fix(http): lost request body on retries & redirects (#6666)

dwisiswant0 · zzyjsj · web-flow · commit 56b6d4272313 · 2025-12-06T16:27:57.000+07:00
* fix(http): lost request body on retries & redirects Updates the HTTP protocol to use `(*retryablehttp.Request).SetBodyString` instead of direct `Body` assignment. This fixes #6665 where the request body was dropped during retries or 307/308 redirects because `GetBody` was not being populated. Thanks to @zzyjsj for reporting the bug in the upstream dependency and the hints! Signed-off-by: Dwi Siswanto <git@dw1.io> * empty: add co-author Co-authored-by: zzy <zzyjsj@users.noreply.github.com> Signed-off-by: Dwi Siswanto <git@dw1.io> --------- Signed-off-by: Dwi Siswanto <git@dw1.io> Co-authored-by: zzy <zzyjsj@users.noreply.github.com>
diff --git a/go.mod b/go.mod
@@ -27,7 +27,7 @@ require (
 	github.com/projectdiscovery/interactsh v1.2.4
 	github.com/projectdiscovery/rawhttp v0.1.90
 	github.com/projectdiscovery/retryabledns v1.0.110
-	github.com/projectdiscovery/retryablehttp-go v1.0.133
+	github.com/projectdiscovery/retryablehttp-go v1.1.0
 	github.com/projectdiscovery/yamldoc-go v1.0.6
 	github.com/remeh/sizedwaitgroup v1.0.0
 	github.com/rs/xid v1.6.0
@@ -270,7 +270,7 @@ require (
 	github.com/k14s/starlark-go v0.0.0-20200720175618-3a5c849cc368 // indirect
 	github.com/kataras/jwt v0.1.10 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.18.1 // indirect
+	github.com/klauspost/compress v1.18.2 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
 	github.com/klauspost/pgzip v1.2.6 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
diff --git a/go.sum b/go.sum
@@ -645,6 +645,8 @@ github.com/kitabisa/go-ci v1.0.3/go.mod h1:e3wBSzaJbcifXrr/Gw2ZBLn44MmeqP5WySwXy
 github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
 github.com/klauspost/compress v1.18.1 h1:bcSGx7UbpBqMChDtsF28Lw6v/G94LPrrbMbdC3JH2co=
 github.com/klauspost/compress v1.18.1/go.mod h1:ZQFFVG+MdnR0P+l6wpXgIL4NTtwiKIdBnrBd8Nrxr+0=
+github.com/klauspost/compress v1.18.2 h1:iiPHWW0YrcFgpBYhsA6D1+fqHssJscY/Tm/y2Uqnapk=
+github.com/klauspost/compress v1.18.2/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
 github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.0.12/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
@@ -875,6 +877,8 @@ github.com/projectdiscovery/retryabledns v1.0.110 h1:24p1PzWBdfsRnGsBf6ZxXPzvK0s
 github.com/projectdiscovery/retryabledns v1.0.110/go.mod h1:GFj5HjxfaGrZeoYf79zI/R99XljBNjmOqNvwOqPepRU=
 github.com/projectdiscovery/retryablehttp-go v1.0.133 h1:uAIGwsRelrS1Ulelyp9qLtZRDTFHixw4O0cUQWLhTJQ=
 github.com/projectdiscovery/retryablehttp-go v1.0.133/go.mod h1:9DU57ezv5cfZSWw/m5XFDTMjy1yKeMyn1kj35lPlcfM=
+github.com/projectdiscovery/retryablehttp-go v1.1.0 h1:uYp3EnuhhamTwvG41X6q6TAc/SHEO9pw9CBWbRASIQk=
+github.com/projectdiscovery/retryablehttp-go v1.1.0/go.mod h1:9DU57ezv5cfZSWw/m5XFDTMjy1yKeMyn1kj35lPlcfM=
 github.com/projectdiscovery/sarif v0.0.1 h1:C2Tyj0SGOKbCLgHrx83vaE6YkzXEVrMXYRGLkKCr/us=
 github.com/projectdiscovery/sarif v0.0.1/go.mod h1:cEYlDu8amcPf6b9dSakcz2nNnJsoz4aR6peERwV+wuQ=
 github.com/projectdiscovery/stringsutil v0.0.2 h1:uzmw3IVLJSMW1kEg8eCStG/cGbYYZAja8BH3LqqJXMA=
diff --git a/pkg/protocols/http/build_request.go b/pkg/protocols/http/build_request.go
@@ -28,7 +28,6 @@ import (
 	"github.com/projectdiscovery/rawhttp"
 	"github.com/projectdiscovery/retryablehttp-go"
 	"github.com/projectdiscovery/utils/errkit"
-	readerutil "github.com/projectdiscovery/utils/reader"
 	stringsutil "github.com/projectdiscovery/utils/strings"
 	urlutil "github.com/projectdiscovery/utils/url"
 )
@@ -466,11 +465,9 @@ func (r *requestGenerator) fillRequest(req *retryablehttp.Request, values map[st
 		if err != nil {
 			return nil, errkit.Wrap(err, "could not evaluate helper expressions")
 		}
-		bodyReader, err := readerutil.NewReusableReadCloser([]byte(body))
-		if err != nil {
-			return nil, errors.Wrap(err, "failed to create reusable reader for request body")
+		if err := req.SetBodyString(body); err != nil {
+			return nil, errors.Wrap(err, "failed to set request body")
 		}
-		req.Body = bodyReader
 	}
 	if !r.request.Unsafe {
 		userAgent := useragent.PickRandom()

-Original file line number
+Diff line change
 	github.com/projectdiscovery/interactsh v1.2.4
 	github.com/projectdiscovery/rawhttp v0.1.90
 	github.com/projectdiscovery/retryabledns v1.0.110
 -	github.com/projectdiscovery/retryablehttp-go v1.0.133
 +	github.com/projectdiscovery/retryablehttp-go v1.1.0
 	github.com/projectdiscovery/yamldoc-go v1.0.6
 	github.com/remeh/sizedwaitgroup v1.0.0
 	github.com/rs/xid v1.6.0
 	github.com/k14s/starlark-go v0.0.0-20200720175618-3a5c849cc368 // indirect
 	github.com/kataras/jwt v0.1.10 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 -	github.com/klauspost/compress v1.18.1 // indirect
 +	github.com/klauspost/compress v1.18.2 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
 	github.com/klauspost/pgzip v1.2.6 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,6 @@ import (`
`28`	`28`	`"github.com/projectdiscovery/rawhttp"`
`29`	`29`	`"github.com/projectdiscovery/retryablehttp-go"`
`30`	`30`	`"github.com/projectdiscovery/utils/errkit"`
`31`		`- readerutil "github.com/projectdiscovery/utils/reader"`
`32`	`31`	`stringsutil "github.com/projectdiscovery/utils/strings"`
`33`	`32`	`urlutil "github.com/projectdiscovery/utils/url"`
`34`	`33`	`)`
`@@ -466,11 +465,9 @@ func (r requestGenerator) fillRequest(req retryablehttp.Request, values map[st`
`466`	`465`	`if err != nil {`
`467`	`466`	`return nil, errkit.Wrap(err, "could not evaluate helper expressions")`
`468`	`467`	`}`
`469`		`- bodyReader, err := readerutil.NewReusableReadCloser([]byte(body))`
`470`		`- if err != nil {`
`471`		`- return nil, errors.Wrap(err, "failed to create reusable reader for request body")`
	`468`	`+ if err := req.SetBodyString(body); err != nil {`
	`469`	`+ return nil, errors.Wrap(err, "failed to set request body")`
`472`	`470`	`}`
`473`		`- req.Body = bodyReader`
`474`	`471`	`}`
`475`	`472`	`if !r.request.Unsafe {`
`476`	`473`	`userAgent := useragent.PickRandom()`