fix accept verdic in body_filter

2025-12-31 13:49:09 +03:00 · 2025-12-11 16:02:53 +02:00
parent 3c71f456cf
commit 30481526b6
1 changed files with 16 additions and 4 deletions
--- a/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua
+++ b/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua
@@ -187,7 +187,6 @@ function NanoHandler.header_filter(conf)

    -- Clear Content-Length since we're buffering the response
    kong.log.err("Clearing Content-Length header to enable response body buffering, current value: ", tostring(content_length))
-    ngx.header["Content-Length"] = nil
    
    ctx.expect_body = not (status_code == 204 or status_code == 304 or (100 <= status_code and status_code < 200) or content_length == 0)
 end
@@ -266,7 +265,6 @@ function NanoHandler.body_filter(conf)
        ctx.body_buffer_chunk = ctx.body_buffer_chunk or 0
        ctx.body_seen = true

-        -- Buffer the chunk BEFORE sending to agent
        table.insert(ctx.response_buffer, chunk)

        local verdict, response, modifications = nano.send_body(session_id, session_data, chunk, nano.HttpChunkType.HTTP_RESPONSE_BODY)
@@ -297,8 +295,16 @@ function NanoHandler.body_filter(conf)
                    ngx.arg[1] = ""
                end
                ngx.arg[2] = true
-            end
                return
+            else
+                -- ACCEPT verdict - flush buffered data and switch to pass-through mode
+                kong.log.err("ACCEPT verdict in body_filter - flushing buffer and switching to pass-through")
+                local buffered_data = table.concat(ctx.response_buffer)
+                kong.log.err("Flushing ", #ctx.response_buffer, " buffered chunks (", #buffered_data, " bytes) before switching to pass-through")
+                ngx.arg[1] = buffered_data
+                ctx.response_buffer = nil  -- Clear buffer to free memory
+                return
+            end
        end
        kong.log.err("Response body chunk of size ", #chunk, " bytes inspected and passed")
        -- Don't send chunk yet - hold it in buffer
@@ -308,6 +314,8 @@ function NanoHandler.body_filter(conf)

    if eof then
        kong.log.err("End of response body reached in body_filter, eof=true")
+        
+        -- Call end_inspection if we haven't gotten ACCEPT verdict yet
        if ctx.body_seen or ctx.expect_body == false then
            kong.log.err("Calling end_inspection for response")
            local verdict, response = nano.end_inspection(session_id, session_data, nano.HttpChunkType.HTTP_RESPONSE_END)
@@ -330,11 +338,15 @@ function NanoHandler.body_filter(conf)
                    end
                    ngx.arg[2] = true
                    return
+                else
+                    -- ACCEPT verdict at EOF
+                    kong.log.err("ACCEPT verdict at EOF - will flush buffered response")
                end
            end
        end
+        
+        -- Send buffered response (for INSPECT or ACCEPT verdicts)
        kong.log.err("Response fully inspected and passed - flushing buffered chunks , total buffered chunks: ", #ctx.response_buffer)
-        -- All chunks inspected and passed - send buffered response
        if ctx.response_buffer and #ctx.response_buffer > 0 then
            local buffered_data = table.concat(ctx.response_buffer)
            kong.log.err("Flushing ", #ctx.response_buffer, " buffered chunks, total size: ", #buffered_data, " bytes")