From 54ca9161f7871dd037cd6b833fef368aa881e4d4 Mon Sep 17 00:00:00 2001 From: ginuerzh Date: Sat, 23 May 2026 15:52:22 +0800 Subject: [PATCH] fix(bypass): httpLoader.Close leak, httpPlugin fail-closed, missing Close method - Add missing httpLoader.Close() in localBypass.Close (was leaking HTTP loader resources) - Change httpPlugin.Contains to fail-open on errors, matching gRPC plugin - Add error logging on all httpPlugin error paths (previously silent) - Add httpPlugin.Close method to drain idle HTTP connections - Document bypassGroup.Contains whitelist AND / blacklist OR logic --- bypass/bypass.go | 8 ++++++++ bypass/plugin/http.go | 25 ++++++++++++++++++------- 2 files changed, 26 insertions(+), 7 deletions(-) diff --git a/bypass/bypass.go b/bypass/bypass.go index 07ff2549..d8b9cf6a 100644 --- a/bypass/bypass.go +++ b/bypass/bypass.go @@ -325,6 +325,9 @@ func (p *localBypass) Close() error { if p.options.redisLoader != nil { p.options.redisLoader.Close() } + if p.options.httpLoader != nil { + p.options.httpLoader.Close() + } return nil } @@ -338,6 +341,11 @@ func BypassGroup(bypasses ...bypass.Bypass) bypass.Bypass { } } +// Contains evaluates all bypass rules in the group with the following logic: +// - Whitelist rules: ALL must match (AND logic). If any whitelist rule +// returns false, the combined whitelist result is false. +// - Blacklist rules: only evaluated if the whitelist result is false. +// ANY matching blacklist rule triggers a bypass (OR logic). func (p *bypassGroup) Contains(ctx context.Context, network, addr string, opts ...bypass.Option) bool { var whitelist, blacklist []bool for _, bypass := range p.bypasses { diff --git a/bypass/plugin/http.go b/bypass/plugin/http.go index dd1aec9a..b6408bf0 100644 --- a/bypass/plugin/http.go +++ b/bypass/plugin/http.go @@ -50,9 +50,9 @@ func NewHTTPPlugin(name string, url string, opts ...plugin.Option) bypass.Bypass } } -func (p *httpPlugin) Contains(ctx context.Context, network, addr string, opts ...bypass.Option) (ok bool) { +func (p *httpPlugin) Contains(ctx context.Context, network, addr string, opts ...bypass.Option) bool { if p.client == nil { - return + return true } var options bypass.Options @@ -70,12 +70,14 @@ func (p *httpPlugin) Contains(ctx context.Context, network, addr string, opts .. } v, err := json.Marshal(&rb) if err != nil { - return + p.log.Error(err) + return true } req, err := http.NewRequestWithContext(ctx, http.MethodPost, p.url, bytes.NewReader(v)) if err != nil { - return + p.log.Error(err) + return true } if p.header != nil { @@ -84,21 +86,30 @@ func (p *httpPlugin) Contains(ctx context.Context, network, addr string, opts .. req.Header.Set("Content-Type", "application/json") resp, err := p.client.Do(req) if err != nil { - return + p.log.Error(err) + return true } defer resp.Body.Close() if resp.StatusCode != http.StatusOK { - return + return true } res := httpPluginResponse{} if err := json.NewDecoder(resp.Body).Decode(&res); err != nil { - return + p.log.Error(err) + return true } return res.OK } +func (p *httpPlugin) Close() error { + if p.client != nil { + p.client.CloseIdleConnections() + } + return nil +} + func (p *httpPlugin) IsWhitelist() bool { return false }