Transaction Close() does not reset all state fields before returning to sync.Pool #1515

@jptosso

Description:

Close() at internal/corazawaf/transaction.go:1561-1601 puts the transaction back into sync.Pool via defer tx.WAF.txPool.Put(tx) but does NOT reset several fields:

  • tx.matchedRules — old matched rules leak into reused transactions
  • tx.interruption — previous interruption persists
  • tx.Skip, tx.SkipAfter, tx.AllowType — stale rule-skip state
  • tx.audit — audit flag from previous request
  • tx.lastPhase — phase tracking from previous request

While newTransaction() in waf.go does reset these, the defer Put() means the transaction is always returned to the pool, even on error paths, with potentially dirty state. If newTransaction() logic ever changes, stale state will leak between requests.

Steps:

  • Reset matchedRules, interruption, Skip, SkipAfter, AllowType, audit, lastPhase in Close() before the defer Put()

Files: internal/corazawaf/transaction.go
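
The pattern this issue describes, as an added Go example that is not Coraza's code and not part of the original post: a hypothetical `Transaction` struct carrying only the seven fields listed above (the field types are assumptions) is returned to a `sync.Pool` with and without a reset, and a reflection-based check reports what state the pooled object still holds. The names `closeNoReset`, `closeReset`, `dirtyFields` and `leftInPool` are hypothetical.

```go
package main

import (
	"fmt"
	"reflect"
	"sync"
)

// Transaction is a hypothetical stand-in; the field types are assumptions.
type Transaction struct {
	matchedRules               []string
	interruption               *string
	Skip, AllowType, lastPhase int
	SkipAfter                  string
	audit                      bool
}

var txPool = sync.Pool{New: func() any { return new(Transaction) }}

// closeNoReset returns the object to the pool with its request state intact.
func closeNoReset(tx *Transaction) { defer txPool.Put(tx) }

// closeReset zeroes the object first; the deferred Put runs after the reset.
func closeReset(tx *Transaction) {
	defer txPool.Put(tx)
	*tx = Transaction{}
}

// dirtyFields names every field that is not at its zero value. Reflection
// means a field added to the struct later is covered without extra code.
func dirtyFields(tx *Transaction) (out []string) {
	v := reflect.ValueOf(*tx)
	for i := 0; i < v.NumField(); i++ {
		if !v.Field(i).IsZero() {
			out = append(out, v.Type().Field(i).Name)
		}
	}
	return out
}

// leftInPool fills a transaction with constructed request state, closes it
// with closeFn, and reports what the pooled object still carries.
func leftInPool(closeFn func(*Transaction)) []string {
	tx := txPool.Get().(*Transaction)
	why := "blocked" // constructed sample value
	*tx = Transaction{[]string{"rule-1"}, &why, 1, 2, 3, "MARKER", true}
	closeFn(tx)
	return dirtyFields(tx) // reading after Put is for this demo only
}

func main() { fmt.Println(leftInPool(closeNoReset), leftInPool(closeReset)) }
```

A check like `dirtyFields` can run in a unit test just before `Put`, so a field added later without a matching reset fails the test instead of reaching the next request.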
