fix(http): race condition regression

[dwisiswant0]

Proposed changes

fix(http): race condition regression

The race condition directive was broken due to
a strict dependency on threads > 0 for parallel
execution, causing templates with race directive
enabled but no explicit threads to fall back to
seq execution.

This regression was introduced in v3.2.0 (#4868),
which restricted parallel execution to only when
payloads were present.

Fixes #5713 to allow race conditions even w/o
explicit payloads, and add a default thread
count when race is enabled but threads is 0.

Proof

Server:

# server.py
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
import time
import sys

class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        time.sleep(2)
        self.send_response(200)
        self.send_header('Content-type', 'text/plain')
        self.end_headers()
        self.wfile.write(b"hi")
    
    def log_message(self, format, *args):
        sys.stderr.write("%s - - [%s] %s\n" %
                         (self.client_address[0],
                          self.log_date_time_string(),
                          format%args))

port = 8000
server_address = ('', port)
httpd = ThreadingHTTPServer(server_address, SimpleHTTPRequestHandler)

print(f"Starting server on port {port}...")
httpd.serve_forever()

# tty1
$ python3 repro_server.py 

# tty2
$ make build
$ ./bin/nuclei -u http://localhost:8000 -t integration_tests/protocols/http/race-condition-with-delay.yaml

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.6.2

		projectdiscovery.io

[INF] Current nuclei version: v3.6.2 (unknown) - remove '-duc' flag to enable update checks
[INF] Current nuclei-templates version: v10.3.6 (unknown) - remove '-duc' flag to enable update checks
[INF] New templates added in latest release: 176
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[race-condition-with-delay] [http] [info] http://localhost:8000
[race-condition-with-delay] [http] [info] http://localhost:8000
[race-condition-with-delay] [http] [info] http://localhost:8000
[INF] Scan completed in 4.206803862s. 3 matches found.

tty2 stdio:

Starting server on port 8000...
127.0.0.1 - - [03/Jan/2026 22:02:29] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [03/Jan/2026 22:02:29] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [03/Jan/2026 22:02:31] "GET / HTTP/1.1" 200 -

Checklist

• Pull request is created against the dev branch
• All checks passed (lint, unit/integration/regression tests etc.) with my changes
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

Summary by CodeRabbit

• New Features

  • Added HTTP race-condition test case that validates concurrent request timing and verifies proper delay handling between requests.

• Improvements

  • Enhanced parallel HTTP request execution to properly support race-condition scenarios in addition to payload-based parallelization.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Fixes HTTP race condition execution by adding the Race flag to the parallel execution trigger condition in ExecuteWithResults. Introduces integration test validating concurrent request timing behavior to ensure race-condition functionality works correctly.

Changes

Cohort / File(s)	Summary
Core HTTP execution logic pkg/protocols/http/request.go	Enhances parallel execution trigger: now activates when Threads > 0 AND (Payloads present OR Race flag true), enabling parallel processing for race-based flows without payloads
Integration test for race conditions cmd/integration-test/http.go	Adds httpRaceWithDelay test type with Execute() method; imports sync for mutex-protected request timestamp recording; registers new test case race-condition-with-delay.yaml to validate concurrent vs. delayed request behavior with timing assertions

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A race condition mended with care,
Two requests now fly through the air!
The mutex keeps time in a lock,
While delays tick-tock, tick-tock,
Concurrent dreams fulfilled fair and square! 🏃‍♂️✨

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix(http): race condition regression' is directly related to the main change, which restores the race condition functionality that was broken in v3.2.0.
Linked Issues check	✅ Passed	The PR successfully addresses the linked issue #5713 by restoring race condition functionality when threads=0 and adding integration tests for concurrent request behavior.
Out of Scope Changes check	✅ Passed	All changes are directly related to fixing the race condition regression described in #5713; modifications to http.go and request.go are necessary to restore the expected behavior.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dbeebda and 46c183e.

⛔ Files ignored due to path filters (1)

• integration_tests/protocols/http/race-condition-with-delay.yaml is excluded by !**/*.yaml

📒 Files selected for processing (2)

• cmd/integration-test/http.go
• pkg/protocols/http/request.go

🧰 Additional context used

📓 Path-based instructions (2)

**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.go: Format Go code using go fmt ./...
Run static analysis using go vet ./... on Go code

Files:

• pkg/protocols/http/request.go
• cmd/integration-test/http.go

pkg/protocols/**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

pkg/protocols/**/*.go: Each protocol implementation should implement the Request interface with Compile(), ExecuteWithResults(), Match(), and Extract() methods
Protocol implementations should embed Operators for matching/extraction functionality

Files:

• pkg/protocols/http/request.go

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Lint

🔇 Additional comments (3)

pkg/protocols/http/request.go (1)

504-506: LGTM! Fix correctly restores race condition parallel execution.

The added || request.Race condition allows race templates with threads > 0 but no explicit payloads to enter parallel execution mode, addressing the regression introduced in v3.2.0.

cmd/integration-test/http.go (2)

14-14: LGTM!

The sync import is necessary for the mutex used in the new race delay test.

---

66-66: LGTM!

Test case registration follows the existing pattern and is appropriately placed alongside other race condition tests.