fix(install): Limit HTTP redirects

CHANGELOG.md

@@ -40,6 +40,7 @@
 - **scoop-reset:** Don't abort when multiple apps are passed and an app is running ([#5687](https://github.com/ScoopInstaller/Scoop/issues/5687))
 - **core:** Do not call `scoop` externally from inside the code ([#5695](https://github.com/ScoopInstaller/Scoop/issues/5695))
 - **scoop-checkup:** Don't throw 7zip error when external 7zip is used ([#5703](https://github.com/ScoopInstaller/Scoop/issues/5703))
+- **install:** Limit HTTP redirects ([#5757](https://github.com/ScoopInstaller/Scoop/issues/5757))
 
 ### Performance Improvements
 

lib/install.ps1

@@ -1,3 +1,5 @@
+$MaxRedirectCount = 20
+
 function nightly_version($quiet = $false) {
     if (!$quiet) {
         warn "This is a nightly version. Downloaded files won't be verified."
@@ -355,7 +357,7 @@ function Invoke-CachedAria2Download ($app, $version, $manifest, $architecture, $
 }
 
 # download with filesize and progress indicator
-function Invoke-Download ($url, $to, $cookies, $progress) {
+function Invoke-Download ($url, $to, $cookies, $progress, $redirectCount = 0) {
     $reqUrl = ($url -split '#')[0]
     $wreq = [Net.WebRequest]::Create($reqUrl)
     if ($wreq -is [Net.HttpWebRequest]) {
@@ -396,6 +398,10 @@ function Invoke-Download ($url, $to, $cookies, $progress) {
             throw $exc
         }
 
+        if ($redirectCount++ -ge $MaxRedirectCount) {
+            throw "Exceeded maximum redirect limit. Aborting."
+        }
+
         # Get the new location of the file
         if ((-not $redirectRes.Headers) -or ($redirectRes.Headers -notcontains 'Location')) {
             throw $exc
@@ -410,7 +416,7 @@ function Invoke-Download ($url, $to, $cookies, $progress) {
             $newUrl = "$newUrl#/$postfix"
         }
 
-        Invoke-Download $newUrl $to $cookies $progress
+        Invoke-Download $newUrl $to $cookies $progress $redirectCount
         return
     }