fix: preserve trailing slash in URLs and prevent path normalization

Author: devploit

cmd/api.go

@@ -4,8 +4,6 @@ import (
 	"bufio"
 	"crypto/tls"
 	"fmt"
-	"github.com/fatih/color"
-	"github.com/slicingmelon/go-rawurlparser"
 	"io"
 	"log"
 	"net"
@@ -15,6 +13,8 @@ import (
 	"os"
 	"strings"
 	"time"
+
+	"github.com/fatih/color"
 )
 
 // parseFile reads a file given its filename and returns a list containing each of its lines.
@@ -85,19 +85,17 @@ func request(method, uri string, headers []header, proxy *url.URL, rateLimit boo
 	}
 
 	// Use  raw URL parser instead
-	parsedURL, err := rawurlparser.RawURLParse(uri)
+	parsedURL, err := url.Parse(uri)
 	if err != nil {
 		log.Println(err)
 	}
 
-	// Create new request
+	parsedURL.RawPath = parsedURL.Path
+
 	req := &http.Request{
 		Method: method,
-		URL: &url.URL{
-			Scheme: parsedURL.Scheme,
-			Host:   parsedURL.Host,
-			Opaque: parsedURL.Path,
-		},
+		Host:   parsedURL.Host,
+		URL:    parsedURL,
 		Header: make(http.Header),
 		Close:  true,
 	}

cmd/requester.go

@@ -15,7 +15,6 @@ import (
 	"unicode"
 
 	"github.com/fatih/color"
-	"github.com/slicingmelon/go-rawurlparser"
 	"github.com/zenthangplus/goccm"
 )
 
@@ -503,7 +502,7 @@ func requestEndPaths(options RequestOptions) {
 		go func(line string) {
 			defer w.Done()
 
-			statusCode, response, err := request(options.method, options.uri+line, options.headers, options.proxy, options.rateLimit, options.timeout, options.redirect)
+			statusCode, response, err := request(options.method, joinURL(options.uri, line), options.headers, options.proxy, options.rateLimit, options.timeout, options.redirect)
 			if err != nil {
 				log.Println(err)
 			}
@@ -515,7 +514,7 @@ func requestEndPaths(options RequestOptions) {
 			}
 
 			result := Result{
-				line:          options.uri + line,
+				line:          joinURL(options.uri, line),
 				statusCode:    statusCode,
 				contentLength: len(response),
 				defaultReq:    false,
@@ -538,7 +537,7 @@ func requestMidPaths(options RequestOptions) {
 	x := strings.Split(options.uri, "/")
 	var uripath string
 
-	parsedURL, err := rawurlparser.RawURLParse(options.uri)
+	parsedURL, err := url.Parse(options.uri)
 	if err != nil {
 		log.Println(err)
 	}
@@ -595,7 +594,7 @@ func requestMidPaths(options RequestOptions) {
 func requestDoubleEncoding(options RequestOptions) {
 	color.Cyan("\n━━━━━━━━━━━━━━━ DOUBLE-ENCODING ━━━━━━━━━━━━━━")
 
-	parsedURL, err := rawurlparser.RawURLParse(options.uri)
+	parsedURL, err := url.Parse(options.uri)
 	if err != nil {
 		log.Println(err)
 		return
@@ -725,7 +724,7 @@ func parseCurlOutput(output string, httpVersion string) Result {
 func requestPathCaseSwitching(options RequestOptions) {
 	color.Cyan("\n━━━━━━━━━━━━ PATH CASE SWITCHING ━━━━━━━━━━━━━")
 
-	parsedURL, err := rawurlparser.RawURLParse(options.uri)
+	parsedURL, err := url.Parse(options.uri)
 	if err != nil {
 		log.Println(err)
 		return
@@ -830,6 +829,17 @@ func randomLine(filePath string) (string, error) {
 	return randomLine, nil
 }
 
+// joinURL safely joins a base URL and a path, preserving slashes
+func joinURL(base string, path string) string {
+	if !strings.HasSuffix(base, "/") && !strings.HasPrefix(path, "/") {
+		return base + "/" + path
+	}
+	if strings.HasSuffix(base, "/") && strings.HasPrefix(path, "/") {
+		return base + path[1:]
+	}
+	return base + path
+}
+
 // requester is the main function that runs all the tests.
 func requester(uri string, proxy string, userAgent string, reqHeaders []string, bypassIP string, folder string, method string, verbose bool, techniques []string, banner bool, rateLimit bool, timeout int, redirect bool, randomAgent bool) {
 	// Set up proxy if provided.

go.mod

@@ -4,11 +4,9 @@ go 1.19
 
 require (
 	github.com/fatih/color v1.18.0
-	github.com/slicingmelon/go-rawurlparser v0.2.8
 	github.com/spf13/cobra v1.5.0
 	github.com/spf13/viper v1.13.0
 	github.com/zenthangplus/goccm v1.1.2
-	github.com/slicingmelon/go-rawurlparser v0.2.8
 )
 
 require (