fix block page

2025-12-31 13:49:09 +03:00 · 2025-12-03 10:18:10 +02:00
parent 349c6eea17
commit 8b036e639a
2 changed files with 32 additions and 30 deletions
--- a/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua
+++ b/attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua
@@ -82,6 +82,8 @@ function NanoHandler.access(conf)
        kong.ctx.plugin.inspection_complete = true
        local result = nano.handle_custom_response(session_data, response)
        kong.log.err("Block page result: ", result)
+        -- Free response AFTER using it
+        nano.free_response_immediate(response)
        nano.fini_session(session_data)
        kong.ctx.plugin.session_id = nil
        kong.ctx.plugin.session_data = nil
@@ -98,6 +100,8 @@ function NanoHandler.access(conf)
                kong.ctx.plugin.inspection_complete = true
                local result = nano.handle_custom_response(session_data, response)
                kong.log.err("Block page result: ", result)
+                -- Free response AFTER using it
+                nano.free_response_immediate(response)
                nano.fini_session(session_data)
                kong.ctx.plugin.session_id = nil
                kong.ctx.plugin.session_data = nil
@@ -119,6 +123,8 @@ function NanoHandler.access(conf)
                    kong.ctx.plugin.inspection_complete = true
                    local result = nano.handle_custom_response(session_data, response)
                    kong.log.err("Block page result: ", result)
+                    -- Free response AFTER using it
+                    nano.free_response_immediate(response)
                    nano.fini_session(session_data)
                    kong.ctx.plugin.session_id = nil
                    kong.ctx.plugin.session_data = nil
@@ -145,6 +151,8 @@ function NanoHandler.access(conf)
                                kong.ctx.plugin.inspection_complete = true
                                local result = nano.handle_custom_response(session_data, response)
                                kong.log.err("Block page result: ", result)
+                                -- Free response AFTER using it
+                                nano.free_response_immediate(response)
                                nano.fini_session(session_data)
                                kong.ctx.plugin.session_id = nil
                                kong.ctx.plugin.session_data = nil
@@ -186,6 +194,8 @@ function NanoHandler.access(conf)
        kong.ctx.plugin.inspection_complete = true
        local result = nano.handle_custom_response(session_data, response)
        kong.log.err("Block page result: ", result)
+        -- Free response AFTER using it
+        nano.free_response_immediate(response)
        nano.fini_session(session_data)
        kong.ctx.plugin.session_id = nil
        kong.ctx.plugin.session_data = nil
@@ -231,6 +241,8 @@ function NanoHandler.header_filter(conf)
        ctx.inspection_complete = true
        local result = nano.handle_custom_response(ctx.session_data, response)
        kong.log.err("Block page result: ", result)
+        -- Free response AFTER using it
+        nano.free_response_immediate(response)
        nano.fini_session(ctx.session_data)
        ctx.session_id = nil
        ctx.session_data = nil
@@ -309,8 +321,9 @@ function NanoHandler.body_filter(conf)
                ctx.inspection_complete = true
                local result = nano.handle_custom_response(ctx.session_data, response)
                kong.log.err("Block page result: ", result)
+                -- Free response AFTER using it
+                nano.free_response_immediate(response)
                nano.fini_session(ctx.session_data)
-                collectgarbage("collect")
                ctx.session_id = nil
                ctx.session_data = nil
                return result
@@ -353,8 +366,9 @@ function NanoHandler.body_filter(conf)
                    ctx.inspection_complete = true
                    local result = nano.handle_custom_response(ctx.session_data, response)
                    kong.log.err("Block page result: ", result)
+                    -- Free response AFTER using it
+                    nano.free_response_immediate(response)
                    nano.fini_session(ctx.session_data)
-                    collectgarbage("collect")
                    ctx.session_id = nil
                    ctx.session_data = nil
                    return result
--- a/attachments/kong/plugins/open-appsec-waf-kong-plugin/nano_ffi.lua
+++ b/attachments/kong/plugins/open-appsec-waf-kong-plugin/nano_ffi.lua
@@ -351,12 +351,10 @@ function nano.send_data(session_id, session_data, meta_data, header_data, contai

    local verdict, response = nano_attachment.send_data(attachment, session_id, session_data, chunk_type, meta_data, header_data, contains_body)

-    if response then
-        if verdict == nano.AttachmentVerdict.DROP then
-            table.insert(nano.allocated_responses, response)
-        else
-            nano.free_response_immediate(response)
-        end
+    -- For DROP verdicts, caller must manually free response after using it
+    -- For other verdicts, free immediately
+    if response and verdict ~= nano.AttachmentVerdict.DROP then
+        nano.free_response_immediate(response)
    end

    return verdict, response
@@ -373,16 +371,10 @@ function nano.send_body(session_id, session_data, body_chunk, chunk_type)

    local verdict, response, modifications = nano_attachment.send_body(attachment, session_id, session_data, body_chunk, chunk_type)

-    -- CRITICAL OPTIMIZATION: Free response immediately if not needed for DROP handling
-    -- Only DROP verdicts need the response object for custom response generation
-    if response then
-        if verdict == nano.AttachmentVerdict.DROP then
-            -- Keep response for handle_custom_response() - will be freed in cleanup_all()
-            table.insert(nano.allocated_responses, response)
-        else
-            -- INSPECT or ACCEPT verdict - free immediately to prevent memory accumulation
-            nano.free_response_immediate(response)
-        end
+    -- For DROP verdicts, caller must manually free response after using it
+    -- For other verdicts, free immediately to prevent memory accumulation
+    if response and verdict ~= nano.AttachmentVerdict.DROP then
+        nano.free_response_immediate(response)
    end

    return verdict, response, modifications
@@ -460,12 +452,10 @@ function nano.send_response_headers(session_id, session_data, headers, status_co
        content_length
    )

-    if response then
-        if verdict == nano.AttachmentVerdict.DROP then
-            table.insert(nano.allocated_responses, response)
-        else
-            nano.free_response_immediate(response)
-        end
+    -- For DROP verdicts, caller must manually free response after using it
+    -- For other verdicts, free immediately
+    if response and verdict ~= nano.AttachmentVerdict.DROP then
+        nano.free_response_immediate(response)
    end

    return verdict, response
@@ -560,12 +550,10 @@ function nano.end_inspection(session_id, session_data, chunk_type)

    local verdict, response = nano_attachment.end_inspection(attachment, session_id, session_data, chunk_type)

-    if response then
-        if verdict == nano.AttachmentVerdict.DROP then
-            table.insert(nano.allocated_responses, response)
-        else
-            nano.free_response_immediate(response)
-        end
+    -- For DROP verdicts, caller must manually free response after using it
+    -- For other verdicts, free immediately
+    if response and verdict ~= nano.AttachmentVerdict.DROP then
+        nano.free_response_immediate(response)
    end

    return verdict, response