fix(ProcessResponseBody): Avoids multiple calls, discussion about OnH…

…ttpStreamDone call (#193)
corazawaf · May 24, 2023 · fe78932 · fe78932
1 parent 8c429fb
commit fe78932
Showing 1 changed file with 14 additions and 12 deletions.
diff --git a/wasmplugin/plugin.go b/wasmplugin/plugin.go
@@ -487,18 +487,19 @@ func (ctx *httpContext) OnHttpResponseBody(bodySize int, endOfStream bool) types
 	if !tx.IsResponseBodyAccessible() {
 		ctx.logger.Debug().Msg("Skipping response body inspection, SecResponseBodyAccess is off.")
 		// ProcessResponseBody is performed for phase 4 rules, checking already populated variables
-		ctx.processedResponseBody = true
-		interruption, err := tx.ProcessResponseBody()
-		if err != nil {
-			ctx.logger.Error().Err(err).Msg("Failed to process response body")
-			return types.ActionContinue
-		}
-
-		if interruption != nil {
-			// Proxy-wasm can not anymore deny the response. The best interruption is emptying the body
-			// Coraza Multiphase evaluation will help here avoiding late interruptions
-			ctx.bodyReadIndex = bodySize // hacky: bodyReadIndex stores the body size that has to be replaced
-			return ctx.handleInterruption(interruptionPhaseHttpResponseBody, interruption)
+		if !ctx.processedResponseBody {
+			interruption, err := tx.ProcessResponseBody()
+			if err != nil {
+				ctx.logger.Error().Err(err).Msg("Failed to process response body")
+				return types.ActionContinue
+			}
+			ctx.processedResponseBody = true
+			if interruption != nil {
+				// Proxy-wasm can not anymore deny the response. The best interruption is emptying the body
+				// Coraza Multiphase evaluation will help here avoiding late interruptions
+				ctx.bodyReadIndex = bodySize // hacky: bodyReadIndex stores the body size that has to be replaced
+				return ctx.handleInterruption(interruptionPhaseHttpResponseBody, interruption)
+			}
 		}
 		return types.ActionContinue
 	}
@@ -559,6 +560,7 @@ func (ctx *httpContext) OnHttpStreamDone() {
 			// phase that still need to be executed. If they haven't been executed yet, and there has not been a previous
 			// interruption, now is the time.
 			if !ctx.processedResponseBody {
+				ctx.logger.Info().Msg("Running ProcessResponseBody in OnHttpStreamDone, triggered actions will not be enforced. Further logs are for detection only purposes")
 				ctx.processedResponseBody = true
 				_, err := tx.ProcessResponseBody()
 				if err != nil {