ctx.timeout_passthrough

2025-12-31 05:39:07 +03:00 · 2025-12-07 22:38:11 +02:00
parent 704b3800b3
commit 01ca55a45b
1 changed files with 9 additions and 11 deletions
--- a/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua
+++ b/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua
@@ -223,15 +223,13 @@ function NanoHandler.body_filter(conf)
        ctx.body_filter_start_time = ngx.now()
    end
    local elapsed_time = ngx.now() - ctx.body_filter_start_time
-    if elapsed_time > 150 then
+    if elapsed_time > 150 and not ctx.timeout_passthrough then
        kong.log.warn("Body filter timeout after ", elapsed_time, " seconds - failing open")
-        ctx.cleanup_needed = true
        ctx.timeout_passthrough = true
-        return 
    end

-
-    if chunk and #chunk > 0 then
+    -- If timeout occurred, skip nano inspection but still process chunks
+    if not ctx.timeout_passthrough and chunk and #chunk > 0 then
        ctx.body_buffer_chunk = ctx.body_buffer_chunk or 0
        ctx.body_seen = true
        
@@ -252,13 +250,10 @@ function NanoHandler.body_filter(conf)
            ngx.arg[2] = true
            return nano.handle_custom_response(session_data, response)
        end
-        
-        nano.free_all_responses()
-        nano.free_all_nano_str()
    end

    if eof then
-        if ctx.body_seen or ctx.expect_body == false then
+        if not ctx.timeout_passthrough and (ctx.body_seen or ctx.expect_body == false) then
            local verdict, response = nano.end_inspection(session_id, session_data, nano.HttpChunkType.HTTP_RESPONSE_END)
            if verdict == nano.AttachmentVerdict.DROP then
                ctx.blocked = true
@@ -272,6 +267,9 @@ function NanoHandler.body_filter(conf)
            -- Cleanup in log phase instead
            ctx.cleanup_needed = true
            ctx.session_finalized = true
+        elseif ctx.timeout_passthrough then
+            -- Timeout occurred, just mark for cleanup in log phase
+            ctx.session_finalized = true
        end
    end
 end
@@ -279,8 +277,8 @@ end
 function NanoHandler.log(conf)
    local ctx = kong.ctx.plugin
    
-    -- Cleanup session if it was blocked (kong.response.exit was called)
-    if ctx.cleanup_needed and ctx.session_data then
+    -- Cleanup session if it was blocked (kong.response.exit was called) OR timed out
+    if (ctx.cleanup_needed or ctx.timeout_passthrough) and ctx.session_data then
        nano.fini_session(ctx.session_data)
        nano.cleanup_all()
        ctx.session_data = nil