github_mirrors/attachment
3
0
Fork 1
mirror of https://github.com/openappsec/attachment.git synced 2025-06-28 16:41:03 +03:00
Code Issues Packages Projects Releases Wiki Activity
attachment/attachments/kong/handler.lua
Daniel-Eisenberg 882dc4c187
Add kong plugin (#36) 
* add kong plugin to open-appsec

* fix url in rockspec file

* add the attachment prefix to the paths

* check

* fix branch

---------

Co-authored-by: wiaamm <wiaamm@checkpoint.com>
2025-06-24 14:58:41 +03:00

172 lines
6.1 KiB
Lua
Executable File
Raw Blame History

local nano = require "kong.plugins.open-appsec-waf-kong-plugin.nano_ffi"
local kong = kong
local NanoHandler = {}
NanoHandler.PRIORITY = 3000
NanoHandler.VERSION = "1.0.0"
NanoHandler.sessions = {}
NanoHandler.processed_requests = {} -- Track processed requests
-- **Handles worker initialization**
function NanoHandler.init_worker()
nano.init_attachment()
end
-- **Handles Request Headers (DecodeHeaders Equivalent)**
function NanoHandler.access(conf)
local headers = kong.request.get_headers()
local session_id = nano.generate_session_id()
kong.service.request.set_header("x-session-id", tostring(session_id))
if NanoHandler.processed_requests[session_id] then
kong.ctx.plugin.blocked = true
return
end
local session_data = nano.init_session(session_id)
if not session_data then
kong.log.err("Failed to initialize session")
kong.ctx.plugin.blocked = true
return kong.response.exit(500, { message = "Session Initialization Failed" })
end
kong.ctx.plugin.session_data = session_data
kong.ctx.plugin.session_id = session_id
local meta_data = nano.handle_start_transaction()
local req_headers = nano.handleHeaders(headers)
local has_content_length = tonumber(ngx.var.http_content_length) and tonumber(ngx.var.http_content_length) > 0
local contains_body = has_content_length and 1 or 0
local verdict, response = nano.send_data(session_id, session_data, meta_data, req_headers, contains_body, nano.HttpChunkType.HTTP_REQUEST_FILTER)
if verdict == nano.AttachmentVerdict.DROP then
nano.fini_session(session_data)
kong.ctx.plugin.blocked = true
return nano.handle_custom_response(session_data, response)
end
if contains_body == 1 then
local body = kong.request.get_raw_body()
if body and #body > 0 then
verdict, response = nano.send_body(session_id, session_data, body, nano.HttpChunkType.HTTP_REQUEST_BODY)
if verdict == nano.AttachmentVerdict.DROP then
nano.fini_session(session_data)
kong.ctx.plugin.blocked = true
return nano.handle_custom_response(session_data, response)
end
end
local ok, verdict, response = pcall(function()
return nano.end_inspection(session_id, session_data, nano.HttpChunkType.HTTP_REQUEST_END)
end)
if not ok then
kong.log.err("Error ending request inspection: ", verdict)
nano.fini_session(session_data)
kong.ctx.plugin.blocked = true
return kong.response.exit(500, { message = "Error completing request processing" })
end
if verdict == nano.AttachmentVerdict.DROP then
nano.fini_session(session_data)
kong.ctx.plugin.blocked = true
return nano.handle_custom_response(session_data, response)
end
else
verdict, response = nano.end_inspection(session_id, session_data, nano.HttpChunkType.HTTP_REQUEST_END)
if verdict == nano.AttachmentVerdict.DROP then
nano.fini_session(session_data)
kong.ctx.plugin.blocked = true
return nano.handle_custom_response(session_data, response)
end
end
NanoHandler.processed_requests[session_id] = true
end
function NanoHandler.header_filter(conf)
local ctx = kong.ctx.plugin
if ctx.blocked then
return
end
local session_id = ctx.session_id
local session_data = ctx.session_data
if not session_id or not session_data then
kong.log.err("No session data found in header_filter")
return
end
local headers = kong.response.get_headers()
local header_data = nano.handleHeaders(headers)
local status_code = kong.response.get_status()
local content_length = tonumber(headers["content-length"]) or 0
local verdict, response = nano.send_response_headers(session_id, session_data, header_data, status_code, content_length)
if verdict == nano.AttachmentVerdict.DROP then
kong.ctx.plugin.blocked = true
nano.fini_session(session_data)
return nano.handle_custom_response(session_data, response)
end
ctx.expect_body = not (status_code == 204 or status_code == 304 or (100 <= status_code and status_code < 200) or content_length == 0)
end
function NanoHandler.body_filter(conf)
local ctx = kong.ctx.plugin
if ctx.blocked then
return
end
local session_id = ctx.session_id
local session_data = ctx.session_data
if not session_id or not session_data or ctx.session_finalized then
return
end
local body = kong.response.get_raw_body()
if body then
ctx.body_seen = true
local verdict, response, modifications = nano.send_body(session_id, session_data, body, nano.HttpChunkType.HTTP_RESPONSE_BODY)
-- Initialize if not exists
ctx.body_buffer_chunk = ctx.body_buffer_chunk or 0
-- Handle body modifications if any
if modifications then
body = nano.handle_body_modifications(body, modifications, ctx.body_buffer_chunk)
kong.response.set_raw_body(body)
end
ctx.body_buffer_chunk = ctx.body_buffer_chunk + 1
if verdict == nano.AttachmentVerdict.DROP then
nano.fini_session(session_data)
ctx.session_finalized = true
return nano.handle_custom_response(session_data, response)
end
return
end
if ctx.body_seen or ctx.expect_body == false then
local verdict, response = nano.end_inspection(session_id, session_data, nano.HttpChunkType.HTTP_RESPONSE_END)
if verdict == nano.AttachmentVerdict.DROP then
nano.fini_session(session_data)
ctx.session_finalized = true
return nano.handle_custom_response(session_data, response)
end
nano.fini_session(session_data)
ctx.session_finalized = true
end
end
return NanoHandler
Reference in New Issue View Git Blame Copy Permalink