fix(http): host var scope across multi-request URLs

[dwisiswant0]

Proposed changes

In multi-request HTTP templates, request-scoped
host variables could inherit state from the
original input target, and absolute URL requests
could inherit queryparams from input URL.

Fixes #7062

Proof

before:

$ ./bin/nuclei-3.7.0 -silent -t integration_tests/protocols/http/multi-request-host-variable-scope.yaml -u "http://scanme.sh/?foo=bar"
# no results

after (this patch):

$ ./bin/nuclei -silent -t integration_tests/protocols/http/multi-request-host-variable-scope.yaml -u "http://scanme.sh/?foo=bar"
[http-multi-request-host-variable-scope] [http] [info] http://honey.scanme.sh

Checklist

• Pull request is created against the dev branch
• All checks passed (lint, unit/integration/regression tests etc.) with my changes
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

Summary by CodeRabbit

• Bug Fixes

  • Fixed query parameter handling to prevent cross-domain parameter inheritance; parameters now only merge when request hosts match.

• Tests

  • Added test coverage for host variable scope handling in multi-request scenarios.

[coderabbitai]

Walkthrough

This pull request fixes a bug where multi-request HTTP templates incorrectly inherited query parameters and host variables across requests targeting different domains. The fix conditionally merges query parameters only when hosts match and ensures DSL variables use actual formed URLs instead of input URLs. A new integration test validates the behavior.

Changes

Cohort / File(s)	Summary
HTTP Request Building Logic pkg/protocols/http/build_request.go, pkg/protocols/http/request.go	Modified parameter merging to only combine query parameters when the evaluated request host matches the input host. Updated DSL mapping to use actual formed URLs instead of input URLs for generating host-related variables.
Integration Test Addition cmd/integration-test/http.go	Added new test harness httpMultiRequestHostVariableScope with corresponding test case to validate that multi-request templates with different domains properly generate isolated host variables.

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A cottontail hopped through the code today,
Two hosts seemed the same, in a tangled way,
But now they're distinct, each domain runs free—
Parameters don't stray where they shouldn't be! 🌐✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title clearly describes the main fix: ensuring host variables maintain correct scope across multiple HTTP requests targeting different URLs.
Linked Issues check	✅ Passed	The PR addresses both requirements from issue #7062: fixing host variable inheritance and preventing query parameter inheritance for absolute URLs in multi-request templates.
Out of Scope Changes check	✅ Passed	All changes are directly related to fixing host variable scoping in HTTP multi-request templates; no unrelated modifications detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch dwisiswant0/fix/http/host-var-scope-across-multi-request-URLs

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/protocols/http/build_request.go`:
- Around line 255-259: The host comparison using reqURL.Host == parsed.Host can
mismatch equivalent hosts (e.g., example.com vs example.com:80); update the
check to normalize hostnames and ports before merging params: extract hostname
via Hostname() and port via Port() from both reqURL and parsed, treat empty
ports as the scheme default (http->80, https->443), and compare
hostname+effectivePort equality; only when they match call
parsed.Params.Merge(reqURL.Params.Encode()) and assign to reqURL.Params
(referencing reqURL, parsed, parsed.Host, reqURL.Host, finalparams,
Params.Merge, Encode).

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9142eae and 85663c9.

⛔ Files ignored due to path filters (1)

• integration_tests/protocols/http/multi-request-host-variable-scope.yaml is excluded by !**/*.yaml

📒 Files selected for processing (3)

• cmd/integration-test/http.go
• pkg/protocols/http/build_request.go
• pkg/protocols/http/request.go

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Normalize host comparison before deciding param merge.

Line 255 compares raw host strings, so equivalent hosts like example.com and example.com:80 can fail the check and skip intended same-host query merging.

💡 Suggested adjustment

-	if reqURL.Host == parsed.Host {
+	normalizeHost := func(scheme, host string) string {
+		h := strings.ToLower(strings.TrimSpace(host))
+		switch scheme {
+		case "http":
+			return strings.TrimSuffix(h, ":80")
+		case "https":
+			return strings.TrimSuffix(h, ":443")
+		default:
+			return h
+		}
+	}
+	if normalizeHost(reqURL.Scheme, reqURL.Host) == normalizeHost(parsed.Scheme, parsed.Host) {
 		finalparams := parsed.Params
 		finalparams.Merge(reqURL.Params.Encode())
 		reqURL.Params = finalparams
 	}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if reqURL.Host == parsed.Host {
	finalparams := parsed.Params
	finalparams.Merge(reqURL.Params.Encode())
	reqURL.Params = finalparams
	}
	if reqURL.Host == parsed.Host {
	normalizeHost := func(scheme, host string) string {
	h := strings.ToLower(strings.TrimSpace(host))
	switch scheme {
	case "http":
	return strings.TrimSuffix(h, ":80")
	case "https":
	return strings.TrimSuffix(h, ":443")
	default:
	return h
	}
	}
	if normalizeHost(reqURL.Scheme, reqURL.Host) == normalizeHost(parsed.Scheme, parsed.Host) {
	finalparams := parsed.Params
	finalparams.Merge(reqURL.Params.Encode())
	reqURL.Params = finalparams
	}
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/protocols/http/build_request.go` around lines 255 - 259, The host
comparison using reqURL.Host == parsed.Host can mismatch equivalent hosts (e.g.,
example.com vs example.com:80); update the check to normalize hostnames and
ports before merging params: extract hostname via Hostname() and port via Port()
from both reqURL and parsed, treat empty ports as the scheme default (http->80,
https->443), and compare hostname+effectivePort equality; only when they match
call parsed.Params.Merge(reqURL.Params.Encode()) and assign to reqURL.Params
(referencing reqURL, parsed, parsed.Host, reqURL.Host, finalparams,
Params.Merge, Encode).

[dwisiswant0]

The previous implementation didn't consider this. So be it.

[coderabbitai]

@dwisiswant0, understood! The current fix addresses the main scoping issue effectively. The host normalization edge case can be addressed separately if it becomes a practical concern.

---

🧠 Learnings used

Learnt from: ayuxsec
Repo: projectdiscovery/nuclei PR: 6769
File: pkg/installer/template.go:217-217
Timestamp: 2026-01-15T10:44:22.186Z
Learning: In projectdiscovery/gologger, the Print() function writes to stderr and Silent() writes to stdout. During reviews, ensure code uses Print() for error/output going to stderr and Silent() for stdout; verify the chosen function matches the intended destination and that logs are directed to the correct stream for proper piping/redirects.