diff --git a/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua b/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua index b71b54a..0234c22 100755 --- a/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua +++ b/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua @@ -82,8 +82,6 @@ function NanoHandler.access(conf) kong.ctx.plugin.inspection_complete = true local result = nano.handle_custom_response(session_data, response) nano.fini_session(session_data) - -- Free response AFTER using it, then cleanup all resources - nano.free_response_immediate(response) nano.cleanup_all() kong.ctx.plugin.session_id = nil kong.ctx.plugin.session_data = nil @@ -100,7 +98,6 @@ function NanoHandler.access(conf) kong.ctx.plugin.inspection_complete = true local result = nano.handle_custom_response(session_data, response) nano.fini_session(session_data) - nano.free_response_immediate(response) nano.cleanup_all() kong.ctx.plugin.session_id = nil kong.ctx.plugin.session_data = nil @@ -122,7 +119,6 @@ function NanoHandler.access(conf) kong.ctx.plugin.inspection_complete = true local result = nano.handle_custom_response(session_data, response) nano.fini_session(session_data) - nano.free_response_immediate(response) nano.cleanup_all() kong.ctx.plugin.session_id = nil kong.ctx.plugin.session_data = nil @@ -149,7 +145,6 @@ function NanoHandler.access(conf) kong.ctx.plugin.inspection_complete = true local result = nano.handle_custom_response(session_data, response) nano.fini_session(session_data) - nano.free_response_immediate(response) nano.cleanup_all() kong.ctx.plugin.session_id = nil kong.ctx.plugin.session_data = nil @@ -191,7 +186,6 @@ function NanoHandler.access(conf) kong.ctx.plugin.inspection_complete = true local result = nano.handle_custom_response(session_data, response) nano.fini_session(session_data) - nano.free_response_immediate(response) nano.cleanup_all() kong.ctx.plugin.session_id = nil kong.ctx.plugin.session_data = nil @@ -237,7 +231,6 @@ function NanoHandler.header_filter(conf) ctx.inspection_complete = true local result = nano.handle_custom_response(ctx.session_data, response) nano.fini_session(ctx.session_data) - nano.free_response_immediate(response) nano.cleanup_all() ctx.session_id = nil ctx.session_data = nil @@ -316,7 +309,6 @@ function NanoHandler.body_filter(conf) ctx.inspection_complete = true local result = nano.handle_custom_response(ctx.session_data, response) nano.fini_session(ctx.session_data) - nano.free_response_immediate(response) nano.cleanup_all() ctx.session_id = nil ctx.session_data = nil @@ -360,7 +352,6 @@ function NanoHandler.body_filter(conf) ctx.inspection_complete = true local result = nano.handle_custom_response(ctx.session_data, response) nano.fini_session(ctx.session_data) - nano.free_response_immediate(response) nano.cleanup_all() ctx.session_id = nil ctx.session_data = nil diff --git a/attachments/kong/plugins/open-appsec-waf-kong-plugin/nano_ffi.lua b/attachments/kong/plugins/open-appsec-waf-kong-plugin/nano_ffi.lua index 94c2a5d..1839d5c 100755 --- a/attachments/kong/plugins/open-appsec-waf-kong-plugin/nano_ffi.lua +++ b/attachments/kong/plugins/open-appsec-waf-kong-plugin/nano_ffi.lua @@ -350,10 +350,8 @@ function nano.send_data(session_id, session_data, meta_data, header_data, contai local verdict, response = nano_attachment.send_data(attachment, session_id, session_data, chunk_type, meta_data, header_data, contains_body) - -- For DROP verdicts, caller must manually free response after using it - -- For other verdicts, free immediately - if response and verdict ~= nano.AttachmentVerdict.DROP then - nano.free_response_immediate(response) + if response then + table.insert(nano.allocated_responses, response) end return verdict, response @@ -370,10 +368,8 @@ function nano.send_body(session_id, session_data, body_chunk, chunk_type) local verdict, response, modifications = nano_attachment.send_body(attachment, session_id, session_data, body_chunk, chunk_type) - -- For DROP verdicts, caller must manually free response after using it - -- For other verdicts, free immediately to prevent memory accumulation - if response and verdict ~= nano.AttachmentVerdict.DROP then - nano.free_response_immediate(response) + if response then + table.insert(nano.allocated_responses, response) end return verdict, response, modifications @@ -446,10 +442,8 @@ function nano.send_response_headers(session_id, session_data, headers, status_co content_length ) - -- For DROP verdicts, caller must manually free response after using it - -- For other verdicts, free immediately - if response and verdict ~= nano.AttachmentVerdict.DROP then - nano.free_response_immediate(response) + if response then + table.insert(nano.allocated_responses, response) end return verdict, response @@ -544,10 +538,8 @@ function nano.end_inspection(session_id, session_data, chunk_type) local verdict, response = nano_attachment.end_inspection(attachment, session_id, session_data, chunk_type) - -- For DROP verdicts, caller must manually free response after using it - -- For other verdicts, free immediately - if response and verdict ~= nano.AttachmentVerdict.DROP then - nano.free_response_immediate(response) + if response then + table.insert(nano.allocated_responses, response) end return verdict, response