From 6180aea3d4c12a6b4a7c207e8f026443e6e6cca7 Mon Sep 17 00:00:00 2001
From: wiaamm <wiaamm@checkpoint.com>
Date: Mon, 24 Nov 2025 09:55:57 +0200
Subject: [PATCH] fix specific path

---
 .../open-appsec-waf-kong-plugin/handler.lua   | 31 +++++++++++++++++++
 .../open-appsec-waf-kong-plugin/schema.lua    |  1 +
 2 files changed, 32 insertions(+)

diff --git a/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua b/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua
index 5b2a269..fffd1df 100755
--- a/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua
+++ b/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua
@@ -165,6 +165,11 @@ function NanoHandler.header_filter(conf)
     end
 
     ctx.expect_body = not (status_code == 204 or status_code == 304 or (100 <= status_code and status_code < 200) or content_length == 0)
+    
+    -- Initialize response body processing start time for timeout tracking
+    if ctx.expect_body then
+        ctx.res_body_start_time = ngx.now() * 1000  -- Convert to milliseconds
+    end
 end
 
 function NanoHandler.body_filter(conf)
@@ -183,10 +188,27 @@ function NanoHandler.body_filter(conf)
     local chunk = ngx.arg[1]
     local eof   = ngx.arg[2]
 
+    -- Check if response body processing has timed out
+    if ctx.res_body_start_time and not ctx.res_body_timeout_triggered then
+        local elapsed_time = (ngx.now() * 1000) - ctx.res_body_start_time
+        local timeout = conf.res_body_thread_timeout_msec or 150
+        
+        if elapsed_time > timeout then
+            ctx.res_body_timeout_triggered = true
+            kong.log.warn("Response body processing timeout exceeded (", elapsed_time, "ms > ", timeout, "ms). Failing open - skipping body inspection.")
+        end
+    end
+
     -- Handle body chunks
     if chunk and #chunk > 0 then
         ctx.body_seen = true
 
+        -- If timeout triggered, skip nano inspection and just pass through
+        if ctx.res_body_timeout_triggered then
+            -- Just pass the chunk through without inspection
+            return
+        end
+
         -- Initialize chunk index if not exists
         if not ctx.body_buffer_chunk then
             ctx.body_buffer_chunk = 0
@@ -218,6 +240,15 @@ function NanoHandler.body_filter(conf)
     -- Handle end of response
     if eof then
         if ctx.body_seen or ctx.expect_body == false then
+            -- If timeout was triggered, finalize without sending end inspection
+            if ctx.res_body_timeout_triggered then
+                nano.fini_session(session_data)
+                nano.cleanup_all()
+                ctx.session_finalized = true
+                kong.log.debug("Response body inspection skipped due to timeout. Session finalized.")
+                return
+            end
+            
             local verdict, response = nano.end_inspection(session_id, session_data, nano.HttpChunkType.HTTP_RESPONSE_END)
             if verdict == nano.AttachmentVerdict.DROP then
                 nano.fini_session(session_data)
diff --git a/attachments/kong/plugins/open-appsec-waf-kong-plugin/schema.lua b/attachments/kong/plugins/open-appsec-waf-kong-plugin/schema.lua
index 0d722ee..60ebcdd 100755
--- a/attachments/kong/plugins/open-appsec-waf-kong-plugin/schema.lua
+++ b/attachments/kong/plugins/open-appsec-waf-kong-plugin/schema.lua
@@ -16,6 +16,7 @@ return {
         type = "record",
         fields = {
           { debug = { type = "boolean", default = false } },
+          { res_body_thread_timeout_msec = { type = "number", default = 150, gt = 0 } },
         },
       },
     },