
fix(http11): pin retry fallback to HTTP/1.1 transport#2440

Open
Tianlin0725 wants to merge 1 commit into projectdiscovery:dev from Tianlin0725:fix-2240-http11-fallback

Conversation

@Tianlin0725

@Tianlin0725 Tianlin0725 commented Mar 6, 2026

Summary

This PR fixes #2240 by ensuring -pr http11 remains protocol-pinned even on retry fallback paths.

Problem

When HTTP/1.1 is forced, retryablehttp could still switch to its HTTPClient2 fallback on malformed HTTP/2 errors, which breaks explicit protocol pinning expectations.

Solution

  • Keep existing HTTP/1.1 transport hardening (GODEBUG=http2client=0 + TLSNextProto disable).
  • Additionally pin retry fallback to the same HTTP/1.1 client when Protocol == HTTP11:
    • httpx.client.HTTPClient2 = httpx.client.HTTPClient

This preserves retry behavior while preventing unintended protocol upgrade fallback.

Tests

Added unit test:

  • TestNew_HTTP11DisablesRetryableHTTP2Fallback

Local verification:

  • go test ./common/httpx -run TestNew_HTTP11DisablesRetryableHTTP2Fallback -count=1
  • go test ./common/httpx -count=1

/claim #2240

Summary by CodeRabbit

  • Bug Fixes
    • Fixed HTTP/1.1 protocol pinning to prevent unintended fallback to HTTP/2 when explicitly requested while maintaining retry and connection reuse capabilities.

@auto-assign auto-assign bot requested a review from Mzack9999 March 6, 2026 17:21
@neo-by-projectdiscovery-dev

neo-by-projectdiscovery-dev bot commented Mar 6, 2026

Neo - PR Security Review

No security issues found

Highlights

  • Fixes HTTP/1.1 protocol pinning by setting HTTPClient2 to the same HTTP/1.1 client when Protocol == HTTP11
  • Prevents retryablehttp-go from falling back to HTTP/2 on malformed HTTP/2 errors, ensuring explicit protocol selection is honored
  • Adds unit test to verify HTTP/1.1 mode uses the same client for both HTTPClient and HTTPClient2
Hardening Notes
  • Consider adding integration tests that verify protocol pinning behavior against real servers that send malformed HTTP/2 responses
  • Document the security rationale for protocol pinning in code comments to help future maintainers understand why HTTPClient2 must match HTTPClient in HTTP/1.1 mode


@coderabbitai

coderabbitai bot commented Mar 6, 2026

Walkthrough

The changes add protocol pinning logic to prevent HTTP/2 fallback when HTTP/1.1 is explicitly requested in the HTTPX client initialization, along with a test to validate that retry mechanisms still work without switching transports.

Changes

  • HTTP/1.1 Protocol Pinning (common/httpx/httpx.go): conditional logic added to the New function that assigns HTTPClient2 to HTTPClient when HTTP/1.1 protocol is forced, preventing fallback to HTTP/2 while maintaining retry capabilities.
  • Test Coverage (common/httpx/http11_fallback_test.go): new test validating that forcing HTTP/1.1 protocol disables the HTTP/2 fallback mechanism and that both HTTPClient and HTTPClient2 reference the same transport instance.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A protocol pinned with care so true,
HTTP/1.1, we stick with you!
No fallback tricks to change our way,
One transport rules the test-checked day! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 50.00% which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

  • Title check: ✅ Passed. The pull request title accurately summarizes the main change: pinning the retry fallback to HTTP/1.1 transport to prevent unintended protocol upgrades when HTTP/1.1 is forced.
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
common/httpx/http11_fallback_test.go (1)

20-22: Prefer a behavior-based assertion over internal pointer equality.

require.Same proves the constructor wired two fields together, but it doesn't prove the malformed-HTTP/2 retry path actually stays on HTTP/1.1. A regression in retryablehttp-go's fallback logic could still slip through this test.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@common/httpx/http11_fallback_test.go` around lines 20 - 22, The test
currently uses require.Same(ht.client.HTTPClient, ht.client.HTTPClient2) which
only asserts pointer equality; change this to a behavior-based assertion that
the malformed-HTTP/2 retry actually used HTTP/1.1: trigger the retry path via
the existing test harness (ht and ht.client), capture the actual
request/response metadata from the server or the client's RoundTripper hook, and
assert the protocol used (e.g., check Request.Proto or a recorded transport tag)
equals "HTTP/1.1" and that the retry went through the original client/transport
rather than an HTTP/2 transport; update assertions in http11_fallback_test.go to
reference ht, ht.client, and the recorded request/transport info instead of
require.Same.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@common/httpx/http11_fallback_test.go`:
- Around line 9-14: TestNew_HTTP11DisablesRetryableHTTP2Fallback calls New which
mutates the process-wide GODEBUG; save the original GODEBUG value before calling
New and restore it after the test (use os.Getenv to capture and defer restoring
with os.Setenv or os.Unsetenv as appropriate) so the test does not leak
http2client=0 to other tests; update
TestNew_HTTP11DisablesRetryableHTTP2Fallback to perform this save/restore around
the call to New.

---

Nitpick comments:
In `@common/httpx/http11_fallback_test.go`:
- Around line 20-22: The test currently uses require.Same(ht.client.HTTPClient,
ht.client.HTTPClient2) which only asserts pointer equality; change this to a
behavior-based assertion that the malformed-HTTP/2 retry actually used HTTP/1.1:
trigger the retry path via the existing test harness (ht and ht.client), capture
the actual request/response metadata from the server or the client's
RoundTripper hook, and assert the protocol used (e.g., check Request.Proto or a
recorded transport tag) equals "HTTP/1.1" and that the retry went through the
original client/transport rather than an HTTP/2 transport; update assertions in
http11_fallback_test.go to reference ht, ht.client, and the recorded
request/transport info instead of require.Same.


📥 Commits

Reviewing files that changed from the base of the PR and between ed0f6af and 3549307.

📒 Files selected for processing (2)
  • common/httpx/http11_fallback_test.go
  • common/httpx/httpx.go

Comment on lines +9 to +14
func TestNew_HTTP11DisablesRetryableHTTP2Fallback(t *testing.T) {
	opts := DefaultOptions
	opts.Protocol = HTTP11

	ht, err := New(&opts)
	require.NoError(t, err)


⚠️ Potential issue | 🟠 Major

Restore GODEBUG after this test.

New mutates the process-wide GODEBUG when HTTP11 is forced, so this test can leak http2client=0 into later cases and make the suite order-dependent.

💡 Proposed fix
 import (
+	"os"
 	"testing"
 
 	"github.com/stretchr/testify/require"
 )
 
 func TestNew_HTTP11DisablesRetryableHTTP2Fallback(t *testing.T) {
+	origGODEBUG, hadGODEBUG := os.LookupEnv("GODEBUG")
+	t.Cleanup(func() {
+		if hadGODEBUG {
+			_ = os.Setenv("GODEBUG", origGODEBUG)
+		} else {
+			_ = os.Unsetenv("GODEBUG")
+		}
+	})
+
 	opts := DefaultOptions
 	opts.Protocol = HTTP11
 
 	ht, err := New(&opts)
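Review bot: the nine-line LookupEnv/Cleanup block at the top of the test body can be collapsed to `t.Setenv("GODEBUG", os.Getenv("GODEBUG"))`, which records whether the variable was set and restores or unsets it in Cleanup by itself; the trade-off is that t.Setenv panics when the test or a parent has called t.Parallel, so keep the manual form if this package runs tests in parallel. Either way, restoring GODEBUG only protects tests that have not yet built a transport: any net/http Transport that already initialised its HTTP/2 decision in this process keeps it, so a comment on that limitation would help the next reader of http11_fallback_test.go.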


Development

Successfully merging this pull request may close these issues.

-pr http11 flag is ignored on retryablehttp-go due to HTTP/2 fallback
