github_mirrors/attachment
3
0
Fork 1
mirror of https://github.com/openappsec/attachment.git synced 2025-12-31 05:39:07 +03:00
Code Issues Packages Projects Releases Wiki Activity

ctx.timeout_passthrough

Browse Source
This commit is contained in:
wiaamm
2025-12-07 22:38:11 +02:00
parent 704b3800b3
commit 01ca55a45b
1 changed files with 9 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua
View File

@@ -223,15 +223,13 @@ function NanoHandler.body_filter(conf)
ctx.body_filter_start_time = ngx.now() ctx.body_filter_start_time = ngx.now()
end end
local elapsed_time = ngx.now() - ctx.body_filter_start_time local elapsed_time = ngx.now() - ctx.body_filter_start_time
if elapsed_time > 150 then if elapsed_time > 150 and not ctx.timeout_passthrough then
kong.log.warn("Body filter timeout after ", elapsed_time, " seconds - failing open") kong.log.warn("Body filter timeout after ", elapsed_time, " seconds - failing open")
ctx.cleanup_needed = true
ctx.timeout_passthrough = true ctx.timeout_passthrough = true
return
end end
-- If timeout occurred, skip nano inspection but still process chunks
if chunk and #chunk > 0 then if not ctx.timeout_passthrough and chunk and #chunk > 0 then
ctx.body_buffer_chunk = ctx.body_buffer_chunk or 0 ctx.body_buffer_chunk = ctx.body_buffer_chunk or 0
ctx.body_seen = true ctx.body_seen = true
@@ -252,13 +250,10 @@ function NanoHandler.body_filter(conf)
ngx.arg[2] = true ngx.arg[2] = true
return nano.handle_custom_response(session_data, response) return nano.handle_custom_response(session_data, response)
end end
nano.free_all_responses()
nano.free_all_nano_str()
end end
if eof then if eof then
if ctx.body_seen or ctx.expect_body == false then if not ctx.timeout_passthrough and (ctx.body_seen or ctx.expect_body == false) then
local verdict, response = nano.end_inspection(session_id, session_data, nano.HttpChunkType.HTTP_RESPONSE_END) local verdict, response = nano.end_inspection(session_id, session_data, nano.HttpChunkType.HTTP_RESPONSE_END)
if verdict == nano.AttachmentVerdict.DROP then if verdict == nano.AttachmentVerdict.DROP then
ctx.blocked = true ctx.blocked = true
@@ -272,6 +267,9 @@ function NanoHandler.body_filter(conf)
-- Cleanup in log phase instead -- Cleanup in log phase instead
ctx.cleanup_needed = true ctx.cleanup_needed = true
ctx.session_finalized = true ctx.session_finalized = true
elseif ctx.timeout_passthrough then
-- Timeout occurred, just mark for cleanup in log phase
ctx.session_finalized = true
end end
end end
end end
@@ -279,8 +277,8 @@ end
function NanoHandler.log(conf) function NanoHandler.log(conf)
local ctx = kong.ctx.plugin local ctx = kong.ctx.plugin
-- Cleanup session if it was blocked (kong.response.exit was called) -- Cleanup session if it was blocked (kong.response.exit was called) OR timed out
if ctx.cleanup_needed and ctx.session_data then if (ctx.cleanup_needed or ctx.timeout_passthrough) and ctx.session_data then
nano.fini_session(ctx.session_data) nano.fini_session(ctx.session_data)
nano.cleanup_all() nano.cleanup_all()
ctx.session_data = nil ctx.session_data = nil