From 83b3b0af0a33062200790f0bea05937204411c20 Mon Sep 17 00:00:00 2001 From: wiaamm Date: Sat, 6 Dec 2025 13:40:00 +0200 Subject: [PATCH] fix oom caused by using freed values --- .../open-appsec-waf-kong-plugin/handler.lua | 80 +++++++++++++++---- .../open-appsec-waf-kong-plugin/nano_ffi.lua | 11 +++ 2 files changed, 76 insertions(+), 15 deletions(-) diff --git a/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua b/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua index 66f14f6..41dd5d5 100755 --- a/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua +++ b/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua @@ -37,21 +37,35 @@ function NanoHandler.access(conf) local meta_data = nano.handle_start_transaction() if not meta_data then - kong.log.err("Failed to handle start transaction - failing open") + kong.log.err("Failed to handle start transaction - failing open") + nano.fini_session(session_data) + nano.cleanup_all() + kong.ctx.plugin.session_data = nil + kong.ctx.plugin.session_id = nil return end local req_headers = nano.handleHeaders(headers) + if not req_headers then + kong.log.err("Failed to handle request headers - failing open") + nano.fini_session(session_data) + nano.cleanup_all() + kong.ctx.plugin.session_data = nil + kong.ctx.plugin.session_id = nil + return + end local has_content_length = tonumber(ngx.var.http_content_length) and tonumber(ngx.var.http_content_length) > 0 local contains_body = has_content_length and 1 or 0 local verdict, response = nano.send_data(session_id, session_data, meta_data, req_headers, contains_body, nano.HttpChunkType.HTTP_REQUEST_FILTER) if verdict == nano.AttachmentVerdict.DROP then - nano.fini_session(session_data) kong.ctx.plugin.blocked = true local result = nano.handle_custom_response(session_data, response) + nano.fini_session(session_data) nano.cleanup_all() + kong.ctx.plugin.session_data = nil + kong.ctx.plugin.session_id = nil return result end @@ -60,10 +74,12 @@ function NanoHandler.access(conf) if body and #body > 0 then verdict, response = nano.send_body(session_id, session_data, body, nano.HttpChunkType.HTTP_REQUEST_BODY) if verdict == nano.AttachmentVerdict.DROP then - nano.fini_session(session_data) kong.ctx.plugin.blocked = true local result = nano.handle_custom_response(session_data, response) + nano.fini_session(session_data) nano.cleanup_all() + kong.ctx.plugin.session_data = nil + kong.ctx.plugin.session_id = nil return result end else @@ -74,9 +90,13 @@ function NanoHandler.access(conf) kong.log.debug("Found request body in nginx var, size: ", #body_data) verdict, response = nano.send_body(session_id, session_data, body_data, nano.HttpChunkType.HTTP_REQUEST_BODY) if verdict == nano.AttachmentVerdict.DROP then - nano.fini_session(session_data) kong.ctx.plugin.blocked = true - return nano.handle_custom_response(session_data, response) + local result = nano.handle_custom_response(session_data, response) + nano.fini_session(session_data) + nano.cleanup_all() + kong.ctx.plugin.session_data = nil + kong.ctx.plugin.session_id = nil + return result end else local body_file = ngx.var.request_body_file @@ -87,14 +107,18 @@ function NanoHandler.access(conf) local entire_body = file:read("*all") file:close() - if entire_body and #entire_body > 0 then + if not entire_body then + kong.log.err("Failed to read body file: ", body_file) + elseif entire_body and #entire_body > 0 then kong.log.debug("Sending entire body of size ", #entire_body, " bytes to C module") verdict, response = nano.send_body(session_id, session_data, entire_body, nano.HttpChunkType.HTTP_REQUEST_BODY) if verdict == nano.AttachmentVerdict.DROP then - nano.fini_session(session_data) kong.ctx.plugin.blocked = true local result = nano.handle_custom_response(session_data, response) + nano.fini_session(session_data) nano.cleanup_all() + kong.ctx.plugin.session_data = nil + kong.ctx.plugin.session_id = nil return result end else @@ -107,31 +131,40 @@ function NanoHandler.access(conf) end end - local ok, verdict, response = pcall(function() + local verdict, respopcall_verdictnse = nano.AttachmentVerdict.INSPECT, nil + local ok, , pcall_response = pcall(function() return nano.end_inspection(session_id, session_data, nano.HttpChunkType.HTTP_REQUEST_END) end) if not ok then - kong.log.err("Error ending request inspection: ", verdict, " - failing open") + kong.log.err("Error ending request inspection: ", pcall_verdict, " - failing open")open") nano.fini_session(session_data) nano.cleanup_all() + kong.ctx.plugin.session_data = nil + kong.ctx.plugin.session_id = nil return end + verdict, response = pcall_verdict, pcall_response + if verdict == nano.AttachmentVerdict.DROP then - nano.fini_session(session_data) kong.ctx.plugin.blocked = true local result = nano.handle_custom_response(session_data, response) + nano.fini_session(session_data) nano.cleanup_all() + kong.ctx.plugin.session_data = nil + kong.ctx.plugin.session_id = nil return result end else verdict, response = nano.end_inspection(session_id, session_data, nano.HttpChunkType.HTTP_REQUEST_END) if verdict == nano.AttachmentVerdict.DROP then - nano.fini_session(session_data) kong.ctx.plugin.blocked = true local result = nano.handle_custom_response(session_data, response) + nano.fini_session(session_data) nano.cleanup_all() + kong.ctx.plugin.session_data = nil + kong.ctx.plugin.session_id = nil return result end end @@ -155,15 +188,24 @@ function NanoHandler.header_filter(conf) local headers = kong.response.get_headers() local header_data = nano.handleHeaders(headers) + + if not header_data then + kong.log.err("Failed to handle response headers - failing open") + return + end + local status_code = kong.response.get_status() local content_length = tonumber(headers["content-length"]) or 0 local verdict, response = nano.send_response_headers(session_id, session_data, header_data, status_code, content_length) if verdict == nano.AttachmentVerdict.DROP then kong.ctx.plugin.blocked = true + local result = nano.handle_custom_response(session_data, response) nano.fini_session(session_data) nano.cleanup_all() - return nano.handle_custom_response(session_data, response) + kong.ctx.plugin.session_data = nil + kong.ctx.plugin.session_id = nil + return result end ctx.expect_body = not (status_code == 204 or status_code == 304 or (100 <= status_code and status_code < 200) or content_length == 0) @@ -184,7 +226,7 @@ function NanoHandler.body_filter(conf) local body = kong.response.get_raw_body() - if body then + if body and #body > 0 then ctx.body_seen = true local verdict, response, modifications = nano.send_body(session_id, session_data, body, nano.HttpChunkType.HTTP_RESPONSE_BODY) @@ -200,11 +242,14 @@ function NanoHandler.body_filter(conf) ctx.body_buffer_chunk = ctx.body_buffer_chunk + 1 if verdict == nano.AttachmentVerdict.DROP then - nano.fini_session(session_data) + ctx.blocked = true ctx.session_finalized = true local result = nano.handle_custom_response(session_data, response) + nano.fini_session(session_data) -- Clean up allocated memory nano.cleanup_all() + ctx.session_data = nil + ctx.session_id = nil return result end return @@ -213,11 +258,14 @@ function NanoHandler.body_filter(conf) if ctx.body_seen or ctx.expect_body == false then local verdict, response = nano.end_inspection(session_id, session_data, nano.HttpChunkType.HTTP_RESPONSE_END) if verdict == nano.AttachmentVerdict.DROP then - nano.fini_session(session_data) + ctx.blocked = true ctx.session_finalized = true local result = nano.handle_custom_response(session_data, response) + nano.fini_session(session_data) -- Clean up allocated memory nano.cleanup_all() + ctx.session_data = nil + ctx.session_id = nil return result end @@ -225,6 +273,8 @@ function NanoHandler.body_filter(conf) -- Clean up allocated memory nano.cleanup_all() ctx.session_finalized = true + ctx.session_data = nil + ctx.session_id = nil end end diff --git a/attachments/kong/plugins/open-appsec-waf-kong-plugin/nano_ffi.lua b/attachments/kong/plugins/open-appsec-waf-kong-plugin/nano_ffi.lua index eec1213..d8049dc 100755 --- a/attachments/kong/plugins/open-appsec-waf-kong-plugin/nano_ffi.lua +++ b/attachments/kong/plugins/open-appsec-waf-kong-plugin/nano_ffi.lua @@ -91,6 +91,11 @@ function nano.handle_custom_response(session_data, response) return kong.response.exit(200, "Request allowed due to attachment unavailability") end + if not session_data or not response then + kong.log.err("Invalid session_data or response in handle_custom_response") + return kong.response.exit(500, "Internal Server Error") + end + local response_type = nano_attachment.get_web_response_type(attachment, session_data, response) if response_type == nano.WebResponseType.RESPONSE_CODE_ONLY then @@ -264,6 +269,12 @@ end function nano.handleHeaders(headers) local header_data = nano_attachment.allocHttpHeaders() + + if not header_data then + kong.log.err("Failed to allocate HTTP headers") + return nil + end + table.insert(nano.allocate_headers, header_data) local index = 0