mirror of
https://github.com/openappsec/attachment.git
synced 2025-12-31 13:49:09 +03:00
Fix kong response body (#49)
* fix large response body * fix large response body * fix response body * fix response body * fix response body * fix response body * fix response body * fix response body * fix response body * fix response body * fix response body * fix response body * fix response body * fix response body * fix response body * fix response body * fix response body * fix response body * fix specific path * return correct path * fresh start * fix send_bodu in lua_attachment_wrapper.c * change branch * add timeout * add timeout * remove the header filter * try chunk hashing * proper fini session * add more check * try setting last chunk * remove finilizing session * return to basic version * proper fini of session data * add some check for internal traffic * envoy functionality... * proper fini session * proper fini session * fini session on accept also * for testing change the log level * remove fini session from header * remove fini session from header * remove fini session from header * remove inpect check * fix wrong close statement * correct inspection_complete handling * fix oom * fix oom * fix oom * fix oom * fix oom * fix init attachment * nano_ffi free memoty * GC implementation * optimize * clean * increase timeout * increase timeout * using is_session_fini, the commit before this one is working ... * returning to last working version ... * just for testing * fix block page * fix block page * fix block page * fix block page * fix block page * fix fini session * add collect(stop) * return to default * fix oom caused by using freed values * fix oom caused by using freed values * add large response body handling * implement timeout * implement timeout * remove GC * testing * add end_inspection * remove comments * ngx.arg[1] = nil * Skip inspection for health checks and internal requests * add new flag for bypass inspections * move ngx.arg[1] to the beginning * try without coolectgarbage * remove internal traffic check * remove internal traffic check * I don't know * I don't know * try add chunk assignment * check why data session is nil in header but availablein body * remove end inspection * remove logs * ctx.timeout_passthrough * remove ctx.timeout_passthrough * add GC * remove the logs * return the logs * last modification.... * add logs * revert to working version * remove stupid cat * fini_session only in log phase * last try * remove processed_requests * remove unused variable * remove nano_ffi changes * add debuging message for testing * get worker workers inside the init_attachmetn * test now * move check * add accept * add accept * remove endinspection * fix typo * get req body in chunks * test body chunks: * add timeout in req body * fixing * add logs for test * fix accept verdic in body_filter * add more logs * fix ngx time * add more logs * add getter functions for timeout * add more logs * ready for review * use right content-length * add missing content-length update * try content-length nil * add nil to header filter * revert shcema changes * try exit in header filter * try content-length nil * remove the test * refuse connection when prevnet occures in response body --------- Co-authored-by: wiaamm <wiaamm@checkpoint.com>
This commit is contained in:
wiaam-mhameed
GitHub
@@ -5,7 +5,6 @@ local nano = {}
|
||||
|
||||
nano.session_counter = 0
|
||||
nano.attachments = {}
|
||||
nano.num_workers = ngx.worker.count() or 1
|
||||
nano.allocated_strings = {}
|
||||
nano.allocate_headers = {}
|
||||
nano.allocated_metadata = {}
|
||||
@@ -82,13 +81,14 @@ function nano.generate_session_id()
|
||||
return tonumber(string.format("%d%05d", worker_id, nano.session_counter))
|
||||
end
|
||||
|
||||
function nano.handle_custom_response(session_data, response)
|
||||
-- Returns: status_code, body, headers
|
||||
function nano.get_custom_response_data(session_data, response)
|
||||
local worker_id = ngx.worker.id()
|
||||
local attachment = nano.attachments[worker_id]
|
||||
|
||||
if not attachment then
|
||||
kong.log.warn("Cannot handle custom response: Attachment not available for worker ", worker_id, " - failing open")
|
||||
return kong.response.exit(200, "Request allowed due to attachment unavailability")
|
||||
return 200, "Request allowed due to attachment unavailability", {}
|
||||
end
|
||||
|
||||
local response_type = nano_attachment.get_web_response_type(attachment, session_data, response)
|
||||
@@ -100,18 +100,19 @@ function nano.handle_custom_response(session_data, response)
|
||||
code = 403
|
||||
end
|
||||
kong.log.debug("Response code only: ", code)
|
||||
return kong.response.exit(code, "")
|
||||
return code, "", {}
|
||||
end
|
||||
|
||||
if response_type == nano.WebResponseType.REDIRECT_WEB_RESPONSE then
|
||||
local location = nano_attachment.get_redirect_page(attachment, session_data, response)
|
||||
return kong.response.exit(307, "", { ["Location"] = location })
|
||||
local code = nano_attachment.get_response_code(response) or 307
|
||||
return code, "", { ["Location"] = location }
|
||||
end
|
||||
|
||||
local block_page = nano_attachment.get_block_page(attachment, session_data, response)
|
||||
if not block_page then
|
||||
kong.log.err("Failed to retrieve custom block page for session ", session_data)
|
||||
return kong.response.exit(500, { message = "Internal Server Error" })
|
||||
kong.log.debug("Failed to retrieve custom block page for session ", session_data)
|
||||
return 403, "", {}
|
||||
end
|
||||
local code = nano_attachment.get_response_code(response)
|
||||
if not code or code < 100 or code > 599 then
|
||||
@@ -119,8 +120,13 @@ function nano.handle_custom_response(session_data, response)
|
||||
code = 403
|
||||
end
|
||||
kong.log.debug("Block page response with code: ", code)
|
||||
return kong.response.exit(code, block_page, { ["Content-Type"] = "text/html" })
|
||||
return code, block_page, { ["Content-Type"] = "text/html" }
|
||||
end
|
||||
|
||||
-- Wrapper for backward compatibility - calls kong.response.exit() in access phase
|
||||
function nano.handle_custom_response(session_data, response)
|
||||
local code, body, headers = nano.get_custom_response_data(session_data, response)
|
||||
return kong.response.exit(code, body, headers)
|
||||
end
|
||||
|
||||
|
||||
@@ -178,15 +184,15 @@ end
|
||||
|
||||
function nano.init_attachment()
|
||||
local worker_id = ngx.worker.id()
|
||||
local num_workers = ngx.worker.count() or 1 -- Get count dynamically
|
||||
local attachment, err
|
||||
local retries = 3
|
||||
|
||||
for attempt = 1, retries do
|
||||
attachment, err = nano_attachment.init_nano_attachment(worker_id, nano.num_workers)
|
||||
attachment, err = nano_attachment.init_nano_attachment(worker_id, num_workers)
|
||||
if attachment then
|
||||
break
|
||||
end
|
||||
|
||||
kong.log.err("Worker ", worker_id, " failed to initialize attachment (attempt ", attempt, "/", retries, "): ", err)
|
||||
end
|
||||
|
||||
@@ -228,8 +234,8 @@ function nano.is_session_finalized(session_data)
|
||||
local attachment = nano.attachments[worker_id]
|
||||
|
||||
if not attachment or not session_data then
|
||||
kong.log.err("Cannot check session finalization: Invalid attachment or session_data")
|
||||
return false
|
||||
kong.log.debug("Cannot check session finalization: Invalid attachment or session_data")
|
||||
return true
|
||||
end
|
||||
|
||||
return nano_attachment.is_session_finalized(attachment, session_data)
|
||||
@@ -256,7 +262,6 @@ function nano.handle_start_transaction()
|
||||
)
|
||||
|
||||
table.insert(nano.allocated_metadata, metadata)
|
||||
|
||||
collectgarbage("stop")
|
||||
|
||||
return metadata
|
||||
@@ -295,7 +300,6 @@ function nano.handleHeaders(headers)
|
||||
end
|
||||
|
||||
nano_attachment.setHeaderCount(header_data, index)
|
||||
|
||||
return header_data
|
||||
end
|
||||
|
||||
@@ -468,7 +472,7 @@ function nano.end_inspection(session_id, session_data, chunk_type)
|
||||
end
|
||||
|
||||
if not session_data then
|
||||
kong.log.err("Cannot end inspection: Invalid session_data for session ", session_id)
|
||||
kong.log.debug("Cannot end inspection: Invalid session_data for session ", session_id)
|
||||
return nano.AttachmentVerdict.INSPECT, nil
|
||||
end
|
||||
|
||||
@@ -481,4 +485,30 @@ function nano.end_inspection(session_id, session_data, chunk_type)
|
||||
return verdict, response
|
||||
end
|
||||
|
||||
return nano
|
||||
function nano.get_request_processing_timeout_sec()
|
||||
local worker_id = ngx.worker.id()
|
||||
local attachment = nano.attachments[worker_id]
|
||||
|
||||
if not attachment then
|
||||
kong.log.warn("Attachment not available for worker ", worker_id, " - using default timeout")
|
||||
return 3
|
||||
end
|
||||
|
||||
local timeout_msec = nano_attachment.get_request_processing_timeout_msec(attachment)
|
||||
return timeout_msec / 1000.0
|
||||
end
|
||||
|
||||
function nano.get_response_processing_timeout_sec()
|
||||
local worker_id = ngx.worker.id()
|
||||
local attachment = nano.attachments[worker_id]
|
||||
|
||||
if not attachment then
|
||||
kong.log.warn("Attachment not available for worker ", worker_id, " - using default timeout")
|
||||
return 3
|
||||
end
|
||||
|
||||
local timeout_msec = nano_attachment.get_response_processing_timeout_msec(attachment)
|
||||
return timeout_msec / 1000.0
|
||||
end
|
||||
|
||||
return nano
|
||||
Reference in New Issue
Block a user