
Commit 85663c9

committed
fix(http): host var scope across multi-request URLs
In multi-request HTTP templates, request-scoped host variables could inherit state from the original input target, and absolute-URL requests could inherit query parameters from the input URL. Fixes #7062 Signed-off-by: Dwi Siswanto <git@dw1.io>
1 parent a825bd0 commit 85663c9

2 files changed

Lines changed: 9 additions & 5 deletions


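--- a/pkg/protocols/http/build_request.go
+++ b/pkg/protocols/http/build_request.go
@@ -250,9 +250,13 @@ func (r *requestGenerator) Make(ctx context.Context, input *contextargs.Context,
 return nil, errkit.Newf("failed to parse url %v while creating http request", reqData)
 }
 // while merging parameters first preference is given to target params
-finalparams := parsed.Params
-finalparams.Merge(reqURL.Params.Encode())
-reqURL.Params = finalparams
+// only merge target params when the evaluated request host matches input host
+// absolute cross-domain URLs should not inherit query params from the original input
+if reqURL.Host == parsed.Host {
+finalparams := parsed.Params
+finalparams.Merge(reqURL.Params.Encode())
+reqURL.Params = finalparams
+}
 return r.generateHttpRequest(ctx, reqURL, finalVars, payloads)
 }
 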
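Review bot: The new guard `if reqURL.Host == parsed.Host` is a byte-for-byte string comparison, so a request URL that differs from the input only in letter case, a trailing dot or an explicit default port (assuming Host carries the port, as in net/url) is treated as cross-domain and silently loses the target's query parameters. That fails in the safe direction for leakage but will be hard to diagnose during a scan; a case-insensitive check such as `if strings.EqualFold(reqURL.Host, parsed.Host) {` (if `strings` is imported in this file) would cover the common case. The scheme is not compared either, so an absolute `http://` URL on the same host still receives the parameters of an `https://` input, and the comment should say whether that is intended. The body of Make starts and ends outside the hunk, and neither of the two changed files is a test, so the cross-host case has no regression test in this commit.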

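--- a/pkg/protocols/http/request.go
+++ b/pkg/protocols/http/request.go
@@ -900,7 +900,7 @@ func (request *Request) executeRequest(input *contextargs.Context, generatedRequ
 // In case of interactsh markers and request times out, still send
 // a callback event so in case we receive an interaction, correlation is possible.
 // Also, to log failed use-cases.
-outputEvent := request.responseToDSLMap(&http.Response{}, input.MetaInput.Input, formedURL, convUtil.String(dumpedRequest), "", "", "", 0, generatedRequest.meta)
+outputEvent := request.responseToDSLMap(&http.Response{}, formedURL, formedURL, convUtil.String(dumpedRequest), "", "", "", 0, generatedRequest.meta)
 if i := strings.LastIndex(hostname, ":"); i != -1 {
 hostname = hostname[:i]
 }
@@ -1024,7 +1024,7 @@ func (request *Request) executeRequest(input *contextargs.Context, generatedRequ
 }
 }
 
-outputEvent := request.responseToDSLMap(respChain.Response(), input.MetaInput.Input, matchedURL, convUtil.String(dumpedRequest), fullResponseStr, bodyStr, headersStr, duration, generatedRequest.meta)
+outputEvent := request.responseToDSLMap(respChain.Response(), matchedURL, matchedURL, convUtil.String(dumpedRequest), fullResponseStr, bodyStr, headersStr, duration, generatedRequest.meta)
 // add response fields to template context and merge templatectx variables to output event
 request.options.AddTemplateVars(input.MetaInput, request.Type(), request.ID, outputEvent)
 if request.options.HasTemplateCtx(input.MetaInput) {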
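Review bot: Both changed calls to `responseToDSLMap` (new lines 903 and 1027) now pass the same value as the second and third arguments (`formedURL, formedURL` and `matchedURL, matchedURL`), which reads like a copy-paste slip and carries no comment saying it is deliberate. The parameter names are not visible here, but if the second argument populates the event's host field, output that used to be keyed on the original input (`input.MetaInput.Input`) is now keyed on the per-request URL. Anything downstream that groups, deduplicates or correlates findings by input target, including the interactsh callback path mentioned in the comment above line 903, should be checked against that. I would add a comment above each call such as `// host is taken from the request URL, not the input target, so request-scoped host variables do not carry over between requests`. executeRequest starts and ends outside both hunks.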
