Add filter_body plugin for request/response body content filtering #12740
Merged
bryancall
merged 9 commits into
apache:master
from
bryancall:filter_body_plugin_squashed
Jan 8, 2026
Conversation
This plugin provides streaming body content inspection with configurable pattern matching and actions. It can be used to detect and mitigate CVE exploits and other malicious content patterns.

Features:
- YAML-based configuration with rule definitions using filter/action schema
- Header-based filtering (AND logic between headers, OR within patterns)
- Case-insensitive header matching, case-sensitive body patterns
- Configurable actions per rule: log, block, add_header (with multiple headers)
- Support for both request and response body inspection
- Streaming transform with lookback buffer for cross-boundary patterns
- Optional max_content_length to skip large bodies
- Configurable HTTP methods (request) and status codes (response)
- Per-rule metrics counters for monitoring matches
- Support for <rule_name> substitution in header values

Actions:
- log: Log pattern matches via TSError
- block: Set 403 Forbidden status and return error response
- add_header: Add custom headers to server request or client response

Includes:
- Comprehensive RST documentation
- README.md quick reference
- ATSReplayTest autests for request/response filtering scenarios

Co-authored-by: Brian Neradt <[email protected]>
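The "streaming transform with lookback buffer for cross-boundary patterns" feature, as an added C++ example that is not the plugin's own code: a `StreamingMatcher` (a hypothetical name) carries the last (longest pattern - 1) bytes from one chunk into the next, so a body pattern split across two chunks is still detected, and it counts matches per pattern the way a per-rule metric would. The patterns and chunks are constructed sample data, not values from the plugin.

```cpp
#include <algorithm>
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Streams body chunks past a set of body patterns while keeping a lookback buffer
// of (longest pattern - 1) bytes, so a pattern split across two chunks is still
// found. Matches are counted per pattern, like the plugin's per-rule metrics.
class StreamingMatcher {
public:
  explicit StreamingMatcher(std::vector<std::string> patterns)
      : patterns_(std::move(patterns)), counts_(patterns_.size(), 0) {
    for (const auto &p : patterns_)
      if (p.size() > 1) lookback_ = std::max(lookback_, p.size() - 1);
  }

  // Feed one chunk as it arrives; returns how many matches ended inside it.
  std::size_t feed(const std::string &chunk) {
    const std::string window = carry_ + chunk;
    std::size_t found = 0;
    for (std::size_t i = 0; i < patterns_.size(); ++i) {
      const std::string &p = patterns_[i];
      if (p.empty()) continue;
      for (std::size_t pos = window.find(p); pos != std::string::npos;
           pos = window.find(p, pos + 1)) {
        // A match lying wholly inside the carried bytes was already counted by
        // the previous feed(); count only matches that end inside this chunk.
        if (pos + p.size() > carry_.size()) { ++found; ++counts_[i]; }
      }
    }
    // Keep just the tail that could still be the prefix of a later match.
    carry_ = window.size() > lookback_ ? window.substr(window.size() - lookback_) : window;
    return found;
  }
  std::size_t count(std::size_t i) const { return counts_.at(i); }

private:
  std::vector<std::string> patterns_;
  std::vector<std::size_t> counts_;
  std::size_t lookback_ = 0;
  std::string carry_;
};

// Runs a body delivered as chunks and returns the total number of matches.
std::size_t scan_chunks(const std::vector<std::string> &chunks, const std::vector<std::string> &patterns) {
  StreamingMatcher m(patterns);
  std::size_t total = 0;
  for (const auto &c : chunks) total += m.feed(c);
  return total;
}
```

Without the carried tail, the first call below would report zero matches because "forbidden-token" never appears whole in either chunk.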
bneradt
requested changes
Dec 8, 2025
Contributor
bneradt
left a comment
Do we want the README.md since we have the public-facing doc? I suppose the idea of the README is that it would be more dev-centric rather than user focused?
Cast block_avail to size_t before subtracting search_offset to resolve constructor ambiguity between size_t, unsigned, ssize_t, and int overloads. This matches the casting pattern used elsewhere in the same function.
Due to the streaming nature of request body inspection, the response status for blocked requests may be either 403 or 502 depending on timing:
- 403 if blocking happens before origin connection
- 502 if blocking happens after request headers sent to origin

The blocking action is still verified via log message checks. Removing the status expectation prevents test flakiness.
bneradt
previously approved these changes
Dec 9, 2025
Documentation improvements:
- Add 'experimental' to first sentence of description
- Remove trailing periods from bullet points in Features
- Clarify lookback buffer explanation
- Reorder features (optional items at end)
- Clarify experimental plugin build flags
- Fix Block Action description with accurate behavior:
  * Request blocking: both connections closed, no response to client
  * Response blocking: status already sent, client gets partial body
- Add response blocking to Limitations section

Cleanup:
- Remove filter_body_plan.md planning document
Address review feedback to use placeholder for consistency. Add explanation that <rule_name> should be replaced with the name from the configuration.
f91b932 to a620995
jasmine-nahrain
approved these changes
Jan 8, 2026