Fix HTTP redirect boundary limit issue #7065

Open
dei96303-boop wants to merge 2 commits into projectdiscovery:dev from dei96303-boop:fix-redirect-limit

Conversation

dei96303-boop commented Feb 27, 2026

Fixes #5835

Description

Updated the checkMaxRedirects function in pkg/protocols/http/httpclientpool/clientpool.go to use >= instead of > when checking the redirect limit. This ensures the client stops exactly at the maxRedirects limit, preventing unnecessary extra requests and potential infinite loops.

Changes Made

  • Changed len(via) > defaultMaxRedirects to len(via) >= defaultMaxRedirects
  • Changed len(via) > maxRedirects to len(via) >= maxRedirects

Summary by CodeRabbit

  • Bug Fixes

    • Enforced redirect limits so responses stop at the configured maximum instead of allowing an extra redirect.
  • New Features

    • Added a way to clone request context while assigning a custom IP to that cloned context.
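The redirect boundary described above, as an added example that is not part of this PR or of the project's own code: it counts how many requests each comparison lets net/http issue against a constructed transport that redirects forever. checkMaxRedirects here mirrors only the shape of the PR's function; loopingTransport, requestsMade and the example.invalid host are constructed for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
)

// loopingTransport is a constructed stand-in for a server that answers every
// request with a 302 to the next hop, so the chain never ends on its own.
type loopingTransport struct{ hits int }

func (t *loopingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	t.hits++
	h := http.Header{}
	h.Set("Location", "/hop/"+strconv.Itoa(t.hits))
	return &http.Response{StatusCode: http.StatusFound, Header: h, Body: http.NoBody, Request: req}, nil
}

// checkMaxRedirects mirrors the shape of the PR's policy: strict selects the
// >= comparison the PR introduces, otherwise the original > comparison is used.
// net/http passes in via the requests already sent, oldest first.
func checkMaxRedirects(maxRedirects int, strict bool) func(*http.Request, []*http.Request) error {
	return func(req *http.Request, via []*http.Request) error {
		if strict && len(via) >= maxRedirects || !strict && len(via) > maxRedirects {
			return http.ErrUseLastResponse // hand back the last response, stop following
		}
		return nil
	}
}

// requestsMade returns how many requests the client issues before the policy stops it.
func requestsMade(maxRedirects int, strict bool) (int, error) {
	t := &loopingTransport{}
	c := &http.Client{Transport: t, CheckRedirect: checkMaxRedirects(maxRedirects, strict)}
	resp, err := c.Get("http://example.invalid/hop/0") // constructed host; never resolved
	if err != nil {
		return t.hits, err
	}
	resp.Body.Close()
	return t.hits, nil
}

func main() {
	for _, strict := range []bool{false, true} {
		n, err := requestsMade(3, strict)
		fmt.Printf("strict(>=)=%v maxRedirects=3: %d requests issued, err=%v\n", strict, n, err)
	}
}
```

Because via holds the requests already sent, the >= form with a limit of 3 returns after 3 requests (two redirects followed) while the > form issues 4 before stopping.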

auto-assign bot requested a review from dwisiswant0 February 27, 2026 09:53

neo-by-projectdiscovery-dev bot commented Feb 27, 2026

Neo - PR Security Review

No security issues found

Highlights

  • Incremental commit adds input provider and context handling changes
  • Direct struct initialization in hmap.go:192 bypasses NewMetaInput() constructor (causes nil mutex, not exploitable)
  • Original redirect boundary fix (>= comparison) is preserved in clientpool.go
Hardening Notes
  • In pkg/input/provider/list/hmap.go around lines 192-196, replace direct struct initialization &contextargs.MetaInput{Input: URL, CustomIP: ip} with contextargs.NewMetaInput() followed by field assignment to properly initialize the internal mutex and prevent panics in Clone() or GetScanHash() methods
  • The Bengali comment on line 191 ('It is better to handle this through contextargs rather than creating MetaInput directly') acknowledges this should be handled differently - follow through on that insight


coderabbitai bot commented Feb 27, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between b29865c and b7f3c95.

📒 Files selected for processing (2)
  • pkg/input/provider/list/hmap.go
  • pkg/protocols/common/contextargs/contextargs.go

Walkthrough

Small, focused edits: stricter redirect boundary check in the HTTP client pool, direct struct literal creation for MetaInput in the list provider, and a new Context helper method CloneWithIP that returns a context copy with its MetaInput.CustomIP set.

Changes

  • HTTP redirect check (pkg/protocols/http/httpclientpool/clientpool.go)
    Changed checkMaxRedirects comparisons from > to >= for default and configured max-redirect checks, causing http.ErrUseLastResponse when the count equals the limit.
  • MetaInput construction in list provider (pkg/input/provider/list/hmap.go)
    Replaced NewMetaInput + field assignments with a direct MetaInput{...} struct literal when creating entries (sets Input and CustomIP), and calls setItem with the literal.
  • Context helper addition (pkg/protocols/common/contextargs/contextargs.go)
    Added method func (ctx *Context) CloneWithIP(ip string) *Context that clones the context and sets MetaInput.CustomIP to the provided IP. No other logic changed.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I copied a context, set an IP so neat,
Built MetaInput faster—no extra repeat.
Redirects now stop when they reach the line,
Small hops, smart fixes, the code feels fine! ✨

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

  • Linked Issues check (⚠️ Warning)
    Explanation: The pull request addresses HTTP redirect limit boundary conditions, but the linked issue #5835 concerns environment variable handling in dynamic secret files, representing a significant scope mismatch.
    Resolution: Verify the correct linked issue for this pull request; the changes do not implement environment variable handling in dynamic secret files as described in issue #5835.
  • Out of Scope Changes check (⚠️ Warning)
    Explanation: The pull request includes changes to HTTP redirect logic, context cloning with IP, and MetaInput initialization that appear unrelated to the linked issue about environment variables in dynamic secrets.
    Resolution: Clarify the intended scope and link the correct issue; verify whether all file changes (contextargs.go, hmap.go) are necessary for the redirect limit fix or represent scope creep.

✅ Passed checks (3 passed)

  • Description Check (✅ Passed): Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check (✅ Passed): The title 'Fix HTTP redirect boundary limit issue' accurately describes the main change in the pull request, which modifies boundary conditions in the checkMaxRedirects function.
  • Docstring Coverage (✅ Passed): Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.


dei96303-boop changed the title from "Fix: HTTP redirect boundary limit issue (#5838)" to "Fix HTTP redirect boundary limit issue" Feb 27, 2026