Using comma delimited wordlists, and multiple parameters isn't working as intended

[codingo]

For the sake of the tests below domains.txt contains only "codingo" and wordlist.txt contains only "admin".

When specifying a wordlist, you can specify a variable to fuzz with using:

-w ./wordlist.txt:W1

Where W1 is our insertion point. In addition, FFUF allows you to specify multiple wordlists in a comma delimited fashion. If we put the two together, we have something like:

ffuf -u https://W2.io/W1 -w ./wordlist.txt:W1, ./domains.txt:W2

Unfortunately, this isn't accepted, throwing the error:

Encountered error(s): 1 errors occurred.
* Keyword W1, defined, but not found in headers, method, URL or POST data.

However if we remove the comma delimited w flag, and use it a second time, this works as intended:

ffuf -u https://W2.io/W1 -w ./wordlist.txt:W1 -w ./domains.txt:W2

This appears to be a bug in the input sanitisation of parameters, and likely an easy first issue for somebody to tackle.

[joohoi]

I don't think comma separation of multiple wordlists has been a feature (at least not intentionally), but I do agree that it would make sense to have it. Definitely something that would be rather easy to tackle. I'll add a good-first-issue label to this, so if anyone wants to get started with contributing it would serve as an easy introduction to the codebase.

[codingo]

Awesome, offering a bounty for this one here https://twitter.com/codingo_/status/1304919422713249792

If nobody claims it I'll try to get the time next week to solve this.