
Conversation

@Mzack9999
Member

@Mzack9999 Mzack9999 commented Oct 24, 2025

Proposed changes

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Summary by CodeRabbit

  • New Features
    • Introduced Docker sandbox support for code execution, enabling isolated containerized environments with configurable working directories and images for enhanced security and consistency.

@coderabbitai
Contributor

coderabbitai bot commented Oct 24, 2025

Walkthrough

Docker sandbox support is introduced for code execution with a new Sandbox configuration type. Integration tests for virtual environments are added with Linux-only gates. Dependencies are updated, including OpenTelemetry to v1.38.0 and golang.org/x/time to v0.14.0.

Changes

Cohort / File(s) Summary
Code Protocol Sandbox Support
pkg/protocols/code/code.go
Added Sandbox struct with WorkingDir and Image fields; added Sandbox field to Request; introduced useSandbox() helper; modified execution to route through EvalWithVirtualEnv when sandbox is configured.
Integration Tests
cmd/integration-test/code.go
Added two new test cases (sh-virtual.yaml and py-virtual.yaml) with Linux-only DisableOn conditions for virtual environment code execution testing.
Dependency Updates
go.mod
Upgraded gozero to v0.1.1-0.20251027191944-a4ea43320b81; added backoff/v5 v5.0.3; bumped OpenTelemetry suite to v1.38.0; updated golang.org/x/time to v0.14.0.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Request
    participant useSandbox
    participant Eval
    participant EvalWithVirtualEnv
    
    Client->>Request: Execute Code
    Request->>useSandbox: Check if sandbox configured
    
    alt Sandbox Enabled
        useSandbox-->>Request: true
        Request->>EvalWithVirtualEnv: Execute with Docker<br/>(WorkingDir, Image)
        EvalWithVirtualEnv-->>Request: Result
    else Sandbox Disabled
        useSandbox-->>Request: false
        Request->>Eval: Execute normally
        Eval-->>Request: Result
    end
    
    Request-->>Client: Return Result

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • pkg/protocols/code/code.go: Review sandbox struct design, verify useSandbox() logic correctly identifies sandbox configuration, confirm EvalWithVirtualEnv is properly integrated into execution flow, and validate YAML/JSON schema annotations.
  • cmd/integration-test/code.go: Verify test case structure and DisableOn conditions align with existing patterns.
  • go.mod: Confirm no breaking changes from OpenTelemetry and golang.org/x/time version bumps affect downstream code.

Poem

🐰 Sandboxes spring up in Docker's den,
Virtual paths where code runs then,
Linux gates keep tests in line,
Dependencies updated, all is fine!
Hops through environments, safe and sound,
Where rabbit code can freely bound. 🌱

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The pull request title 'adding support for execution in docker' directly reflects the main change in the changeset. The raw summary confirms that sandbox support for Docker execution has been introduced in the code protocol, with new Sandbox type and corresponding logic to route code execution through a Docker sandbox when configured. The title accurately captures this primary feature addition.

@Mzack9999 Mzack9999 marked this pull request as ready for review November 3, 2025 13:31
@auto-assign auto-assign bot requested a review from dogancanbakir November 3, 2025 13:31
@Mzack9999
Member Author

@coderabbitai create an issue for this PR: it depends on projectdiscovery/gozero#25 and introduces execution of nuclei code templates into a virtualized docker environment

@coderabbitai
Contributor

coderabbitai bot commented Nov 3, 2025

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Create a GitHub issue for PR #6549

gh issue create \
  --repo projectdiscovery/nuclei \
  --title "Docker Sandbox Support for Code Execution" \
  --body "This issue tracks the implementation of Docker sandbox support for executing nuclei code templates in a virtualized Docker environment.

## Dependencies
This feature depends on: https://github.com/projectdiscovery/gozero/pull/25

## Description
This feature introduces the ability to execute nuclei code templates within isolated Docker containers, providing enhanced security and consistency through containerized environments with configurable working directories and images.

## Related Pull Request
- PR: https://github.com/projectdiscovery/nuclei/pull/6549

## Requested by
@Mzack9999

---
_This issue was created from [this comment](https://github.com/projectdiscovery/nuclei/pull/6549#discussion_r1)._" \
  --assignee Mzack9999

Length of output: 54


@Mzack9999: I've created issue #6582 for this PR. The issue includes:

You can view the issue here: #6582

@Mzack9999 Mzack9999 linked an issue Nov 3, 2025 that may be closed by this pull request
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
pkg/protocols/code/code.go (1)

49-52: LGTM! Consider adding field validation.

The Sandbox struct is well-defined with appropriate YAML/JSON tags. However, consider adding validation in the future to ensure WorkingDir (if provided) is an absolute path and Image is a valid Docker image reference.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d2ae352 and c4a63ec.

⛔ Files ignored due to path filters (3)
  • go.sum is excluded by !**/*.sum
  • integration_tests/protocols/code/py-virtual.yaml is excluded by !**/*.yaml
  • integration_tests/protocols/code/sh-virtual.yaml is excluded by !**/*.yaml
📒 Files selected for processing (3)
  • cmd/integration-test/code.go (1 hunks)
  • go.mod (4 hunks)
  • pkg/protocols/code/code.go (5 hunks)
🧰 Additional context used
📓 Path-based instructions (2)
**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.go: Format Go code using go fmt
Run static analysis with go vet

Files:

  • cmd/integration-test/code.go
  • pkg/protocols/code/code.go
pkg/protocols/**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

Each protocol implementation must provide a Request interface with methods Compile(), ExecuteWithResults(), Match(), and Extract()

Files:

  • pkg/protocols/code/code.go
🧬 Code graph analysis (2)
cmd/integration-test/code.go (1)
pkg/testutils/integration.go (1)
  • TestCase (247-250)
pkg/protocols/code/code.go (1)
pkg/protocols/protocols.go (1)
  • Request (308-333)
🔇 Additional comments (4)
pkg/protocols/code/code.go (2)

479-481: LGTM! Sandbox detection logic is clear.

The useSandbox() helper correctly checks both that Sandbox is not nil and that Image is non-empty, which is the minimum requirement for Docker execution.


255-265: Sandbox configuration lacks pre-flight validation before passing to gozero.

The useSandbox() method (line 480) validates only that Sandbox is non-nil and Image is non-empty. The WorkingDir field and Image format are never validated before construction of DockerConfiguration at lines 260–263. While error handling exists downstream (line 271), the absence of local validation means invalid paths or malformed Docker image references will only surface as runtime errors from gozero.

Add validation for:

  • Image: Verify it matches valid Docker image reference format
  • WorkingDir: Validate path constraints (absolute path, accessible, etc.)

Alternatively, document that gozero performs these validations and handles invalid configurations gracefully.

cmd/integration-test/code.go (1)

27-28: LGTM! Linux-gated virtual environment tests added.

The new test cases for sandbox-based code execution are appropriately gated to Linux-only environments, which is correct for Docker-based virtualization. The test cases reuse the existing codeSnippet implementation, maintaining consistency with the test suite structure.

go.mod (1)

101-101: No security advisories found for the updated dependencies.

The verification check against GitHub's security advisory database confirms that none of the updated dependencies (gozero, OpenTelemetry suite, golang.org/x/time, and backoff/v5) have known security vulnerabilities in their current versions.
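
The pre-flight validation the review above asks for (the nitpick on the Sandbox struct at 49-52 and the comment on the DockerConfiguration construction at 255-265), written out as an added example. This is not code from the PR, from nuclei or from gozero: the Sandbox struct is reconstructed from the two field names in the summary and its struct tags are assumed; ValidateSandbox, maxImageRefLen and the imageRef regex are assumptions introduced here; and the regex is a simplified approximation of the reference grammar in github.com/distribution/reference, which a production implementation would use instead. WorkingDir is treated as a path inside the Linux container, so only its form can be checked before the container exists; the "accessible" part of the review's suggestion cannot be verified from the host at compile time.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
)

// Sandbox mirrors the two fields the PR adds to the code protocol Request
// (WorkingDir and Image, per the summary). The struct tags are assumed here;
// they are not copied from the PR.
type Sandbox struct {
	WorkingDir string `yaml:"working-dir,omitempty" json:"working-dir,omitempty"`
	Image      string `yaml:"image,omitempty" json:"image,omitempty"`
}

// useSandbox reproduces the check the review describes: a sandbox is active
// only when the struct is present and an image is named.
func (s *Sandbox) useSandbox() bool {
	return s != nil && s.Image != ""
}

// imageRef is a simplified Docker image reference grammar:
// [registry[:port]/]repository[:tag][@sha256:digest]. It approximates the
// grammar in github.com/distribution/reference (lowercase repository
// components, separators limited to . _ __ and -, tag of up to 128
// characters) and only accepts sha256 digests. It is an assumption for this
// example, not the reference grammar itself.
var imageRef = regexp.MustCompile(
	`^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?)*(?::[0-9]+)?/)?` + // registry
		`[a-z0-9]+(?:(?:[._]|__|-+)[a-z0-9]+)*(?:/[a-z0-9]+(?:(?:[._]|__|-+)[a-z0-9]+)*)*` + // repository
		`(?::\w[\w.-]{0,127})?` + // tag
		`(?:@sha256:[a-f0-9]{64})?$`) // digest

// maxImageRefLen caps the whole reference: Docker rejects repository names
// longer than 255 characters, so anything longer cannot be valid.
const maxImageRefLen = 255

// ValidateSandbox is the pre-flight check the review asks for. It rejects a
// malformed image reference and a working directory that is not an absolute,
// already-clean container path, so template mistakes surface as a clear
// compile-time message instead of a runtime error from gozero or dockerd.
// A nil or image-less sandbox is not an error: as in useSandbox, it means
// the snippet runs on the host.
func ValidateSandbox(s *Sandbox) error {
	if !s.useSandbox() {
		return nil
	}
	if len(s.Image) > maxImageRefLen || !imageRef.MatchString(s.Image) {
		return fmt.Errorf("sandbox: invalid docker image reference %q", s.Image)
	}
	if s.WorkingDir != "" {
		// WorkingDir names a directory inside the Linux container, so use
		// package path (forward slashes) rather than filepath, which would
		// apply the host's conventions.
		if !path.IsAbs(s.WorkingDir) {
			return fmt.Errorf("sandbox: working-dir %q must be an absolute container path", s.WorkingDir)
		}
		if path.Clean(s.WorkingDir) != s.WorkingDir {
			return fmt.Errorf("sandbox: working-dir %q must be a clean path (no ., .., trailing or doubled slashes)", s.WorkingDir)
		}
	}
	return nil
}

func main() {
	// Constructed sample configurations, as a template author might write them.
	samples := []*Sandbox{
		nil,
		{Image: "python:3.12-alpine", WorkingDir: "/app"},
		{Image: "ghcr.io/projectdiscovery/nuclei:v3"},
		{Image: "Ubuntu:22.04"},
		{Image: "alpine", WorkingDir: "work"},
		{Image: "alpine", WorkingDir: "/work/../etc"},
	}
	for _, s := range samples {
		if err := ValidateSandbox(s); err != nil {
			fmt.Println("reject:", err)
		} else {
			fmt.Printf("accept: %+v\n", s)
		}
	}
}
```

Running ValidateSandbox from Compile() keeps the behaviour of useSandbox unchanged (a missing image still means host execution) while turning the two cases the review names, a malformed reference and a relative or unnormalised working directory, into template compile errors rather than failures that only appear once the container is being created.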

Development

Successfully merging this pull request may close these issues.

Docker Sandbox Support for Code Execution

2 participants