github_mirrors/attachment
3
0
Fork 1
mirror of https://github.com/openappsec/attachment.git synced 2025-12-31 13:49:09 +03:00
Code Issues Packages Projects Releases Wiki Activity

testing

Browse Source
This commit is contained in:
wiaamm
2025-12-06 17:03:33 +02:00
parent 816683f0b6
commit a518cbe70c
1 changed files with 9 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
attachments/kong/plugins/open-appsec-waf-kong-plugin/handler.lua
View File

@@ -40,8 +40,6 @@ function NanoHandler.access(conf)
kong.log.err("Failed to handle start transaction - failing open") kong.log.err("Failed to handle start transaction - failing open")
nano.fini_session(session_data) nano.fini_session(session_data)
nano.cleanup_all() nano.cleanup_all()
--collectgarbage("restart")
--collectgarbage("collect")
kong.ctx.plugin.session_data = nil kong.ctx.plugin.session_data = nil
kong.ctx.plugin.session_id = nil kong.ctx.plugin.session_id = nil
return return
@@ -52,8 +50,6 @@ function NanoHandler.access(conf)
kong.log.err("Failed to handle request headers - failing open") kong.log.err("Failed to handle request headers - failing open")
nano.fini_session(session_data) nano.fini_session(session_data)
nano.cleanup_all() nano.cleanup_all()
--collectgarbage("restart")
--collectgarbage("collect")
kong.ctx.plugin.session_data = nil kong.ctx.plugin.session_data = nil
kong.ctx.plugin.session_id = nil kong.ctx.plugin.session_id = nil
return return
@@ -68,7 +64,6 @@ function NanoHandler.access(conf)
local result = nano.handle_custom_response(session_data, response) local result = nano.handle_custom_response(session_data, response)
nano.fini_session(session_data) nano.fini_session(session_data)
nano.cleanup_all() nano.cleanup_all()
--collectgarbage("restart")
kong.ctx.plugin.session_data = nil kong.ctx.plugin.session_data = nil
kong.ctx.plugin.session_id = nil kong.ctx.plugin.session_id = nil
return result return result
@@ -83,24 +78,22 @@ function NanoHandler.access(conf)
local result = nano.handle_custom_response(session_data, response) local result = nano.handle_custom_response(session_data, response)
nano.fini_session(session_data) nano.fini_session(session_data)
nano.cleanup_all() nano.cleanup_all()
--collectgarbage("restart")
kong.ctx.plugin.session_data = nil kong.ctx.plugin.session_data = nil
kong.ctx.plugin.session_id = nil kong.ctx.plugin.session_id = nil
return result return result
end end
else else
kong.log.err("Request body not in memory, attempting to read from buffer/file") kong.log.debug("Request body not in memory, attempting to read from buffer/file")
local body_data = ngx.var.request_body local body_data = ngx.var.request_body
if body_data and #body_data > 0 then if body_data and #body_data > 0 then
kong.log.err("Found request body in nginx var, size: ", #body_data) kong.log.debug("Found request body in nginx var, size: ", #body_data)
verdict, response = nano.send_body(session_id, session_data, body_data, nano.HttpChunkType.HTTP_REQUEST_BODY) verdict, response = nano.send_body(session_id, session_data, body_data, nano.HttpChunkType.HTTP_REQUEST_BODY)
if verdict == nano.AttachmentVerdict.DROP then if verdict == nano.AttachmentVerdict.DROP then
kong.ctx.plugin.blocked = true kong.ctx.plugin.blocked = true
local result = nano.handle_custom_response(session_data, response) local result = nano.handle_custom_response(session_data, response)
nano.fini_session(session_data) nano.fini_session(session_data)
nano.cleanup_all() nano.cleanup_all()
--collectgarbage("restart")
kong.ctx.plugin.session_data = nil kong.ctx.plugin.session_data = nil
kong.ctx.plugin.session_id = nil kong.ctx.plugin.session_id = nil
return result return result
@@ -108,7 +101,7 @@ function NanoHandler.access(conf)
else else
local body_file = ngx.var.request_body_file local body_file = ngx.var.request_body_file
if body_file then if body_file then
kong.log.err("Reading request body from file: ", body_file) kong.log.debug("Reading request body from file: ", body_file)
local file = io.open(body_file, "rb") local file = io.open(body_file, "rb")
if file then if file then
local entire_body = file:read("*all") local entire_body = file:read("*all")
@@ -117,24 +110,23 @@ function NanoHandler.access(conf)
if not entire_body then if not entire_body then
kong.log.err("Failed to read body file: ", body_file) kong.log.err("Failed to read body file: ", body_file)
elseif entire_body and #entire_body > 0 then elseif entire_body and #entire_body > 0 then
kong.log.err("Sending entire body of size ", #entire_body, " bytes to C module") kong.log.debug("Sending entire body of size ", #entire_body, " bytes to C module")
verdict, response = nano.send_body(session_id, session_data, entire_body, nano.HttpChunkType.HTTP_REQUEST_BODY) verdict, response = nano.send_body(session_id, session_data, entire_body, nano.HttpChunkType.HTTP_REQUEST_BODY)
if verdict == nano.AttachmentVerdict.DROP then if verdict == nano.AttachmentVerdict.DROP then
kong.ctx.plugin.blocked = true kong.ctx.plugin.blocked = true
local result = nano.handle_custom_response(session_data, response) local result = nano.handle_custom_response(session_data, response)
nano.fini_session(session_data) nano.fini_session(session_data)
nano.cleanup_all() nano.cleanup_all()
collectgarbage("restart")
kong.ctx.plugin.session_data = nil kong.ctx.plugin.session_data = nil
kong.ctx.plugin.session_id = nil kong.ctx.plugin.session_id = nil
return result return result
end end
else else
kong.log.err("Empty body file") kong.log.debug("Empty body file")
end end
end end
else else
kong.log.err("Request body expected but no body data or file available") kong.log.warn("Request body expected but no body data or file available")
end end
end end
end end
@@ -148,7 +140,6 @@ function NanoHandler.access(conf)
kong.log.err("Error ending request inspection: ", pcall_verdict, " - failing open") kong.log.err("Error ending request inspection: ", pcall_verdict, " - failing open")
nano.fini_session(session_data) nano.fini_session(session_data)
nano.cleanup_all() nano.cleanup_all()
--collectgarbage("restart")
kong.ctx.plugin.session_data = nil kong.ctx.plugin.session_data = nil
kong.ctx.plugin.session_id = nil kong.ctx.plugin.session_id = nil
return return
@@ -161,7 +152,6 @@ function NanoHandler.access(conf)
local result = nano.handle_custom_response(session_data, response) local result = nano.handle_custom_response(session_data, response)
nano.fini_session(session_data) nano.fini_session(session_data)
nano.cleanup_all() nano.cleanup_all()
--collectgarbage("restart")
kong.ctx.plugin.session_data = nil kong.ctx.plugin.session_data = nil
kong.ctx.plugin.session_id = nil kong.ctx.plugin.session_id = nil
return result return result
@@ -173,7 +163,6 @@ function NanoHandler.access(conf)
local result = nano.handle_custom_response(session_data, response) local result = nano.handle_custom_response(session_data, response)
nano.fini_session(session_data) nano.fini_session(session_data)
nano.cleanup_all() nano.cleanup_all()
--collectgarbage("restart")
kong.ctx.plugin.session_data = nil kong.ctx.plugin.session_data = nil
kong.ctx.plugin.session_id = nil kong.ctx.plugin.session_id = nil
return result return result
@@ -232,44 +221,22 @@ function NanoHandler.body_filter(conf)
local session_data = ctx.session_data local session_data = ctx.session_data
if not session_id or not session_data or ctx.session_finalized then if not session_id or not session_data or ctx.session_finalized then
kong.log.err("No session data found or session already finalized in body_filter")
return return
end end
-- Initialize timeout tracking on first call
if not ctx.body_filter_start_time then
kong.log.err("Initializing body filter start time")
ctx.body_filter_start_time = ngx.now()
end
-- Check for timeout (150 seconds)
local elapsed_time = ngx.now() - ctx.body_filter_start_time
if elapsed_time > 150 then
kong.log.err("Body filter timeout after ", elapsed_time, " seconds - failing open")
nano.fini_session(session_data)
nano.cleanup_all()
-- collectgarbage("restart")
-- collectgarbage("collect") -- Force immediate collection
ctx.session_finalized = true
ctx.session_data = nil
ctx.session_id = nil
return
end
-- Get current chunk only, not entire body -- Get current chunk only, not entire body
local chunk = ngx.arg[1] local chunk = ngx.arg[1]
local eof = ngx.arg[2] local eof = ngx.arg[2]
if chunk and #chunk > 0 then if chunk and #chunk > 0 then
-- Initialize if not exists
ctx.body_buffer_chunk = ctx.body_buffer_chunk or 0
kong.log.err("Processing response body chunk #", ctx.body_buffer_chunk, " bytes, EOF: ", tostring(eof))
ctx.body_seen = true ctx.body_seen = true
-- Process chunk by chunk to avoid loading entire large body into memory -- Process chunk by chunk to avoid loading entire large body into memory
local verdict, response, modifications = nano.send_body(session_id, session_data, chunk, nano.HttpChunkType.HTTP_RESPONSE_BODY) local verdict, response, modifications = nano.send_body(session_id, session_data, chunk, nano.HttpChunkType.HTTP_RESPONSE_BODY)
-- Initialize if not exists
ctx.body_buffer_chunk = ctx.body_buffer_chunk or 0
-- Handle body modifications if any -- Handle body modifications if any
if modifications then if modifications then
chunk = nano.handle_body_modifications(chunk, modifications, ctx.body_buffer_chunk) chunk = nano.handle_body_modifications(chunk, modifications, ctx.body_buffer_chunk)
@@ -285,8 +252,6 @@ function NanoHandler.body_filter(conf)
nano.fini_session(session_data) nano.fini_session(session_data)
-- Clean up allocated memory -- Clean up allocated memory
nano.cleanup_all() nano.cleanup_all()
--collectgarbage("restart")
--collectgarbage("collect") -- Force immediate collection
ctx.session_data = nil ctx.session_data = nil
ctx.session_id = nil ctx.session_id = nil
ngx.arg[1] = "" ngx.arg[1] = ""
@@ -301,10 +266,7 @@ function NanoHandler.body_filter(conf)
-- Handle end of stream -- Handle end of stream
if eof then if eof then
kong.log.err("End of response body stream reached, body_seen: ", tostring(ctx.body_seen), ", expect_body: ", tostring(ctx.expect_body))
-- Always finalize at EOF, whether we saw body chunks or expected no body
if ctx.body_seen or ctx.expect_body == false then if ctx.body_seen or ctx.expect_body == false then
kong.log.err("Ending response body inspection")
local verdict, response = nano.end_inspection(session_id, session_data, nano.HttpChunkType.HTTP_RESPONSE_END) local verdict, response = nano.end_inspection(session_id, session_data, nano.HttpChunkType.HTTP_RESPONSE_END)
if verdict == nano.AttachmentVerdict.DROP then if verdict == nano.AttachmentVerdict.DROP then
ctx.blocked = true ctx.blocked = true
@@ -313,8 +275,6 @@ function NanoHandler.body_filter(conf)
nano.fini_session(session_data) nano.fini_session(session_data)
-- Clean up allocated memory -- Clean up allocated memory
nano.cleanup_all() nano.cleanup_all()
-- collectgarbage("restart")
--collectgarbage("collect") -- Force immediate collection
ctx.session_data = nil ctx.session_data = nil
ctx.session_id = nil ctx.session_id = nil
ngx.arg[1] = "" ngx.arg[1] = ""
@@ -325,8 +285,6 @@ function NanoHandler.body_filter(conf)
nano.fini_session(session_data) nano.fini_session(session_data)
-- Clean up allocated memory -- Clean up allocated memory
nano.cleanup_all() nano.cleanup_all()
--collectgarbage("restart")
--collectgarbage("collect") -- Force immediate collection
ctx.session_finalized = true ctx.session_finalized = true
ctx.session_data = nil ctx.session_data = nil
ctx.session_id = nil ctx.session_id = nil