remove comments

wiaamm
2025-12-06 18:00:18 +02:00
parent 0a49169c9c
commit 489f49b7c7


@@ -15,7 +15,6 @@ function NanoHandler.init_worker()
nano.init_attachment() nano.init_attachment()
end end
-- **Handles Request Headers (DecodeHeaders Equivalent)**
function NanoHandler.access(conf) function NanoHandler.access(conf)
local headers = kong.request.get_headers() local headers = kong.request.get_headers()
local session_id = nano.generate_session_id() local session_id = nano.generate_session_id()
@@ -40,8 +39,8 @@ function NanoHandler.access(conf)
kong.log.err("Failed to handle start transaction - failing open") kong.log.err("Failed to handle start transaction - failing open")
nano.fini_session(session_data) nano.fini_session(session_data)
nano.cleanup_all() nano.cleanup_all()
--collectgarbage("restart") collectgarbage("restart")
--collectgarbage("collect") collectgarbage("collect")
kong.ctx.plugin.session_data = nil kong.ctx.plugin.session_data = nil
kong.ctx.plugin.session_id = nil kong.ctx.plugin.session_id = nil
return return
@@ -52,8 +51,8 @@ function NanoHandler.access(conf)
kong.log.err("Failed to handle request headers - failing open") kong.log.err("Failed to handle request headers - failing open")
nano.fini_session(session_data) nano.fini_session(session_data)
nano.cleanup_all() nano.cleanup_all()
--collectgarbage("restart") collectgarbage("restart")
--collectgarbage("collect") collectgarbage("collect")
kong.ctx.plugin.session_data = nil kong.ctx.plugin.session_data = nil
kong.ctx.plugin.session_id = nil kong.ctx.plugin.session_id = nil
return return
@@ -68,7 +67,8 @@ function NanoHandler.access(conf)
local result = nano.handle_custom_response(session_data, response) local result = nano.handle_custom_response(session_data, response)
nano.fini_session(session_data) nano.fini_session(session_data)
nano.cleanup_all() nano.cleanup_all()
--collectgarbage("restart") collectgarbage("restart")
collectgarbage("collect")
kong.ctx.plugin.session_data = nil kong.ctx.plugin.session_data = nil
kong.ctx.plugin.session_id = nil kong.ctx.plugin.session_id = nil
return result return result
@@ -83,24 +83,26 @@ function NanoHandler.access(conf)
local result = nano.handle_custom_response(session_data, response) local result = nano.handle_custom_response(session_data, response)
nano.fini_session(session_data) nano.fini_session(session_data)
nano.cleanup_all() nano.cleanup_all()
--collectgarbage("restart") collectgarbage("restart")
collectgarbage("collect")
kong.ctx.plugin.session_data = nil kong.ctx.plugin.session_data = nil
kong.ctx.plugin.session_id = nil kong.ctx.plugin.session_id = nil
return result return result
end end
else else
kong.log.err("Request body not in memory, attempting to read from buffer/file") kong.log.debug("Request body not in memory, attempting to read from buffer/file")
local body_data = ngx.var.request_body local body_data = ngx.var.request_body
if body_data and #body_data > 0 then if body_data and #body_data > 0 then
kong.log.err("Found request body in nginx var, size: ", #body_data) kong.log.debug("Found request body in nginx var, size: ", #body_data)
verdict, response = nano.send_body(session_id, session_data, body_data, nano.HttpChunkType.HTTP_REQUEST_BODY) verdict, response = nano.send_body(session_id, session_data, body_data, nano.HttpChunkType.HTTP_REQUEST_BODY)
if verdict == nano.AttachmentVerdict.DROP then if verdict == nano.AttachmentVerdict.DROP then
kong.ctx.plugin.blocked = true kong.ctx.plugin.blocked = true
local result = nano.handle_custom_response(session_data, response) local result = nano.handle_custom_response(session_data, response)
nano.fini_session(session_data) nano.fini_session(session_data)
nano.cleanup_all() nano.cleanup_all()
--collectgarbage("restart") collectgarbage("restart")
collectgarbage("collect")
kong.ctx.plugin.session_data = nil kong.ctx.plugin.session_data = nil
kong.ctx.plugin.session_id = nil kong.ctx.plugin.session_id = nil
return result return result
@@ -108,7 +110,7 @@ function NanoHandler.access(conf)
else else
local body_file = ngx.var.request_body_file local body_file = ngx.var.request_body_file
if body_file then if body_file then
kong.log.err("Reading request body from file: ", body_file) kong.log.debug("Reading request body from file: ", body_file)
local file = io.open(body_file, "rb") local file = io.open(body_file, "rb")
if file then if file then
local entire_body = file:read("*all") local entire_body = file:read("*all")
@@ -117,7 +119,7 @@ function NanoHandler.access(conf)
if not entire_body then if not entire_body then
kong.log.err("Failed to read body file: ", body_file) kong.log.err("Failed to read body file: ", body_file)
elseif entire_body and #entire_body > 0 then elseif entire_body and #entire_body > 0 then
kong.log.err("Sending entire body of size ", #entire_body, " bytes to C module") kong.log.debug("Sending entire body of size ", #entire_body, " bytes to C module")
verdict, response = nano.send_body(session_id, session_data, entire_body, nano.HttpChunkType.HTTP_REQUEST_BODY) verdict, response = nano.send_body(session_id, session_data, entire_body, nano.HttpChunkType.HTTP_REQUEST_BODY)
if verdict == nano.AttachmentVerdict.DROP then if verdict == nano.AttachmentVerdict.DROP then
kong.ctx.plugin.blocked = true kong.ctx.plugin.blocked = true
@@ -125,16 +127,17 @@ function NanoHandler.access(conf)
nano.fini_session(session_data) nano.fini_session(session_data)
nano.cleanup_all() nano.cleanup_all()
collectgarbage("restart") collectgarbage("restart")
collectgarbage("collect")
kong.ctx.plugin.session_data = nil kong.ctx.plugin.session_data = nil
kong.ctx.plugin.session_id = nil kong.ctx.plugin.session_id = nil
return result return result
end end
else else
kong.log.err("Empty body file") kong.log.debug("Empty body file")
end end
end end
else else
kong.log.err("Request body expected but no body data or file available") kong.log.debug("Request body expected but no body data or file available")
end end
end end
end end
@@ -148,7 +151,8 @@ function NanoHandler.access(conf)
kong.log.err("Error ending request inspection: ", pcall_verdict, " - failing open") kong.log.err("Error ending request inspection: ", pcall_verdict, " - failing open")
nano.fini_session(session_data) nano.fini_session(session_data)
nano.cleanup_all() nano.cleanup_all()
--collectgarbage("restart") collectgarbage("restart")
collectgarbage("collect")
kong.ctx.plugin.session_data = nil kong.ctx.plugin.session_data = nil
kong.ctx.plugin.session_id = nil kong.ctx.plugin.session_id = nil
return return
@@ -161,7 +165,8 @@ function NanoHandler.access(conf)
local result = nano.handle_custom_response(session_data, response) local result = nano.handle_custom_response(session_data, response)
nano.fini_session(session_data) nano.fini_session(session_data)
nano.cleanup_all() nano.cleanup_all()
--collectgarbage("restart") collectgarbage("restart")
collectgarbage("collect")
kong.ctx.plugin.session_data = nil kong.ctx.plugin.session_data = nil
kong.ctx.plugin.session_id = nil kong.ctx.plugin.session_id = nil
return result return result
@@ -173,7 +178,8 @@ function NanoHandler.access(conf)
local result = nano.handle_custom_response(session_data, response) local result = nano.handle_custom_response(session_data, response)
nano.fini_session(session_data) nano.fini_session(session_data)
nano.cleanup_all() nano.cleanup_all()
--collectgarbage("restart") collectgarbage("restart")
collectgarbage("collect")
kong.ctx.plugin.session_data = nil kong.ctx.plugin.session_data = nil
kong.ctx.plugin.session_id = nil kong.ctx.plugin.session_id = nil
return result return result
@@ -232,24 +238,17 @@ function NanoHandler.body_filter(conf)
local session_data = ctx.session_data local session_data = ctx.session_data
if not session_id or not session_data or ctx.session_finalized then if not session_id or not session_data or ctx.session_finalized then
kong.log.err("No session data found or session already finalized in body_filter")
return return
end end
-- Initialize timeout tracking on first call
if not ctx.body_filter_start_time then if not ctx.body_filter_start_time then
kong.log.err("Initializing body filter start time")
ctx.body_filter_start_time = ngx.now() ctx.body_filter_start_time = ngx.now()
end end
-- Check for timeout (150 seconds)
local elapsed_time = ngx.now() - ctx.body_filter_start_time local elapsed_time = ngx.now() - ctx.body_filter_start_time
if elapsed_time > 150 then if elapsed_time > 150 then
kong.log.err("Body filter timeout after ", elapsed_time, " seconds - failing open") kong.log.warn("Body filter timeout after ", elapsed_time, " seconds - failing open")
-- End inspection before cleanup
local verdict, response, modifications = nano.end_inspection(session_id, session_data, nano.HttpChunkType.HTTP_RESPONSE_END) local verdict, response, modifications = nano.end_inspection(session_id, session_data, nano.HttpChunkType.HTTP_RESPONSE_END)
-- Handle modifications if any
if modifications then if modifications then
local chunk = ngx.arg[1] local chunk = ngx.arg[1]
chunk = nano.handle_body_modifications(chunk, modifications, ctx.body_buffer_chunk or 0) chunk = nano.handle_body_modifications(chunk, modifications, ctx.body_buffer_chunk or 0)
@@ -257,7 +256,6 @@ function NanoHandler.body_filter(conf)
end end
if verdict == nano.AttachmentVerdict.DROP then if verdict == nano.AttachmentVerdict.DROP then
kong.log.err("Response body inspection verdict: DROP")
ctx.blocked = true ctx.blocked = true
ctx.session_finalized = true ctx.session_finalized = true
local result = nano.handle_custom_response(session_data, response) local result = nano.handle_custom_response(session_data, response)
@@ -271,29 +269,23 @@ function NanoHandler.body_filter(conf)
end end
nano.fini_session(session_data) nano.fini_session(session_data)
nano.cleanup_all() nano.cleanup_all()
-- collectgarbage("restart") collectgarbage("restart")
-- collectgarbage("collect") -- Force immediate collection collectgarbage("collect")
ctx.session_finalized = true ctx.session_finalized = true
ctx.session_data = nil ctx.session_data = nil
ctx.session_id = nil ctx.session_id = nil
return return
end end
-- Get current chunk only, not entire body
local chunk = ngx.arg[1] local chunk = ngx.arg[1]
local eof = ngx.arg[2] local eof = ngx.arg[2]
if chunk and #chunk > 0 then if chunk and #chunk > 0 then
-- Initialize if not exists
ctx.body_buffer_chunk = ctx.body_buffer_chunk or 0 ctx.body_buffer_chunk = ctx.body_buffer_chunk or 0
kong.log.err("Processing response body chunk #", ctx.body_buffer_chunk, " bytes, EOF: ", tostring(eof))
ctx.body_seen = true ctx.body_seen = true
-- Process chunk by chunk to avoid loading entire large body into memory
local verdict, response, modifications = nano.send_body(session_id, session_data, chunk, nano.HttpChunkType.HTTP_RESPONSE_BODY) local verdict, response, modifications = nano.send_body(session_id, session_data, chunk, nano.HttpChunkType.HTTP_RESPONSE_BODY)
-- Handle body modifications if any
if modifications then if modifications then
chunk = nano.handle_body_modifications(chunk, modifications, ctx.body_buffer_chunk) chunk = nano.handle_body_modifications(chunk, modifications, ctx.body_buffer_chunk)
ngx.arg[1] = chunk ngx.arg[1] = chunk
@@ -306,10 +298,9 @@ function NanoHandler.body_filter(conf)
ctx.session_finalized = true ctx.session_finalized = true
local result = nano.handle_custom_response(session_data, response) local result = nano.handle_custom_response(session_data, response)
nano.fini_session(session_data) nano.fini_session(session_data)
-- Clean up allocated memory
nano.cleanup_all() nano.cleanup_all()
--collectgarbage("restart") collectgarbage("restart")
--collectgarbage("collect") -- Force immediate collection collectgarbage("collect")
ctx.session_data = nil ctx.session_data = nil
ctx.session_id = nil ctx.session_id = nil
ngx.arg[1] = "" ngx.arg[1] = ""
@@ -317,27 +308,21 @@ function NanoHandler.body_filter(conf)
return result return result
end end
-- Cleanup allocated memory after processing each chunk to prevent accumulation
nano.free_all_responses() nano.free_all_responses()
nano.free_all_nano_str() nano.free_all_nano_str()
end end
-- Handle end of stream
if eof then if eof then
kong.log.err("End of response body stream reached, body_seen: ", tostring(ctx.body_seen), ", expect_body: ", tostring(ctx.expect_body))
-- Always finalize at EOF, whether we saw body chunks or expected no body
if ctx.body_seen or ctx.expect_body == false then if ctx.body_seen or ctx.expect_body == false then
kong.log.err("Ending response body inspection")
local verdict, response = nano.end_inspection(session_id, session_data, nano.HttpChunkType.HTTP_RESPONSE_END) local verdict, response = nano.end_inspection(session_id, session_data, nano.HttpChunkType.HTTP_RESPONSE_END)
if verdict == nano.AttachmentVerdict.DROP then if verdict == nano.AttachmentVerdict.DROP then
ctx.blocked = true ctx.blocked = true
ctx.session_finalized = true ctx.session_finalized = true
local result = nano.handle_custom_response(session_data, response) local result = nano.handle_custom_response(session_data, response)
nano.fini_session(session_data) nano.fini_session(session_data)
-- Clean up allocated memory
nano.cleanup_all() nano.cleanup_all()
-- collectgarbage("restart") collectgarbage("restart")
--collectgarbage("collect") -- Force immediate collection collectgarbage("collect")
ctx.session_data = nil ctx.session_data = nil
ctx.session_id = nil ctx.session_id = nil
ngx.arg[1] = "" ngx.arg[1] = ""
@@ -346,10 +331,9 @@ function NanoHandler.body_filter(conf)
end end
nano.fini_session(session_data) nano.fini_session(session_data)
-- Clean up allocated memory
nano.cleanup_all() nano.cleanup_all()
--collectgarbage("restart") collectgarbage("restart")
--collectgarbage("collect") -- Force immediate collection collectgarbage("collect")
ctx.session_finalized = true ctx.session_finalized = true
ctx.session_data = nil ctx.session_data = nil
ctx.session_id = nil ctx.session_id = nil
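Review bot: In `NanoHandler.access`, the branch where a body is expected but neither `ngx.var.request_body` nor `ngx.var.request_body_file` provides one is now logged with `kong.log.debug`, so a request whose body apparently never reaches `nano.send_body` leaves no trace at any log level above debug; keep it visible with `kong.log.warn("Request body expected but no body data or file available")`. The removed `kong.log.err("Response body inspection verdict: DROP")` in `NanoHandler.body_filter` has a similar effect: unless `nano.handle_custom_response` records the verdict itself (not visible here), the handler no longer logs blocked responses, and a `kong.log.warn` or `kong.log.notice` line would preserve that audit trail. Separately, the commit is titled "remove comments" but it also activates `collectgarbage("restart")` and `collectgarbage("collect")` on every cleanup path of `access` and `body_filter`, which forces a full collection per request in the worker. That behaviour change deserves its own commit message and a load test, and `restart` only makes sense if the collector is stopped somewhere outside these hunks. Both functions begin or continue outside the visible hunks, so these points rest on the shown lines only.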