github_mirrors/attachment
3
0
Fork 1
mirror of https://github.com/openappsec/attachment.git synced 2025-12-31 05:39:07 +03:00
Code Issues Packages Projects Releases Wiki Activity

remove ctx.timeout_passthrough

Browse Source
This commit is contained in:
wiaamm
2025-12-07 23:09:26 +02:00
parent 01ca55a45b
commit 458dffaa00
1 changed files with 17 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua
View File

@@ -223,13 +223,15 @@ function NanoHandler.body_filter(conf)
ctx.body_filter_start_time = ngx.now() ctx.body_filter_start_time = ngx.now()
end end
local elapsed_time = ngx.now() - ctx.body_filter_start_time local elapsed_time = ngx.now() - ctx.body_filter_start_time
if elapsed_time > 150 and not ctx.timeout_passthrough then if elapsed_time > 150 then
kong.log.warn("Body filter timeout after ", elapsed_time, " seconds - failing open") kong.log.warn("Body filter timeout after ", elapsed_time, " seconds - failing open")
ctx.cleanup_needed = true
ctx.timeout_passthrough = true ctx.timeout_passthrough = true
return
end end
-- If timeout occurred, skip nano inspection but still process chunks
if not ctx.timeout_passthrough and chunk and #chunk > 0 then if chunk and #chunk > 0 then
ctx.body_buffer_chunk = ctx.body_buffer_chunk or 0 ctx.body_buffer_chunk = ctx.body_buffer_chunk or 0
ctx.body_seen = true ctx.body_seen = true
@@ -253,9 +255,14 @@ function NanoHandler.body_filter(conf)
end end
if eof then if eof then
if not ctx.timeout_passthrough and (ctx.body_seen or ctx.expect_body == false) then kong.log.err("End of response body reached in body_filter")
-- Timeout handling
if ctx.body_seen or ctx.expect_body == false then
kong.log.err("Finalizing session in body_filter")
local verdict, response = nano.end_inspection(session_id, session_data, nano.HttpChunkType.HTTP_RESPONSE_END) local verdict, response = nano.end_inspection(session_id, session_data, nano.HttpChunkType.HTTP_RESPONSE_END)
if verdict == nano.AttachmentVerdict.DROP then if verdict == nano.AttachmentVerdict.DROP then
kong.log.err("Dropping response in body_filter after end_inspection")
ctx.blocked = true ctx.blocked = true
ctx.session_finalized = true ctx.session_finalized = true
ctx.cleanup_needed = true ctx.cleanup_needed = true
@@ -264,21 +271,18 @@ function NanoHandler.body_filter(conf)
return nano.handle_custom_response(session_data, response) return nano.handle_custom_response(session_data, response)
end end
-- Cleanup in log phase instead
ctx.cleanup_needed = true
ctx.session_finalized = true
elseif ctx.timeout_passthrough then
-- Timeout occurred, just mark for cleanup in log phase
ctx.session_finalized = true
end end
-- Cleanup in log phase instead
ctx.cleanup_needed = true
ctx.session_finalized = true
end end
end end
function NanoHandler.log(conf) function NanoHandler.log(conf)
local ctx = kong.ctx.plugin local ctx = kong.ctx.plugin
kong.log.err("log phase: ctx.blocked=", ctx.blocked, " ctx.cleanup_needed=", ctx.cleanup_needed, " ctx.session_id=", ctx.session_id, " ctx.session_data=", ctx.session_data and "EXISTS" or "NIL")
-- Cleanup session if it was blocked (kong.response.exit was called) OR timed out -- Cleanup session if it was blocked (kong.response.exit was called)
if (ctx.cleanup_needed or ctx.timeout_passthrough) and ctx.session_data then if ctx.cleanup_needed and ctx.session_data then
nano.fini_session(ctx.session_data) nano.fini_session(ctx.session_data)
nano.cleanup_all() nano.cleanup_all()
ctx.session_data = nil ctx.session_data = nil