(...) } — three occurrences.

require.NoError already short-circuits on nil (t.FailNow is only called when err != nil), so the if err != nil guard is always redundant. Every other require.NoError call in this file (lines 22, 52, 63, 82, 83) is written without the guard. Mixing patterns reduces readability.

♻️ Proposed fix — apply at all three sites

 	ne, err := nuclei.NewThreadSafeNucleiEngineCtx(context.TODO(), nuclei.WithOptions(options))
-	if err != nil {
-		require.NoError(t, err, "could not create nuclei engine")
-	}
+	require.NoError(t, err, "could not create nuclei engine")
+	defer ne.Close()

-	if err := ne.GlobalLoadAllTemplates(); err != nil {
-		require.NoError(t, err, "could not load templates")
-	}
+	require.NoError(t, ne.GlobalLoadAllTemplates(), "could not load templates")

-	if err := ne.ExecuteNucleiWithOptsCtx(context.TODO(), []string{"scanme.sh"}); err != nil {
-		require.NoError(t, err, "nuclei execution should not return an error")
-	}
+	require.NoError(t, ne.ExecuteNucleiWithOptsCtx(context.TODO(), []string{"scanme.sh"}), "nuclei execution should not return an error")

Also applies to: 98-100, 106-108

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lib/sdk_test.go` around lines 93 - 96, Remove the redundant if err != nil
guards wrapping require.NoError calls: when creating the nuclei engine via
nuclei.NewThreadSafeNucleiEngineCtx (and the two other identical sites), call
require.NoError(t, err, "could not create nuclei engine") directly without the
surrounding if block so the test helper short-circuits correctly and matches the
other require.NoError usages in the file.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@lib/sdk_test.go`:
- Around line 93-96: The test creates a nuclei engine with
nuclei.NewThreadSafeNucleiEngineCtx and assigns it to ne but never closes it;
add a deferred close immediately after successful creation — e.g., after
checking err is nil, call defer ne.Close() — so the engine's goroutines and
network resources are cleaned up; update the test around the
nuclei.NewThreadSafeNucleiEngineCtx call to include defer ne.Close().

---

Nitpick comments:
In `@lib/sdk_test.go`:
- Around line 65-67: Remove the redundant manual cleanup that calls t.Cleanup
with os.Remove(tempTemplate.Name()) because the file was created via
os.CreateTemp(t.TempDir(), ...) and t.TempDir() already registers cleanup for
the temp directory; locate the t.Cleanup call referencing os.Remove and delete
that block so cleanup is solely handled by t.TempDir().
- Around line 102-104: Remove the commented-out debug callback in
lib/sdk_test.go: delete the two lines containing the
ne.GlobalResultCallback(...) block (the commented call and its fmt.Println) so
no dead debug code remains; if you want to preserve this snippet for future use,
open an issue referencing GlobalResultCallback and output.ResultEvent instead of
leaving commented code in the test.
- Around line 93-96: Remove the redundant if err != nil guards wrapping
require.NoError calls: when creating the nuclei engine via
nuclei.NewThreadSafeNucleiEngineCtx (and the two other identical sites), call
require.NoError(t, err, "could not create nuclei engine") directly without the
surrounding if block so the test helper short-circuits correctly and matches the
other require.NoError usages in the file.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 708ff29 and b987c4b.

📒 Files selected for processing (1)

• lib/sdk_test.go

[coderabbitai]

🧹 Nitpick comments (3)

lib/sdk_test.go (3)

65-67: Redundant t.Cleanup — t.TempDir() already owns cleanup.

t.TempDir() registers its own t.Cleanup that removes the entire directory (including the file inside) when the test ends. The explicit os.Remove is never needed and can be dropped entirely.

🧹 Proposed fix

-	t.Cleanup(func() {
-		_ = os.Remove(tempTemplate.Name())
-	})
-

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lib/sdk_test.go` around lines 65 - 67, Remove the redundant cleanup: delete
the t.Cleanup wrapper that calls os.Remove(tempTemplate.Name()) since
t.TempDir() already registers cleanup for the directory and its contents; simply
rely on t.TempDir() and keep the tempTemplate variable usage but remove the
explicit os.Remove call and its surrounding t.Cleanup block (referencing
tempTemplate and t.TempDir()).

---

104-106: Remove commented-out GlobalResultCallback block.

Debug/example code left as a comment should be cleaned up before merging. If the intent is to show usage, a code comment (not commented-out code) or a separate example file would be more appropriate.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lib/sdk_test.go` around lines 104 - 106, Remove the commented-out
debug/example block that calls ne.GlobalResultCallback and prints event.Host and
event.Info.SeverityHolder.Severity; either delete those commented lines entirely
or move their intent into a proper example/test file or explanatory comment.
Locate the commented block referencing GlobalResultCallback and
output.ResultEvent in the test (the lines starting with //
ne.GlobalResultCallback(...)) and remove it so the test file contains no
leftover commented-out code.

---

93-96: Unwrap the redundant if err != nil guard around require.NoError.

require.NoError(t, err, ...) already short-circuits the test when err != nil; the enclosing if adds no value and diverges from the idiomatic style used everywhere else in this file.

♻️ Proposed fix (all three sites)

-	ne, err := nuclei.NewThreadSafeNucleiEngineCtx(context.TODO(), nuclei.WithOptions(options))
-	if err != nil {
-		require.NoError(t, err, "could not create nuclei engine")
-	}
+	ne, err := nuclei.NewThreadSafeNucleiEngineCtx(context.TODO(), nuclei.WithOptions(options))
+	require.NoError(t, err, "could not create nuclei engine")

 	defer ne.Close()

-	if err := ne.GlobalLoadAllTemplates(); err != nil {
-		require.NoError(t, err, "could not load templates")
-	}
+	require.NoError(t, ne.GlobalLoadAllTemplates(), "could not load templates")

-	if err := ne.ExecuteNucleiWithOptsCtx(context.TODO(), []string{"scanme.sh"}); err != nil {
-		require.NoError(t, err, "nuclei execution should not return an error")
-	}
+	require.NoError(t, ne.ExecuteNucleiWithOptsCtx(context.TODO(), []string{"scanme.sh"}), "nuclei execution should not return an error")

Also applies to: 100-102, 108-110

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lib/sdk_test.go` around lines 93 - 96, The current pattern wraps
require.NoError(t, err, ...) inside an unnecessary if err != nil { ... } guard
around calls to nuclei.NewThreadSafeNucleiEngineCtx; remove the redundant if
checks and directly call require.NoError(t, err, "could not create nuclei
engine") (and analogous messages) after the NewThreadSafeNucleiEngineCtx calls
so the test short-circuits idiomatically; update all three occurrences that
follow this pattern (look for NewThreadSafeNucleiEngineCtx + err +
require.NoError usage).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@lib/sdk_test.go`:
- Around line 65-67: Remove the redundant cleanup: delete the t.Cleanup wrapper
that calls os.Remove(tempTemplate.Name()) since t.TempDir() already registers
cleanup for the directory and its contents; simply rely on t.TempDir() and keep
the tempTemplate variable usage but remove the explicit os.Remove call and its
surrounding t.Cleanup block (referencing tempTemplate and t.TempDir()).
- Around line 104-106: Remove the commented-out debug/example block that calls
ne.GlobalResultCallback and prints event.Host and
event.Info.SeverityHolder.Severity; either delete those commented lines entirely
or move their intent into a proper example/test file or explanatory comment.
Locate the commented block referencing GlobalResultCallback and
output.ResultEvent in the test (the lines starting with //
ne.GlobalResultCallback(...)) and remove it so the test file contains no
leftover commented-out code.
- Around line 93-96: The current pattern wraps require.NoError(t, err, ...)
inside an unnecessary if err != nil { ... } guard around calls to
nuclei.NewThreadSafeNucleiEngineCtx; remove the redundant if checks and directly
call require.NoError(t, err, "could not create nuclei engine") (and analogous
messages) after the NewThreadSafeNucleiEngineCtx calls so the test
short-circuits idiomatically; update all three occurrences that follow this
pattern (look for NewThreadSafeNucleiEngineCtx + err + require.NoError usage).

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b987c4b and 002b58d.

📒 Files selected for processing (1)

• lib/sdk_test.go