From 2dd196872384d74be203170df72888fe940f3cc8 Mon Sep 17 00:00:00 2001
From: wiaamm
Date: Wed, 10 Dec 2025 15:28:54 +0200
Subject: [PATCH] add accept
---
 .../open-appsec-waf-kong-plugin/handler.lua | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
diff --git a/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua b/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua
index bf1dfe5..f13f9d1 100755
--- a/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua
+++ b/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua
@@ -78,6 +78,10 @@ function NanoHandler.access(conf)
 if verdict == nano.AttachmentVerdict.DROP then
 kong.ctx.plugin.cleanup_needed = true
 return nano.handle_custom_response(session_data, response)
+ elseif verdict == nano.AttachmentVerdict.ACCEPT then
+ kong.log.debug("Request body passed inspection")
+ kong.ctx.plugin.cleanup_needed = true
+ return
 end
 else
 --kong.log.err("Request body not found in memory, checking nginx vars")
@@ -91,6 +95,10 @@ function NanoHandler.access(conf)
 if verdict == nano.AttachmentVerdict.DROP then
 kong.ctx.plugin.cleanup_needed = true
 return nano.handle_custom_response(session_data, response)
+ elseif verdict == nano.AttachmentVerdict.ACCEPT then
+ kong.log.debug("Request body from nginx var passed inspection")
+ kong.ctx.plugin.cleanup_needed = true
+ return
 end
 kong.log.err("Sent request body from nginx var to C module")
 else
@@ -113,6 +121,10 @@ function NanoHandler.access(conf)
 if verdict == nano.AttachmentVerdict.DROP then
 kong.ctx.plugin.cleanup_needed = true
 return nano.handle_custom_response(session_data, response)
+ elseif verdict == nano.AttachmentVerdict.ACCEPT then
+ kong.log.debug("Request body from file passed inspection")
+ kong.ctx.plugin.cleanup_needed = true
+ return
 end
 else
 kong.log.debug("Empty body file")
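Review bot: The added `elseif verdict == nano.AttachmentVerdict.ACCEPT` comparison in the @@ -78 hunk is also true for a nil verdict if `ACCEPT` is not a key of `nano.AttachmentVerdict`, because Lua evaluates a missing table field to nil. This patch changes only handler.lua, so the enum definition is not visible here; if the key is absent, a call that fails to return a verdict would take this branch and return before any later inspection step in the function. Please confirm the key exists in the nano module, or make the branch explicit with `elseif verdict ~= nil and verdict == nano.AttachmentVerdict.ACCEPT then`. The same comparison is added in every other hunk of this patch, and the body of NanoHandler.access starts and ends outside the hunk.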
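Review bot: The added `return` in the body-from-file branch of the @@ -113 hunk may leave NanoHandler.access before the request body file is closed. The code that opens and closes the file is outside the hunk, so this needs checking against the full function. If the close happens after this `if` block, close the handle in the ACCEPT branch before returning; the existing DROP branch has the same shape and would need the same treatment.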
@@ -137,6 +149,10 @@ function NanoHandler.access(conf)
 if verdict == nano.AttachmentVerdict.DROP then
 kong.ctx.plugin.cleanup_needed = true
 return nano.handle_custom_response(session_data, response)
+ elseif verdict == nano.AttachmentVerdict.ACCEPT then
+ kong.log.debug("Request end inspection passed")
+ kong.ctx.plugin.cleanup_needed = true
+ return
 end
 else
 kong.log.err("No request body to inspect, ending inspection directly")
@@ -144,6 +160,10 @@ function NanoHandler.access(conf)
 if verdict == nano.AttachmentVerdict.DROP then
 kong.ctx.plugin.cleanup_needed = true
 return nano.handle_custom_response(session_data, response)
+ elseif verdict == nano.AttachmentVerdict.ACCEPT then
+ kong.log.debug("Request end inspection passed (no body)")
+ kong.ctx.plugin.cleanup_needed = true
+ return
 end
 end
 end
@@ -190,6 +210,10 @@ function NanoHandler.header_filter(conf)
 if verdict == nano.AttachmentVerdict.DROP then
 kong.ctx.plugin.cleanup_needed = true
 return nano.handle_custom_response(session_data, response)
+ elseif verdict == nano.AttachmentVerdict.ACCEPT then
+ kong.log.debug("Response headers passed inspection")
+ kong.ctx.plugin.cleanup_needed = true
+ return
 end
 --kong.log.err("NanoHandler header_filter phase sent response headers")
@@ -203,6 +227,10 @@ function NanoHandler.header_filter(conf)
 kong.log.err("DROP verdict after response end inspection")
 ctx.cleanup_needed = true
 return nano.handle_custom_response(session_data, response)
+ elseif verdict == nano.AttachmentVerdict.ACCEPT then
+ kong.log.debug("Response end inspection passed (no body expected)")
+ ctx.cleanup_needed = true
+ return
 end
 ctx.cleanup_needed = true
 end
@@ -263,6 +291,10 @@ function NanoHandler.body_filter(conf)
 ngx.arg[1] = ""
 ngx.arg[2] = true
 return nano.handle_custom_response(session_data, response)
+ elseif verdict == nano.AttachmentVerdict.ACCEPT then
+ kong.log.debug("Response body chunk passed inspection")
+ ctx.cleanup_needed = true
+ return
 end
 end
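Review bot: The ACCEPT branch in the @@ -190 hunk writes `kong.ctx.plugin.cleanup_needed`, while the ACCEPT branch in the @@ -203 hunk of the same header_filter function writes `ctx.cleanup_needed`. The new code mirrors the neighbouring DROP branches, and `ctx` is presumably a local alias for `kong.ctx.plugin` declared outside the hunks, but two spellings for one flag make it easy to miss a path when the cleanup logic changes. Since the same four lines are added ten times across the patch, a single local helper such as `local function mark_accepted(ctx, msg) kong.log.debug(msg); ctx.cleanup_needed = true end` would keep the branches in sync. In the @@ -203 hunk the added assignment also repeats the `ctx.cleanup_needed = true` that follows the `end`.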
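Review bot: The ACCEPT branch in the @@ -263 hunk returns from body_filter without recording that the response already has a final verdict, and body_filter is invoked again for every later chunk. Unless a guard at the top of the function (outside the hunk) already stops on `ctx.cleanup_needed` or a finalized session, each remaining chunk would still be sent for inspection against a session that has been accepted. If no such guard exists, set a flag in this branch, for example `ctx.inspection_complete = true` (the name is only a suggestion), and return early on it at the start of body_filter. The same applies to the ACCEPT branch in the @@ -279 hunk.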
@@ -279,6 +311,10 @@ function NanoHandler.body_filter(conf)
 ngx.arg[1] = ""
 ngx.arg[2] = true
 return nano.handle_custom_response(session_data, response)
+ elseif verdict == nano.AttachmentVerdict.ACCEPT then
+ kong.log.debug("Response end inspection passed")
+ ctx.cleanup_needed = true
+ return
 end
 --kong.log.err("Response inspection ended successfully")