From 04c99a37cd487c9be3e7a0933bdbcea779468fda Mon Sep 17 00:00:00 2001
From: Sean Smith
Date: Mon, 19 Aug 2024 13:58:46 -0500
Subject: [PATCH] Make sure to check redirects before we loop through and parse the host
Properly handle no redirects wanted to return success
---
 lib/http/client.go | 11 +++++++++++
 modules/http/scanner.go | 6 +++++-
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/lib/http/client.go b/lib/http/client.go
index f7b05c51..b9340b61 100644
--- a/lib/http/client.go
+++ b/lib/http/client.go
@@ -614,6 +614,17 @@ func (c *Client) Do(req *Request) (resp *Response, err error) {
 }
 return nil, uerr(err)
 }
+ err = c.checkRedirect(req, resp, reqs)
+
+ // Sentinel error to let users select the
+ // previous response, without closing its
+ // body. See Issue 10069.
+ if err == ErrUseLastResponse {
+ return resp, nil
+ }
+ if err != nil {
+ return resp, err
+ }
 var shouldRedirect bool
 redirectMethod, shouldRedirect, includeBody = redirectBehavior(req.Method, resp, reqs[0])
diff --git a/modules/http/scanner.go b/modules/http/scanner.go
index b63aba3c..14452813 100644
--- a/modules/http/scanner.go
+++ b/modules/http/scanner.go
@@ -37,6 +37,8 @@ var (
 // ErrTooManyRedirects is returned when the number of HTTP redirects exceeds
 // MaxRedirects.
 ErrTooManyRedirects = errors.New("Too many redirects")
+
+ ErrDoNotRedirect = errors.New("No redirects configured")
 )
 // Flags holds the command-line configuration for the HTTP scan module.
@@ -389,7 +391,7 @@ func redirectsToLocalhost(host string) bool {
 func (scan *scan) getCheckRedirect() func(*http.Request, *http.Response, []*http.Request) error {
 return func(req *http.Request, res *http.Response, via []*http.Request) error {
 if scan.scanner.config.MaxRedirects == 0 {
- return nil
+ return ErrDoNotRedirect
 }
 if len(via) > scan.scanner.config.MaxRedirects {
 return ErrTooManyRedirects
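Review bot: The new `return resp, err` path hands back a response without anything in the hunk closing its body, and the error is returned bare while the transport error two lines above goes through `uerr`, so callers see two different error shapes from the same function. The check is also placed before `redirectBehavior` decides whether the response redirects at all, so a policy that rejects (the scanner's MaxRedirects == 0 case on this same page) appears to fire on the final, non-redirecting response as well. If that is the intended contract, state it in Do's doc comment: `// Do consults the redirect check for every response, not only redirects; when it returns an error other than ErrUseLastResponse, Do returns that error together with the response, whose Body the caller must still close.` Do's body begins and ends outside the hunk, so the close may happen elsewhere — please confirm.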
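Review bot: `ErrDoNotRedirect` is exported but has no doc comment, whereas the neighbouring `ErrTooManyRedirects` documents when it is returned. Suggested comment above the new line: `// ErrDoNotRedirect is returned by the redirect check when MaxRedirects is 0, so the first response is reported as the result instead of following any redirect.` The capitalised error string matches the file's existing style even though staticcheck (ST1005) would prefer lowercase; staying consistent with `ErrTooManyRedirects` is the reasonable choice here.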
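Review bot: The `MaxRedirects == 0` branch returns `ErrDoNotRedirect` before looking at `res` or `via`, so once the client invokes this check for every response a plain non-redirecting reply is reported as an error too, and the Grab hunk has to compensate by treating the sentinel as success — a coupling nothing at this site makes visible. A comment at the return would keep it honest: `// Reported for every response when redirects are disabled; Grab treats it as success.` If only genuine redirects should trigger it, inspecting `res` (its status or `Location` header) before returning would avoid the special case downstream. The closure body continues past the hunk.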
@@ -531,6 +533,8 @@ func (scan *scan) Grab() *zgrab2.ScanError { } if err != nil { switch err { + case ErrDoNotRedirect: + break case ErrRedirLocalhost: break case ErrTooManyRedirects:
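Review bot: `case ErrDoNotRedirect: break` silences the sentinel, but since the client.go hunk returns it together with the response, whatever follows the switch must still treat that response as the scan result and close its body; only the head of that logic is visible here, so please confirm it does. The `break` is a no-op in a Go switch (cases do not fall through) and is presumably kept for symmetry with `ErrRedirLocalhost`; a comment would explain the intent better: `case ErrDoNotRedirect: // MaxRedirects == 0: the first response is the result`. Grab begins and ends outside the hunk.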