implement timeout

2025-12-31 13:49:09 +03:00 · 2025-12-06 15:55:13 +02:00
parent c3a749eb11
commit 431977d27e
1 changed files with 16 additions and 10 deletions
--- a/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua
+++ b/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua
@@ -87,11 +87,11 @@ function NanoHandler.access(conf)
                return result
            end
        else
-            kong.log.debug("Request body not in memory, attempting to read from buffer/file")
+            kong.log.err("Request body not in memory, attempting to read from buffer/file")

            local body_data = ngx.var.request_body
            if body_data and #body_data > 0 then
-                kong.log.debug("Found request body in nginx var, size: ", #body_data)
+                kong.log.err("Found request body in nginx var, size: ", #body_data)
                verdict, response = nano.send_body(session_id, session_data, body_data, nano.HttpChunkType.HTTP_REQUEST_BODY)
                if verdict == nano.AttachmentVerdict.DROP then
                    kong.ctx.plugin.blocked = true
@@ -106,7 +106,7 @@ function NanoHandler.access(conf)
            else
                local body_file = ngx.var.request_body_file
                if body_file then
-                    kong.log.debug("Reading request body from file: ", body_file)
+                    kong.log.err("Reading request body from file: ", body_file)
                    local file = io.open(body_file, "rb")
                    if file then
                        local entire_body = file:read("*all")
@@ -115,7 +115,7 @@ function NanoHandler.access(conf)
                        if not entire_body then
                            kong.log.err("Failed to read body file: ", body_file)
                        elseif entire_body and #entire_body > 0 then
-                            kong.log.debug("Sending entire body of size ", #entire_body, " bytes to C module")
+                            kong.log.err("Sending entire body of size ", #entire_body, " bytes to C module")
                            verdict, response = nano.send_body(session_id, session_data, entire_body, nano.HttpChunkType.HTTP_REQUEST_BODY)
                            if verdict == nano.AttachmentVerdict.DROP then
                                kong.ctx.plugin.blocked = true
@@ -128,11 +128,11 @@ function NanoHandler.access(conf)
                                return result
                            end
                        else
-                            kong.log.debug("Empty body file")
+                            kong.log.err("Empty body file")
                        end
                    end
                else
-                    kong.log.warn("Request body expected but no body data or file available")
+                    kong.log.err("Request body expected but no body data or file available")
                end
            end
        end
@@ -230,18 +230,20 @@ function NanoHandler.body_filter(conf)
    local session_data = ctx.session_data

    if not session_id or not session_data or ctx.session_finalized then
+        kong.log.err("No session data found or session already finalized in body_filter")
        return
    end

    -- Initialize timeout tracking on first call
    if not ctx.body_filter_start_time then
+        kong.log.err("Initializing body filter start time")
        ctx.body_filter_start_time = ngx.now()
    end

    -- Check for timeout (150 seconds)
    local elapsed_time = ngx.now() - ctx.body_filter_start_time
    if elapsed_time > 150 then
-        kong.log.warn("Body filter timeout after ", elapsed_time, " seconds - failing open")
+        kong.log.err("Body filter timeout after ", elapsed_time, " seconds - failing open")
        nano.fini_session(session_data)
        nano.cleanup_all()
        collectgarbage("restart")
@@ -256,14 +258,15 @@ function NanoHandler.body_filter(conf)
    local eof = ngx.arg[2]

    if chunk and #chunk > 0 then
+        -- Initialize if not exists
+        ctx.body_buffer_chunk = ctx.body_buffer_chunk or 0
+        
+        kong.log.err("Processing response body chunk #", ctx.body_buffer_chunk, "  bytes, EOF: ", tostring(eof))
        ctx.body_seen = true
        
        -- Process chunk by chunk to avoid loading entire large body into memory
        local verdict, response, modifications = nano.send_body(session_id, session_data, chunk, nano.HttpChunkType.HTTP_RESPONSE_BODY)

-        -- Initialize if not exists
-        ctx.body_buffer_chunk = ctx.body_buffer_chunk or 0
-
        -- Handle body modifications if any
        if modifications then
            chunk = nano.handle_body_modifications(chunk, modifications, ctx.body_buffer_chunk)
@@ -294,7 +297,10 @@ function NanoHandler.body_filter(conf)

    -- Handle end of stream
    if eof then
+        kong.log.err("End of response body stream reached, body_seen: ", tostring(ctx.body_seen), ", expect_body: ", tostring(ctx.expect_body))
+        -- Always finalize at EOF, whether we saw body chunks or expected no body
        if ctx.body_seen or ctx.expect_body == false then
+            kong.log.err("Ending response body inspection")
            local verdict, response = nano.end_inspection(session_id, session_data, nano.HttpChunkType.HTTP_RESPONSE_END)
            if verdict == nano.AttachmentVerdict.DROP then
                ctx.blocked = true