fix response body

2025-11-20 19:06:41 +03:00 · 2025-11-19 11:51:22 +02:00
parent b1d974cea2
commit 6e5c61b954
3 changed files with 61 additions and 6 deletions
--- a/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua
+++ b/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua
@@ -157,13 +157,10 @@ function NanoHandler.header_filter(conf)
    local status_code = kong.response.get_status()
    local content_length = tonumber(headers["content-length"]) or 0

-    -- For responses that will be streamed in chunks via body_filter, pass 0 content_length
-    -- to prevent nano service from trying to read the entire body at once
-    local nano_content_length = 0
+    kong.log.debug("[header_filter] Session: ", session_id, " | Status: ", status_code, " | Content-Length: ", content_length)

-    kong.log.debug("[header_filter] Session: ", session_id, " | Status: ", status_code, " | Content-Length: ", content_length, " | Nano Content-Length: ", nano_content_length)
-
-    local verdict, response = nano.send_response_headers(session_id, session_data, header_data, status_code, nano_content_length)
+    -- Send response headers WITHOUT content_length (like nginx does)
+    local verdict, response = nano.send_response_headers(session_id, session_data, header_data, status_code, 0)
    if verdict == nano.AttachmentVerdict.DROP then
        kong.log.warn("[header_filter] Response headers verdict DROP for session: ", session_id)
        kong.ctx.plugin.blocked = true
@@ -172,6 +169,16 @@ function NanoHandler.header_filter(conf)
        return nano.handle_custom_response(session_data, response)
    end

+    -- Send content_length separately (like nginx does)
+    verdict, response = nano.send_content_length(session_id, session_data, content_length)
+    if verdict == nano.AttachmentVerdict.DROP then
+        kong.log.warn("[header_filter] Content length verdict DROP for session: ", session_id)
+        kong.ctx.plugin.blocked = true
+        nano.fini_session(session_data)
+        nano.cleanup_all()
+        return nano.handle_custom_response(session_data, response)
+    end
+
    ctx.expect_body = not (status_code == 204 or status_code == 304 or (100 <= status_code and status_code < 200) or content_length == 0)
    
    kong.log.debug("[header_filter] Session: ", session_id, " | Expect body: ", ctx.expect_body)
--- a/attachments/kong/plugins/open-appsec-waf-kong-plugin/lua_attachment_wrapper.c
+++ b/attachments/kong/plugins/open-appsec-waf-kong-plugin/lua_attachment_wrapper.c
@@ -498,6 +498,30 @@ static int lua_send_response_headers(lua_State *L) {
    return 2;
 }

+static int lua_send_content_length(lua_State *L) {
+    NanoAttachment* attachment = (NanoAttachment*) lua_touserdata(L, 1);
+    SessionID session_id = luaL_checkinteger(L, 2);
+    HttpSessionData *session_data = (HttpSessionData*) lua_touserdata(L, 3);
+    uint64_t content_length = luaL_checkinteger(L, 4);
+
+    if (!attachment || !session_data) {
+        lua_pushstring(L, "Error: Invalid attachment or session_data");
+        return lua_error(L);
+    }
+
+    AttachmentData attachment_data;
+    attachment_data.session_id = session_id;
+    attachment_data.session_data = session_data;
+    attachment_data.chunk_type = CONTENT_LENGTH;
+    attachment_data.data = &content_length;
+
+    AttachmentVerdictResponse* res_ptr = malloc(sizeof(AttachmentVerdictResponse));
+    *res_ptr = SendDataNanoAttachment(attachment, &attachment_data);
+    lua_pushinteger(L, res_ptr->verdict);
+    lua_pushlightuserdata(L, res_ptr);
+    return 2;
+}
+
 static int lua_free_verdict_response(lua_State *L) {
    AttachmentVerdictResponse *response = (AttachmentVerdictResponse *)lua_touserdata(L, 1);
    if (!response) return 0;
@@ -518,6 +542,7 @@ static const struct luaL_Reg nano_attachment_lib[] = {
    {"setHeaderElement", lua_setHeaderElement},
    {"send_data", lua_send_data},
    {"send_response_headers", lua_send_response_headers},
+    {"send_content_length", lua_send_content_length},
    {"fini_session", lua_fini_session},
    {"is_session_finalized", lua_is_session_finalized},
    {"init_session", lua_init_session},
--- a/attachments/kong/plugins/open-appsec-waf-kong-plugin/nano_ffi.lua
+++ b/attachments/kong/plugins/open-appsec-waf-kong-plugin/nano_ffi.lua
@@ -412,6 +412,29 @@ function nano.send_response_headers(session_id, session_data, headers, status_co
    return verdict, response
 end

+function nano.send_content_length(session_id, session_data, content_length)
+    local worker_id = ngx.worker.id()
+    local attachment = nano.attachments[worker_id]
+
+    if not attachment then
+        kong.log.warn("Attachment not available for worker ", worker_id, " - failing open")
+        return nano.AttachmentVerdict.INSPECT
+    end
+
+    local verdict, response = nano_attachment.send_content_length(
+        attachment,
+        session_id,
+        session_data,
+        content_length
+    )
+
+    if response then
+        table.insert(nano.allocated_responses, response)
+    end
+
+    return verdict, response
+end
+
 function nano.handle_header_modifications(headers, modifications)
    if not modifications then
        return headers