From 19bbd5a553f16fa01bd49fab979d9890fbba3f3d Mon Sep 17 00:00:00 2001
From: wiaamm
Date: Wed, 3 Dec 2025 02:14:34 +0200
Subject: [PATCH] increase timeout
---
 .../open-appsec-waf-kong-plugin/handler.lua | 25 ++++++++-----------
 .../open-appsec-waf-kong-plugin/nano_ffi.lua | 10 +++++---
 2 files changed, 17 insertions(+), 18 deletions(-)
diff --git a/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua b/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua
index abf744f..5306259 100755
--- a/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua
+++ b/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua
@@ -72,12 +72,15 @@ function NanoHandler.access(conf)
 local contains_body = has_content_length and 1 or 0
 local verdict, response = nano.send_data(session_id, session_data, meta_data, req_headers, contains_body, nano.HttpChunkType.HTTP_REQUEST_FILTER)
+
+ -- Restart GC after send_data completes (was stopped in handle_start_transaction)
+ collectgarbage("restart")
+
 if verdict == nano.AttachmentVerdict.DROP then
 kong.ctx.plugin.blocked = true
 kong.ctx.plugin.inspection_complete = true
 local result = nano.handle_custom_response(session_data, response)
 nano.fini_session(session_data)
- nano.cleanup_all()
 kong.ctx.plugin.session_id = nil
 kong.ctx.plugin.session_data = nil
 return result
@@ -92,7 +95,6 @@ function NanoHandler.access(conf)
 kong.ctx.plugin.inspection_complete = true
 local result = nano.handle_custom_response(session_data, response)
 nano.fini_session(session_data)
- nano.cleanup_all()
 kong.ctx.plugin.session_id = nil
 kong.ctx.plugin.session_data = nil
 return result
@@ -112,7 +114,6 @@ function NanoHandler.access(conf)
 kong.ctx.plugin.inspection_complete = true
 local result = nano.handle_custom_response(session_data, response)
 nano.fini_session(session_data)
- nano.cleanup_all()
 kong.ctx.plugin.session_id = nil
 kong.ctx.plugin.session_data = nil
 return result
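Review bot: The `collectgarbage("restart")` added after `nano.send_data` in `NanoHandler.access` only runs when that call returns normally, while the matching `collectgarbage("stop")` in `nano.handle_start_transaction` (the nano_ffi.lua hunk at -291) turns the collector off for the Lua state, which a worker normally shares across all its requests. If `send_data` raises, or a path between the two calls returns early (not visible in this hunk), the worker keeps running with GC disabled and its memory only grows, which is an availability risk for the gateway the WAF protects. Calling it as `local ok, verdict, response = pcall(nano.send_data, ...)`, then `collectgarbage("restart")`, then handling `not ok` would close the error path. The context of the -291 hunk shows `metadata` is already stored in `nano.allocated_metadata`, so it may be enough to keep references to whatever buffers it points at rather than stopping the collector at all. The body of `access` starts and ends outside this hunk.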
@@ -137,7 +138,6 @@ function NanoHandler.access(conf)
 kong.ctx.plugin.inspection_complete = true
 local result = nano.handle_custom_response(session_data, response)
 nano.fini_session(session_data)
- nano.cleanup_all()
 kong.ctx.plugin.session_id = nil
 kong.ctx.plugin.session_data = nil
 return result
@@ -177,7 +177,6 @@ function NanoHandler.access(conf)
 kong.ctx.plugin.inspection_complete = true
 local result = nano.handle_custom_response(session_data, response)
 nano.fini_session(session_data)
- nano.cleanup_all()
 kong.ctx.plugin.session_id = nil
 kong.ctx.plugin.session_data = nil
 return result
@@ -219,12 +218,11 @@ function NanoHandler.header_filter(conf)
 if verdict == nano.AttachmentVerdict.DROP then
 ctx.blocked = true
 ctx.inspection_complete = true
- local custom_result = nano.handle_custom_response(ctx.session_data, response)
+ local result = nano.handle_custom_response(ctx.session_data, response)
 nano.fini_session(ctx.session_data)
- nano.cleanup_all()
 ctx.session_id = nil
 ctx.session_data = nil
- return custom_result
+ return result
 end
 end
@@ -290,13 +288,12 @@ function NanoHandler.body_filter(conf)
 if verdict == nano.AttachmentVerdict.DROP then
 ctx.blocked = true
 ctx.inspection_complete = true
- local custom_result = nano.handle_custom_response(ctx.session_data, response)
+ local result = nano.handle_custom_response(ctx.session_data, response)
 nano.fini_session(ctx.session_data)
- nano.cleanup_all()
 collectgarbage("collect")
 ctx.session_id = nil
 ctx.session_data = nil
- return custom_result
+ return result
 end
 else
 kong.log.err("nano.send_body failed: ", tostring(result), " - cleaning up session")
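Review bot: In the `body_filter` hunk at -290 the rename from `custom_result` to `result` makes the new `local result` shadow an outer `result`, which the `else` branch a few lines below still logs with `tostring(result)` in the "nano.send_body failed" message. It is harmless today because the inner local goes out of scope at the `return`, but the two names now read as the same value and luacheck will report the shadowing. Keeping `local custom_result = nano.handle_custom_response(ctx.session_data, response)` and `return custom_result` here, and in the -323 hunk if the same outer variable is in scope there, avoids it. The enclosing `if`/`else` starts outside the hunk, so the outer declaration is inferred from its use in the `else` branch.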
@@ -323,13 +320,12 @@ function NanoHandler.body_filter(conf)
 if verdict == nano.AttachmentVerdict.DROP then
 ctx.blocked = true
 ctx.inspection_complete = true
- local custom_result = nano.handle_custom_response(ctx.session_data, response)
+ local result = nano.handle_custom_response(ctx.session_data, response)
 nano.fini_session(ctx.session_data)
- nano.cleanup_all()
 collectgarbage("collect")
 ctx.session_id = nil
 ctx.session_data = nil
- return custom_result
+ return result
 else
 ngx.arg[1] = nil -- Discard chunk
 ctx.inspection_complete = true
@@ -378,7 +374,6 @@ function NanoHandler.log(conf)
 if ctx.session_id and ctx.session_data and not ctx.inspection_complete then
 kong.log.err("Emergency cleanup for session ", ctx.session_id)
 nano.fini_session(ctx.session_data)
- nano.cleanup_all()
 collectgarbage("collect")
 ctx.inspection_complete = true
 ctx.session_id = nil
diff --git a/attachments/kong/plugins/open-appsec-waf-kong-plugin/nano_ffi.lua b/attachments/kong/plugins/open-appsec-waf-kong-plugin/nano_ffi.lua
index 68470e0..bf7e2f9 100755
--- a/attachments/kong/plugins/open-appsec-waf-kong-plugin/nano_ffi.lua
+++ b/attachments/kong/plugins/open-appsec-waf-kong-plugin/nano_ffi.lua
@@ -94,6 +94,7 @@ function nano.handle_custom_response(session_data, response)
 end
 local response_type = nano_attachment.get_web_response_type(attachment, session_data, response)
+ kong.log.err("Block response - type: ", response_type)
 if response_type == nano.WebResponseType.RESPONSE_CODE_ONLY then
 local code = nano_attachment.get_response_code(response)
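Review bot: `kong.log.err("Block response - type: ", response_type)` records a routine enforcement decision at error severity, and the -101, -120 and -434 hunks of this file do the same for "Response code only", "Redirect response to", "Block page response" and "Successfully finalized session". Every blocked request and every finished session then lands in the error log, so real plugin failures are hard to pick out in alerting and log volume scales directly with blocked traffic. If these lines are diagnostics for the timeout work, `kong.log.debug(...)` keeps them available without that cost; if block events should be visible by default, `kong.log.notice(...)` fits better. The body of `nano.handle_custom_response` continues outside the hunk.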
@@ -101,12 +102,13 @@ function nano.handle_custom_response(session_data, response)
 kong.log.warn("Invalid response code received: ", code, " - using 403 instead")
 code = 403
 end
- kong.log.debug("Response code only: ", code)
+ kong.log.err("Response code only: ", code)
 return kong.response.exit(code, "")
 end
 if response_type == nano.WebResponseType.REDIRECT_WEB_RESPONSE then
 local location = nano_attachment.get_redirect_page(attachment, session_data, response)
+ kong.log.err("Redirect response to: ", location)
 return kong.response.exit(307, "", { ["Location"] = location })
 end
@@ -120,7 +122,7 @@ function nano.handle_custom_response(session_data, response)
 kong.log.warn("Invalid response code received: ", code, " - using 403 instead")
 code = 403
 end
- kong.log.debug("Block page response with code: ", code)
+ kong.log.err("Block page response with code: ", code, ", page length: ", #block_page)
 return kong.response.exit(code, block_page, { ["Content-Type"] = "text/html" })
 end
@@ -291,6 +293,8 @@ function nano.handle_start_transaction()
 table.insert(nano.allocated_metadata, metadata)
+ -- Temporarily stop GC to ensure metadata isn't collected before it's used
+ -- Handler will restart GC after send_data completes
 collectgarbage("stop")
 return metadata
@@ -434,7 +438,7 @@ function nano.fini_session(session_data)
 -- This prevents memory leaks from responses, headers, metadata, etc.
 nano.cleanup_all()
- kong.log.info("Successfully finalized session ", session_data, " for worker ", worker_id)
+ kong.log.err("Successfully finalized session ", session_data, " for worker ", worker_id)
 return true
 end
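Review bot: The new log line in the block-page branch (hunk at -120) evaluates `#block_page` before `kong.response.exit`, so if `block_page` is ever nil, or a cdata value rather than a Lua string, the length operator raises and the request ends in a plugin error instead of the intended block response. Its assignment is outside this hunk, so whether that can happen is not visible here. A log statement should not be able to change the outcome of a DROP verdict; logging `type(block_page) == "string" and #block_page or 0` removes that path.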