From 41e13b1bbac166c35f6e1d72a56c3b88314e2dc1 Mon Sep 17 00:00:00 2001
From: Gray <110347368+Granyaa@users.noreply.github.com>
Date: Tue, 23 Dec 2025 11:23:14 +0200
Subject: [PATCH] Feature/nano attachment delayed verdict response body (#50)
* Add delayed verdict support for response body in nano attachment
Summary:
* Implement TRAFFIC_VERDICT_DELAYED handling in SendResponseBody function
* Add delayed verdict thread spawning when response body returns delayed verdict
This change mirrors the existing delayed verdict handling in SendRequestBody to ensure consistent behavior for both request and response body processing.
* Redirect kong nano attachment output from stdout to stderr
---
 .../lua_attachment_wrapper.c | 2 +-
 .../nano_attachment/nano_attachment_sender.c | 25 +++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/attachments/kong/plugins/open-appsec-waf-kong-plugin/lua_attachment_wrapper.c b/attachments/kong/plugins/open-appsec-waf-kong-plugin/lua_attachment_wrapper.c
index a0d36f7..eb49244 100755
--- a/attachments/kong/plugins/open-appsec-waf-kong-plugin/lua_attachment_wrapper.c
+++ b/attachments/kong/plugins/open-appsec-waf-kong-plugin/lua_attachment_wrapper.c
@@ -12,7 +12,7 @@ static int lua_init_nano_attachment(lua_State *L) {
 int worker_id = luaL_checkinteger(L, 1);
 int num_workers = luaL_checkinteger(L, 2);
- NanoAttachment* attachment = InitNanoAttachment(0, worker_id, num_workers, fileno(stdout));
+ NanoAttachment* attachment = InitNanoAttachment(0, worker_id, num_workers, fileno(stderr));
 if (!attachment) {
 lua_pushnil(L);
 lua_pushstring(L, "Failed to initialize NanoAttachment");
diff --git a/attachments/nano_attachment/nano_attachment_sender.c b/attachments/nano_attachment/nano_attachment_sender.c
index 870fb64..d19e439 100644
--- a/attachments/nano_attachment/nano_attachment_sender.c
+++ b/attachments/nano_attachment/nano_attachment_sender.c
@@ -636,6 +636,31 @@ SendResponseBody(NanoAttachment *attachment, AttachmentData *data)
 ctx.res
 );
+ if (session_data_p->verdict == TRAFFIC_VERDICT_DELAYED) {
+ write_dbg(attachment, session_id, DBG_LEVEL_DEBUG, "spawn SendDelayedVerdictRequestThread");
+ res = NanoRunInThreadTimeout(
+ attachment,
+ data,
+ SendDelayedVerdictRequestThread,
+ (void *)&ctx,
+ attachment->waiting_for_verdict_thread_timeout_msec,
+ "SendDelayedVerdictRequestThread",
+ RESPONSE
+ );
+ if (!res) {
+ updateMetricField(attachment, HOLD_THREAD_TIMEOUT, 1);
+ return SendThreadTimeoutVerdict(attachment, session_id, &ctx);
+ }
+
+ write_dbg(
+ attachment,
+ session_id,
+ DBG_LEVEL_DEBUG,
+ "finished SendDelayedVerdictRequestThread successfully. res=%d",
+ ctx.res
+ );
+ }
+
 if (ctx.res != NANO_HTTP_FORBIDDEN && ctx.res != NANO_OK) {
 return FinalizeFailedResponse(attachment, session_id, &ctx);
 }
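Review bot: On the timeout branch (`if (!res)`), the function returns while the worker started by `NanoRunInThreadTimeout` still holds `(void *)&ctx`. `ctx` looks like a local of SendResponseBody (its declaration, like the rest of the function body, is outside this hunk), so unless the helper cancels or joins the thread before reporting a timeout, the worker can keep writing into a dead stack frame and race with `SendThreadTimeoutVerdict(attachment, session_id, &ctx)`. Please confirm that guarantee and record it at the call, e.g. `/* ctx is stack-local: NanoRunInThreadTimeout must have stopped the worker before a timeout return */`. The verdict is also tested only once: after a successful delayed round the code falls through to the `ctx.res` check without re-reading `session_data_p->verdict`, so a comment should state what happens to the held response body if the verdict is still TRAFFIC_VERDICT_DELAYED. Because the commit message says this block mirrors SendRequestBody, a shared static helper taking the phase (`RESPONSE` here) would keep the two timeout policies from drifting apart.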