
fix(http): host var scope across multi-request URLs #7064

Draft
dwisiswant0 wants to merge 2 commits into dev from
dwisiswant0/fix/http/host-var-scope-across-multi-request-URLs


@dwisiswant0
Member

@dwisiswant0 dwisiswant0 commented Feb 27, 2026

Proposed changes

In multi-request HTTP templates, request-scoped
host variables could inherit state from the
original input target, and absolute URL requests
could inherit queryparams from input URL.

Fixes #7062

Proof

before:

$ ./bin/nuclei-3.7.0 -silent -t integration_tests/protocols/http/multi-request-host-variable-scope.yaml -u "http://scanme.sh/?foo=bar"
# no results

after (this patch):

$ ./bin/nuclei -silent -t integration_tests/protocols/http/multi-request-host-variable-scope.yaml -u "http://scanme.sh/?foo=bar"
[http-multi-request-host-variable-scope] [http] [info] http://honey.scanme.sh

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Summary by CodeRabbit

  • Bug Fixes

    • Prevented cross-domain query-parameter leakage — parameters now merge only when request hosts match.
    • Ensured response processing uses the actual formed request URL so reported/mapped URLs match the real request.
  • Tests

    • Added an integration test covering host variable scope in multi-request HTTP scenarios.

@auto-assign auto-assign bot requested a review from dogancanbakir February 27, 2026 09:06
@coderabbitai
Contributor

coderabbitai bot commented Feb 27, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 63268199-3f71-4732-9638-7420ed4a7475

📥 Commits

Reviewing files that changed from the base of the PR and between 85663c9 and 1bfc804.

⛔ Files ignored due to path filters (1)
  • integration_tests/protocols/http/multi-request-host-variable-scope.yaml is excluded by !**/*.yaml
📒 Files selected for processing (3)
  • cmd/integration-test/http.go
  • pkg/protocols/http/build_request.go
  • pkg/protocols/http/request.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • pkg/protocols/http/request.go

Walkthrough

Fixes multi-request HTTP host/parameter leakage: query params are merged only when the evaluated request host equals the input host, and DSL mapping now uses the actual formed request URLs. Adds an integration test to validate host-variable isolation across requests.

Changes

| Cohort / File(s) | Summary |
|---|---|
| HTTP Request Building: pkg/protocols/http/build_request.go | Only merge target URL query parameters into the final request when the evaluated request host equals the input host; otherwise leave request params unchanged. |
| HTTP Response → DSL Mapping: pkg/protocols/http/request.go | Pass the formed URL (actual request URL) into responseToDSLMap instead of the original input URL so host-related DSL variables reflect the evaluated request. |
| Integration Tests: cmd/integration-test/http.go | Added httpMultiRequestHostVariableScope test harness and test case for multi-request host/parameter scoping to ensure variables are isolated per request. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I nibbled at query strings under moonlight bright,
Two hops, two hosts now each take flight,
No more borrowing params from the first in line—
Each URL stands proud, its variables fine. 🥕✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main fix: correcting host variable scope across multi-request URLs in HTTP templates. |
| Linked Issues check | ✅ Passed | The PR fixes the core issue [#7062]: host variables now derive from each request's evaluated URL rather than inheriting from the original input. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to fixing the host variable scoping bug: HTTP request building logic, DSL mapping, and integration tests. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/protocols/http/build_request.go`:
- Around line 255-259: The host comparison using reqURL.Host == parsed.Host can
mismatch equivalent hosts (e.g., example.com vs example.com:80); update the
check to normalize hostnames and ports before merging params: extract hostname
via Hostname() and port via Port() from both reqURL and parsed, treat empty
ports as the scheme default (http->80, https->443), and compare
hostname+effectivePort equality; only when they match call
parsed.Params.Merge(reqURL.Params.Encode()) and assign to reqURL.Params
(referencing reqURL, parsed, parsed.Host, reqURL.Host, finalparams,
Params.Merge, Encode).

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9142eae and 85663c9.

⛔ Files ignored due to path filters (1)
  • integration_tests/protocols/http/multi-request-host-variable-scope.yaml is excluded by !**/*.yaml
📒 Files selected for processing (3)
  • cmd/integration-test/http.go
  • pkg/protocols/http/build_request.go
  • pkg/protocols/http/request.go

Signed-off-by: Dwi Siswanto <git@dw1.io>
In multi-request HTTP templates, request-scoped
host variables could inherit state from the
original input target, and absolute URL requests
could inherit queryparams from input URL.

Fixes #7062

Signed-off-by: Dwi Siswanto <git@dw1.io>
@dwisiswant0 dwisiswant0 force-pushed the dwisiswant0/fix/http/host-var-scope-across-multi-request-URLs branch from 85663c9 to 1bfc804 Compare March 5, 2026 05:51
@neo-by-projectdiscovery-dev

neo-by-projectdiscovery-dev bot commented Mar 5, 2026

Neo - PR Security Review

No security issues found

Highlights

  • Adds conditional check to prevent query parameters from being inherited by cross-domain absolute URLs in multi-request templates
  • Ensures request-scoped host variables are derived from each request's actual URL rather than the original input target
  • Includes integration test to verify host variable scope isolation across multi-request chains
Hardening Notes
  • Consider adding validation in build_request.go:255 to ensure reqURL.Host and parsed.Host comparisons are case-insensitive, as DNS hostnames are case-insensitive per RFC 1035
  • Add bounds checking or sanitization for the requestCount parameter in request.go before using it in fmt.Sprintf to prevent potential format string issues if requestCount comes from untrusted sources

Comment @neo help for available commands. · Open in Neo
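
The host check discussed in the CodeRabbit and Neo comments above, as an added Go example that is not code from this PR or from nuclei. It assumes the standard library's net/url in place of the project's own URL type, and the names defaultPorts, effectiveHostPort and mergeInputParams are hypothetical; the input query parameters are merged only when the lowercased hostname and the effective port of both URLs match.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Scheme default ports, used when a URL carries no explicit port.
var defaultPorts = map[string]string{"http": "80", "https": "443"}

// effectiveHostPort returns the lowercased hostname plus the explicit port,
// or the scheme default when the URL has none.
func effectiveHostPort(u *url.URL) string {
	port := u.Port()
	if port == "" {
		port = defaultPorts[u.Scheme]
	}
	return strings.ToLower(u.Hostname()) + ":" + port
}

// mergeInputParams returns the request URL, adding the input URL's query
// parameters only when both URLs point at the same host and port.
func mergeInputParams(inputURL, requestURL string) (string, error) {
	in, err := url.Parse(inputURL)
	if err != nil {
		return "", err
	}
	req, err := url.Parse(requestURL)
	if err != nil {
		return "", err
	}
	if effectiveHostPort(in) != effectiveHostPort(req) {
		return req.String(), nil // different host: request params stay untouched
	}
	q := req.Query()
	for k, vs := range in.Query() {
		q[k] = append(q[k], vs...)
	}
	req.RawQuery = q.Encode()
	return req.String(), nil
}

func main() {
	// Input target taken from the PR's proof; the request URLs are constructed samples.
	for _, r := range []string{"http://honey.scanme.sh/", "http://SCANME.sh:80/a?x=1", "https://scanme.sh/a"} {
		out, _ := mergeInputParams("http://scanme.sh/?foo=bar", r)
		fmt.Println(r, "->", out)
	}
}
```

A plain `==` on the two Host strings would treat the second sample as a different host, since it differs from the input only in letter case and an explicit default port.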

@dwisiswant0
Member Author

do not merge.

@dwisiswant0 dwisiswant0 marked this pull request as draft March 16, 2026 14:39
@Mzack9999
Member

The reporter confirmed this fixes the issue, all CI checks pass (including Windows), and the code changes look correct. Is there a reason this is on hold?


Development

Successfully merging this pull request may close these issues.

[BUG] http_2_host incorrectly inherits http_1_host value for different domains
