Fixes a few issues with redirects (#462)

Cherry-pick: 8981417

* Fixes a few issues with redirects

First, this prevents a DNS lookup from happening when we encounter a
redirect, *even if we don't intend to follow it*. This likely addresses
some part of #452

Second, if we aren't following redirects, don't have the scan fail in an
'application-error'. We are succeeding in what we intended to do, which
is to scan without following redirects

* Make sure to check redirects before we loop through and parse the host

Properly handle no redirects wanted to return success

* Handle 0 indexing

* Pull out the original checkRedirectCode so we deal with consistently

* lint

* add redirect fix to ipp module

---------

Co-authored-by: Phillip Stephens <phillip@cs.stanford.edu>
Co-authored-by: Zakir Durumeric <zakird@gmail.com>

Author: phillip-stephens

lib/http/client.go

@@ -637,8 +637,9 @@ func (c *Client) do(req *Request) (retres *Response, reterr error) {
 	for {
 		// For all but the first request, create the next
 		// request hop and replace req.
+		loc := req.URL.String()
 		if len(reqs) > 0 {
-			loc := resp.Header.Get("Location")
+			loc = resp.Header.Get("Location")
 			if loc == "" {
 				// While most 3xx responses include a Location, it is not
 				// required and 3xx responses without a Location have been

modules/http/scanner.go

@@ -316,6 +316,9 @@ func (scan *scan) getCheckRedirect() func(*http.Request, *http.Response, []*http
 		if len(via)-1 > scan.scanner.config.MaxRedirects {
 			return ErrTooManyRedirects
 		}
+		if !scan.scanner.config.FollowLocalhostRedirects && redirectsToLocalhost(req.URL.Hostname()) {
+			return ErrRedirLocalhost
+		}
 		// We're following a re-direct. The IP that the framework resolved initially is no longer valid. Clearing
 		scan.target.IP = nil
 		scan.results.RedirectResponseChain = append(scan.results.RedirectResponseChain, res)