github_mirrors/attachment
3
0
Fork 1
mirror of https://github.com/openappsec/attachment.git synced 2025-11-21 03:16:41 +03:00
Code Issues Packages Projects Releases Wiki Activity

fix response body

Browse Source
This commit is contained in:
wiaamm
2025-11-19 11:51:22 +02:00
parent b1d974cea2
commit 6e5c61b954
3 changed files with 61 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua
View File

@@ -157,13 +157,10 @@ function NanoHandler.header_filter(conf)
local status_code = kong.response.get_status() local status_code = kong.response.get_status()
local content_length = tonumber(headers["content-length"]) or 0 local content_length = tonumber(headers["content-length"]) or 0
-- For responses that will be streamed in chunks via body_filter, pass 0 content_length kong.log.debug("[header_filter] Session: ", session_id, " | Status: ", status_code, " | Content-Length: ", content_length)
-- to prevent nano service from trying to read the entire body at once
local nano_content_length = 0
kong.log.debug("[header_filter] Session: ", session_id, " | Status: ", status_code, " | Content-Length: ", content_length, " | Nano Content-Length: ", nano_content_length) -- Send response headers WITHOUT content_length (like nginx does)
local verdict, response = nano.send_response_headers(session_id, session_data, header_data, status_code, 0)
local verdict, response = nano.send_response_headers(session_id, session_data, header_data, status_code, nano_content_length)
if verdict == nano.AttachmentVerdict.DROP then if verdict == nano.AttachmentVerdict.DROP then
kong.log.warn("[header_filter] Response headers verdict DROP for session: ", session_id) kong.log.warn("[header_filter] Response headers verdict DROP for session: ", session_id)
kong.ctx.plugin.blocked = true kong.ctx.plugin.blocked = true
@@ -172,6 +169,16 @@ function NanoHandler.header_filter(conf)
return nano.handle_custom_response(session_data, response) return nano.handle_custom_response(session_data, response)
end end
-- Send content_length separately (like nginx does)
verdict, response = nano.send_content_length(session_id, session_data, content_length)
if verdict == nano.AttachmentVerdict.DROP then
kong.log.warn("[header_filter] Content length verdict DROP for session: ", session_id)
kong.ctx.plugin.blocked = true
nano.fini_session(session_data)
nano.cleanup_all()
return nano.handle_custom_response(session_data, response)
end
ctx.expect_body = not (status_code == 204 or status_code == 304 or (100 <= status_code and status_code < 200) or content_length == 0) ctx.expect_body = not (status_code == 204 or status_code == 304 or (100 <= status_code and status_code < 200) or content_length == 0)
kong.log.debug("[header_filter] Session: ", session_id, " | Expect body: ", ctx.expect_body) kong.log.debug("[header_filter] Session: ", session_id, " | Expect body: ", ctx.expect_body)

25
attachments/kong/plugins/open-appsec-waf-kong-plugin/lua_attachment_wrapper.c
View File

@@ -498,6 +498,30 @@ static int lua_send_response_headers(lua_State *L) {
return 2; return 2;
} }
static int lua_send_content_length(lua_State *L) {
NanoAttachment* attachment = (NanoAttachment*) lua_touserdata(L, 1);
SessionID session_id = luaL_checkinteger(L, 2);
HttpSessionData *session_data = (HttpSessionData*) lua_touserdata(L, 3);
uint64_t content_length = luaL_checkinteger(L, 4);
if (!attachment || !session_data) {
lua_pushstring(L, "Error: Invalid attachment or session_data");
return lua_error(L);
}
AttachmentData attachment_data;
attachment_data.session_id = session_id;
attachment_data.session_data = session_data;
attachment_data.chunk_type = CONTENT_LENGTH;
attachment_data.data = &content_length;
AttachmentVerdictResponse* res_ptr = malloc(sizeof(AttachmentVerdictResponse));
*res_ptr = SendDataNanoAttachment(attachment, &attachment_data);
lua_pushinteger(L, res_ptr->verdict);
lua_pushlightuserdata(L, res_ptr);
return 2;
}
static int lua_free_verdict_response(lua_State *L) { static int lua_free_verdict_response(lua_State *L) {
AttachmentVerdictResponse *response = (AttachmentVerdictResponse *)lua_touserdata(L, 1); AttachmentVerdictResponse *response = (AttachmentVerdictResponse *)lua_touserdata(L, 1);
if (!response) return 0; if (!response) return 0;
@@ -518,6 +542,7 @@ static const struct luaL_Reg nano_attachment_lib[] = {
{"setHeaderElement", lua_setHeaderElement}, {"setHeaderElement", lua_setHeaderElement},
{"send_data", lua_send_data}, {"send_data", lua_send_data},
{"send_response_headers", lua_send_response_headers}, {"send_response_headers", lua_send_response_headers},
{"send_content_length", lua_send_content_length},
{"fini_session", lua_fini_session}, {"fini_session", lua_fini_session},
{"is_session_finalized", lua_is_session_finalized}, {"is_session_finalized", lua_is_session_finalized},
{"init_session", lua_init_session}, {"init_session", lua_init_session},

23
attachments/kong/plugins/open-appsec-waf-kong-plugin/nano_ffi.lua
View File

@@ -412,6 +412,29 @@ function nano.send_response_headers(session_id, session_data, headers, status_co
return verdict, response return verdict, response
end end
function nano.send_content_length(session_id, session_data, content_length)
local worker_id = ngx.worker.id()
local attachment = nano.attachments[worker_id]
if not attachment then
kong.log.warn("Attachment not available for worker ", worker_id, " - failing open")
return nano.AttachmentVerdict.INSPECT
end
local verdict, response = nano_attachment.send_content_length(
attachment,
session_id,
session_data,
content_length
)
if response then
table.insert(nano.allocated_responses, response)
end
return verdict, response
end
function nano.handle_header_modifications(headers, modifications) function nano.handle_header_modifications(headers, modifications)
if not modifications then if not modifications then
return headers return headers