From 80fc1f22540ad119d595e55b77b2b2ad6b3d96d7 Mon Sep 17 00:00:00 2001
From: gitolicious <26963495+gitolicious@users.noreply.github.com>
Date: Thu, 14 Dec 2023 09:34:14 +0100
Subject: [PATCH] fix(install): Limit HTTP redirects
---
 CHANGELOG.md | 1 +
 lib/install.ps1 | 10 ++++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bf8ec0b3a5..2320f4d136 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -40,6 +40,7 @@
 - **scoop-reset:** Don't abort when multiple apps are passed and an app is running ([#5687](https://github.com/ScoopInstaller/Scoop/issues/5687))
 - **core:** Do not call `scoop` externally from inside the code ([#5695](https://github.com/ScoopInstaller/Scoop/issues/5695))
 - **scoop-checkup:** Don't throw 7zip error when external 7zip is used ([#5703](https://github.com/ScoopInstaller/Scoop/issues/5703))
+- **install:** Limit HTTP redirects ([#5757](https://github.com/ScoopInstaller/Scoop/issues/5757))
 ### Performance Improvements
diff --git a/lib/install.ps1 b/lib/install.ps1
index 519c26403d..4a099a3b3f 100644
--- a/lib/install.ps1
+++ b/lib/install.ps1
@@ -1,3 +1,5 @@
+$MaxRedirectCount = 20
+
 function nightly_version($quiet = $false) {
 if (!$quiet) {
 warn "This is a nightly version. Downloaded files won't be verified."
@@ -355,7 +357,7 @@ function Invoke-CachedAria2Download ($app, $version, $manifest, $architecture, $
 }
 # download with filesize and progress indicator
-function Invoke-Download ($url, $to, $cookies, $progress) {
+function Invoke-Download ($url, $to, $cookies, $progress, $redirectCount = 0) {
 $reqUrl = ($url -split '#')[0]
 $wreq = [Net.WebRequest]::Create($reqUrl)
 if ($wreq -is [Net.HttpWebRequest]) {
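Review bot: `$MaxRedirectCount = 20` at the top of lib/install.ps1 is added without a comment and as an ordinary mutable variable, so nothing states what it bounds or who may change it. Invoke-Download reads it by name further down the file; if a calling scope defines a variable of the same name, that value would presumably be used instead, which is an inference from PowerShell scoping rather than something visible in this hunk. I would add a comment above it, `# Maximum number of HTTP redirects Invoke-Download follows before aborting (guards against redirect loops).`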
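Review bot: The new fifth parameter `$redirectCount = 0` on Invoke-Download is untyped and positional, so any caller can pass an arbitrary value, and the comment above the function does not say it is internal bookkeeping for the recursion. Typing it, `function Invoke-Download ($url, $to, $cookies, $progress, [int]$redirectCount = 0) {`, makes a non-numeric argument fail at parameter binding instead of inside the later comparison. A line such as `# $redirectCount: redirects already followed; internal, callers leave it at 0` would document the contract. The function body continues outside this hunk.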
@@ -396,6 +398,10 @@ function Invoke-Download ($url, $to, $cookies, $progress) {
 throw $exc
 }
+ if ($redirectCount++ -ge $MaxRedirectCount) {
+ throw "Exceeded maximum redirect limit. Aborting."
+ }
+
 # Get the new location of the file
 if ((-not $redirectRes.Headers) -or ($redirectRes.Headers -notcontains 'Location')) {
 throw $exc
@@ -410,7 +416,7 @@ function Invoke-Download ($url, $to, $cookies, $progress) {
 $newUrl = "$newUrl#/$postfix"
 }
- Invoke-Download $newUrl $to $cookies $progress
+ Invoke-Download $newUrl $to $cookies $progress $redirectCount
 return
 }
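Review bot: The added `throw "Exceeded maximum redirect limit. Aborting."` names neither the URL nor the limit, and unlike the neighbouring branches it does not rethrow `$exc`, so a redirect loop surfaces with no indication of which download hit it. Consider `throw "Exceeded maximum redirect limit ($MaxRedirectCount) while downloading '$reqUrl'. Aborting."`. The post-increment in `$redirectCount++ -ge $MaxRedirectCount` compares the old value, so exactly `$MaxRedirectCount` redirects are followed before the throw; a one-line comment saying so would save the next reader the arithmetic. The enclosing function starts and ends outside the hunk.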
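Review bot: The recursive call `Invoke-Download $newUrl $to $cookies $progress $redirectCount` still hands `$cookies` unchanged to whatever `$newUrl` the server's Location header produced, so the new cap bounds the length of the chain but not where the cookies are sent. How `$newUrl` is built and how the cookies are attached to the request lie outside this hunk, so this needs confirming there. If the target can be on another host or drop from https to http, the cookies should be withheld, e.g. `$nextCookies = if (([uri]$newUrl).Host -eq ([uri]$reqUrl).Host) { $cookies } else { $null }`, then pass `$nextCookies` in the call. That sketch assumes `$newUrl` is absolute at this point and that Invoke-Download accepts `$null` cookies.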