close appsec transactions after processing request (#3515)

2025-05-11 20:36:12 +02:00 · 2025-03-17 11:36:14 +01:00 · 2025-03-17 11:36:14 +01:00 · 663dad048b
commit 663dad048b
parent cab99643d1
3 changed files with 29 additions and 1 deletions
--- a/pkg/acquisition/modules/appsec/appsec_rules_test.go
+++ b/pkg/acquisition/modules/appsec/appsec_rules_test.go
@ -3,6 +3,8 @@ package appsecacquisition
 import (
 	"net/http"
 	"net/url"
+	"os"
+	"path/filepath"
 	"testing"

 	log "github.com/sirupsen/logrus"
@ -346,7 +348,7 @@ func TestAppsecRuleMatches(t *testing.T) {
 			input_request: appsec.ParsedRequest{
 				ClientIP:   "1.2.3.4",
 				RemoteAddr: "127.0.0.1",
-				Method:     "GET",
+				Method:     "POST",
 				URI:        "/urllll",
 				Headers:    http.Header{"Content-Type": []string{"multipart/form-data; boundary=boundary"}},
 				Body: []byte(`
@ -368,6 +370,11 @@ toto

 				require.Len(t, responses, 1)
 				require.True(t, responses[0].InBandInterrupt)
+
+				// Might fail if you have artifacts from previous tests, but good enough 99% of the time
+				tmpFiles, err := filepath.Glob(filepath.Join(os.TempDir(), "crzmp*"))
+				require.NoError(t, err)
+				require.Empty(t, tmpFiles)
 			},
 		},
 		{
--- a/pkg/acquisition/modules/appsec/appsec_runner.go
+++ b/pkg/acquisition/modules/appsec/appsec_runner.go
@ -355,6 +355,10 @@ func (r *AppsecRunner) handleRequest(request *appsec.ParsedRequest) {
 	err := r.ProcessInBandRules(request)
 	if err != nil {
 		logger.Errorf("unable to process InBand rules: %s", err)
+		err = request.Tx.Close()
+		if err != nil {
+			logger.Errorf("unable to close inband transaction: %s", err)
+		}
 		return
 	}

@ -366,6 +370,11 @@ func (r *AppsecRunner) handleRequest(request *appsec.ParsedRequest) {
 		r.handleInBandInterrupt(request)
 	}

+	err = request.Tx.Close()
+	if err != nil {
+		r.logger.Errorf("unable to close inband transaction: %s", err)
+	}
+
 	// send back the result to the HTTP handler for the InBand part
 	request.ResponseChannel <- r.AppsecRuntime.Response

@ -385,6 +394,10 @@ func (r *AppsecRunner) handleRequest(request *appsec.ParsedRequest) {
 		err = r.ProcessOutOfBandRules(request)
 		if err != nil {
 			logger.Errorf("unable to process OutOfBand rules: %s", err)
+			err = request.Tx.Close()
+			if err != nil {
+				logger.Errorf("unable to close outband transaction: %s", err)
+			}
 			return
 		}

@ -395,6 +408,10 @@ func (r *AppsecRunner) handleRequest(request *appsec.ParsedRequest) {
 			r.handleOutBandInterrupt(request)
 		}
 	}
+	err = request.Tx.Close()
+	if err != nil {
+		r.logger.Errorf("unable to close outband transaction: %s", err)
+	}
 	// time spent to process inband AND out of band rules
 	globalParsingElapsed := time.Since(startGlobalParsing)
 	AppsecGlobalParsingHistogram.With(prometheus.Labels{"source": request.RemoteAddrNormalized, "appsec_engine": request.AppsecEngine}).Observe(globalParsingElapsed.Seconds())
--- a/pkg/appsec/tx.go
+++ b/pkg/appsec/tx.go
@ -91,3 +91,7 @@ func (t *ExtendedTransaction) MatchedRules() []types.MatchedRule {
 func (t *ExtendedTransaction) ID() string {
 	return t.Tx.ID()
 }
+
+func (t *ExtendedTransaction) Close() error {
+	return t.Tx.Close()
+}