github_mirrors/attachment
3
0
Fork 1
mirror of https://github.com/openappsec/attachment.git synced 2025-12-31 13:49:09 +03:00
Code Issues Packages Projects Releases Wiki Activity

last try

Browse Source
This commit is contained in:
wiaamm
2025-12-09 16:05:06 +02:00
parent 839bb39539
commit 40e14bb20b
1 changed files with 12 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua
View File

@@ -149,9 +149,9 @@ end
function NanoHandler.header_filter(conf) function NanoHandler.header_filter(conf)
local ctx = kong.ctx.plugin local ctx = kong.ctx.plugin
kong.log.err("header_filter: ctx.blocked=", ctx.blocked, " ctx.cleanup_needed=", ctx.cleanup_needed, " ctx.session_id=", ctx.session_id, " ctx.session_data=", ctx.session_data and "EXISTS" or "NIL")
if ctx.blocked or ctx.cleanup_needed then if ctx.blocked or ctx.cleanup_needed then
kong.log.debug("blocked/cleanup in header_filter, passing through")
return return
end end
@@ -159,7 +159,7 @@ function NanoHandler.header_filter(conf)
local session_data = ctx.session_data local session_data = ctx.session_data
if not session_id or not session_data then if not session_id or not session_data then
kong.log.err("No session data found in header_filter - session_id:", session_id, " session_data:", session_data) kong.log.debug("No session data found in header_filter - session_id:", session_id, " session_data:", session_data)
return return
end end
@@ -168,6 +168,9 @@ function NanoHandler.header_filter(conf)
if not header_data then if not header_data then
kong.log.err("Failed to handle response headers - failing open") kong.log.err("Failed to handle response headers - failing open")
ctx.cleanup_needed = true
ctx.session_data = nil
ctx.session_id = nil
return return
end end
@@ -188,29 +191,19 @@ function NanoHandler.body_filter(conf)
local ctx = kong.ctx.plugin local ctx = kong.ctx.plugin
local chunk = ngx.arg[1] local chunk = ngx.arg[1]
local eof = ngx.arg[2] local eof = ngx.arg[2]
ctx.response_body_size = (ctx.response_body_size or 0) + (chunk and #chunk or 0)
kong.log.err("Response body size so far: ", ctx.response_body_size)
--kong.log.err("body_filter START: ctx.blocked=", ctx.blocked, " ctx.cleanup_needed=", ctx.cleanup_needed, " ctx.session_id=", ctx.session_id, " ctx.session_data=", ctx.session_data and "EXISTS" or "NIL")
if ctx.blocked or ctx.cleanup_needed then if ctx.blocked or ctx.cleanup_needed then
kong.log.err("Fail-open mode - blocked/cleanup chunk without inspection, passing through") kong.log.debug("blocked/cleanup chunk without inspection, passing through")
ngx.arg[1] = chunk
return return
end end
--kong.log.err("In body_filter phase")
local session_id = ctx.session_id local session_id = ctx.session_id
local session_data = ctx.session_data local session_data = ctx.session_data
-- kong.log.err("Session id after: ", session_id, " session_data: ", session_data and "EXISTS" or "NIL") if not session_id or not session_data then
if not session_id or not session_data or ctx.session_finalized then kong.log.debug("No session data found in body_filter")
kong.log.err("No session data found in body_filter - session_id:", session_id, " session_data:", session_data)
ngx.arg[1] = chunk
return return
end end
kong.log.err("Session id after 2")
-- Timeout handling
if not ctx.body_filter_start_time then if not ctx.body_filter_start_time then
ctx.body_filter_start_time = ngx.now() ctx.body_filter_start_time = ngx.now()
end end
@@ -238,7 +231,6 @@ function NanoHandler.body_filter(conf)
if verdict == nano.AttachmentVerdict.DROP then if verdict == nano.AttachmentVerdict.DROP then
ctx.blocked = true ctx.blocked = true
ctx.session_finalized = true
ctx.cleanup_needed = true ctx.cleanup_needed = true
ngx.arg[1] = "" ngx.arg[1] = ""
ngx.arg[2] = true ngx.arg[2] = true
@@ -247,16 +239,13 @@ function NanoHandler.body_filter(conf)
end end
if eof then if eof then
kong.log.err("End of response body reached in body_filter") kong.log.debug("End of response body reached in body_filter")
-- Timeout handling
if ctx.body_seen or ctx.expect_body == false then if ctx.body_seen or ctx.expect_body == false then
kong.log.err("Finalizing session in body_filter")
local verdict, response = nano.end_inspection(session_id, session_data, nano.HttpChunkType.HTTP_RESPONSE_END) local verdict, response = nano.end_inspection(session_id, session_data, nano.HttpChunkType.HTTP_RESPONSE_END)
if verdict == nano.AttachmentVerdict.DROP then if verdict == nano.AttachmentVerdict.DROP then
kong.log.err("Dropping response in body_filter after end_inspection") kong.log.debug("Dropping response in body_filter after end_inspection")
ctx.blocked = true ctx.blocked = true
ctx.session_finalized = true
ctx.cleanup_needed = true ctx.cleanup_needed = true
ngx.arg[1] = "" ngx.arg[1] = ""
ngx.arg[2] = true ngx.arg[2] = true
@@ -264,19 +253,17 @@ function NanoHandler.body_filter(conf)
end end
end end
-- Cleanup in log phase instead
ctx.cleanup_needed = true ctx.cleanup_needed = true
ctx.session_finalized = true
end end
end end
function NanoHandler.log(conf) function NanoHandler.log(conf)
local ctx = kong.ctx.plugin local ctx = kong.ctx.plugin
kong.log.err("log phase: ctx.blocked=", ctx.blocked, " ctx.cleanup_needed=", ctx.cleanup_needed, " ctx.session_id=", ctx.session_id, " ctx.session_data=", ctx.session_data and "EXISTS" or "NIL")
-- Cleanup session if it was blocked (kong.response.exit was called)
if ctx.cleanup_needed or ctx.session_data then if ctx.cleanup_needed or ctx.session_data then
nano.fini_session(ctx.session_data) nano.fini_session(ctx.session_data)
nano.cleanup_all() nano.cleanup_all()
collectgarbage("restart")
collectgarbage("collect")
ctx.session_data = nil ctx.session_data = nil
ctx.session_id = nil ctx.session_id = nil
end end