corazawaf · jptosso · Apr 3, 2026 · Apr 3, 2026 · Apr 3, 2026 · Apr 3, 2026
diff --git a/coraza.i b/coraza.i
@@ -184,11 +184,13 @@ int coraza_set_debug_log_callback(coraza_waf_config_t cfg, PyObject *cb) {
 %typemap(jstype) (const unsigned char *data, int length) "byte[]"
 %typemap(javain) (const unsigned char *data, int length) "$javainput"
 %typemap(in)     (const unsigned char *data, int length) {
-    $1 = (unsigned char *)JCALL2(GetByteArrayElements, jenv, $input, NULL);
+    /* GetArrayLength must be called before GetPrimitiveArrayCritical: no other
+     * JNI calls are permitted while a critical section is open. */
     $2 = (int)JCALL1(GetArrayLength, jenv, $input);
+    $1 = (unsigned char *)JCALL2(GetPrimitiveArrayCritical, jenv, $input, NULL);
 }
 %typemap(argout) (const unsigned char *data, int length) {
-    JCALL3(ReleaseByteArrayElements, jenv, $input, (jbyte *)$1, JNI_ABORT);
+    JCALL3(ReleasePrimitiveArrayCritical, jenv, $input, (jbyte *)$1, JNI_ABORT);
 }
 
 /*
@@ -212,28 +214,59 @@ typedef struct {
     jmethodID mid;
 } _swig_java_cb_ctx_t;
 
+/*
+ * Obtain a JNIEnv for the current thread, attaching it as a daemon if needed.
+ *
+ * Attachment is cached per OS thread via __thread storage so repeated calls on
+ * the same thread skip the GetEnv round-trip.  Attached threads are detached
+ * automatically by _swig_jni_detach_thread, which is registered as a
+ * pthread destructor on first attachment and fires when the OS thread exits.
+ *
+ * Returns NULL if attachment fails (JVM overloaded or shutting down); callers
+ * must check before dereferencing env.
+ */
+#include <pthread.h>
+
+static pthread_key_t  _swig_jni_tls_key;
+static pthread_once_t _swig_jni_tls_once = PTHREAD_ONCE_INIT;
+
+static void _swig_jni_detach_thread(void *jvm_ptr) {
+    if (jvm_ptr)
+        ((JavaVM *)jvm_ptr)->DetachCurrentThread((JavaVM *)jvm_ptr);
+}
-static void _swig_jni_detach_thread(void *jvm_ptr) {
-    if (jvm_ptr)
-        ((JavaVM *)jvm_ptr)->DetachCurrentThread((JavaVM *)jvm_ptr);
-}
+static void _swig_jni_detach_thread(void *jvm_ptr) {
+    if (jvm_ptr) {
+        JavaVM *jvm = (JavaVM *)jvm_ptr;
+        (*jvm)->DetachCurrentThread(jvm);
+    }
+}
-static void _swig_jni_detach_thread(void *jvm_ptr) {
-    if (jvm_ptr)
-        ((JavaVM *)jvm_ptr)->DetachCurrentThread((JavaVM *)jvm_ptr);
-}
+static void _swig_jni_detach_thread(void *jvm_ptr) {
+    if (jvm_ptr) {
+        JavaVM *jvm = (JavaVM *)jvm_ptr;
+        (*jvm)->DetachCurrentThread(jvm);
+    }
+}
+
+static void _swig_jni_tls_init(void) {
+    pthread_key_create(&_swig_jni_tls_key, _swig_jni_detach_thread);
+}
+
+static JNIEnv *_swig_ensure_jni_env(JavaVM *jvm) {
+    JNIEnv *env = NULL;
+    jint rc = (*jvm)->GetEnv(jvm, (void **)&env, JNI_VERSION_1_6);
+    if (rc == JNI_OK)
+        return env;
+    if (rc != JNI_EDETACHED)
+        return NULL; /* JVM error — caller must handle NULL */
+    if ((*jvm)->AttachCurrentThreadAsDaemon(jvm, (void **)&env, NULL) != JNI_OK)
+        return NULL;
+    /* Register DetachCurrentThread to run when this OS thread exits. */
+    pthread_once(&_swig_jni_tls_once, _swig_jni_tls_init);
+    pthread_setspecific(_swig_jni_tls_key, jvm);
+    return env;
+}
+
 static void _swig_java_error_trampoline(void *ctx, coraza_matched_rule_t rule) {
     _swig_java_cb_ctx_t *jctx = (_swig_java_cb_ctx_t *)ctx;
-    JNIEnv *env = NULL;
-    jboolean attached = JNI_FALSE;
-    if ((*jctx->jvm)->GetEnv(jctx->jvm, (void **)&env, JNI_VERSION_1_6) == JNI_EDETACHED) {
-        (*jctx->jvm)->AttachCurrentThreadAsDaemon(jctx->jvm, (void **)&env, NULL);
-        attached = JNI_TRUE;
-    }
+    JNIEnv *env = _swig_ensure_jni_env(jctx->jvm);
+    if (!env) return;
     (*env)->CallVoidMethod(env, jctx->obj, jctx->mid, (jlong)(uintptr_t)rule);
     if ((*env)->ExceptionCheck(env)) (*env)->ExceptionDescribe(env);
-    if (attached) (*jctx->jvm)->DetachCurrentThread(jctx->jvm);
 }
 
 static void _swig_java_debug_trampoline(void *ctx, coraza_debug_log_level_t level,
                                          const char *msg, const char *fields) {
     _swig_java_cb_ctx_t *jctx = (_swig_java_cb_ctx_t *)ctx;
-    JNIEnv *env = NULL;
-    jboolean attached = JNI_FALSE;
-    if ((*jctx->jvm)->GetEnv(jctx->jvm, (void **)&env, JNI_VERSION_1_6) == JNI_EDETACHED) {
-        (*jctx->jvm)->AttachCurrentThreadAsDaemon(jctx->jvm, (void **)&env, NULL);
-        attached = JNI_TRUE;
-    }
+    JNIEnv *env = _swig_ensure_jni_env(jctx->jvm);
+    if (!env) return;
     jstring jmsg    = (*env)->NewStringUTF(env, msg    ? msg    : "");
     jstring jfields = (*env)->NewStringUTF(env, fields ? fields : "");
     /* NewStringUTF returns NULL on OOM; skip the call rather than crash. */
@@ -243,7 +276,6 @@ static void _swig_java_debug_trampoline(void *ctx, coraza_debug_log_level_t leve
     if (jmsg)    (*env)->DeleteLocalRef(env, jmsg);
     if (jfields) (*env)->DeleteLocalRef(env, jfields);
     if ((*env)->ExceptionCheck(env)) (*env)->ExceptionDescribe(env);
-    if (attached) (*jctx->jvm)->DetachCurrentThread(jctx->jvm);
 }
 
 JNIEXPORT jint JNICALL Java_coraza_coraza_1set_1error_1callback(
@@ -353,7 +385,25 @@ typedef enum coraza_severity_t {
 
 /*
  * Function declarations
+ *
+ * Release the Python GIL for calls that cross into Go and do real work, so
+ * other Python threads can run concurrently.  coraza_append_request_body and
+ * coraza_append_response_body are intentionally excluded: the Python typemap
+ * extracts a raw pointer via PyBytes_AS_STRING / PyByteArray_AS_STRING and
+ * that pointer must remain valid for the duration of the call — releasing the
+ * GIL would allow another thread to resize or deallocate the buffer.
  */
+#ifdef SWIGPYTHON
+%thread coraza_new_waf;
+%thread coraza_rules_merge;
+%thread coraza_process_connection;
+%thread coraza_process_uri;
+%thread coraza_process_request_headers;
+%thread coraza_process_request_body;
+%thread coraza_process_response_headers;
+%thread coraza_process_response_body;
+%thread coraza_process_logging;
+#endif
 
 extern coraza_waf_config_t coraza_new_waf_config();
 extern int coraza_rules_add_file(coraza_waf_config_t c, const char *file);

diff --git a/libcoraza/coraza.go b/libcoraza/coraza.go
@@ -294,7 +294,9 @@ func coraza_process_logging(t C.coraza_transaction_t) C.int {
 //export coraza_append_request_body
 func coraza_append_request_body(t C.coraza_transaction_t, data *C.uchar, length C.int) C.int {
 	tx := fromRaw[types.Transaction](t)
-	if _, _, err := tx.WriteRequestBody(C.GoBytes(unsafe.Pointer(data), length)); err != nil {
+	// unsafe.Slice creates a Go slice header over the C buffer without copying.
+	// Safe because WriteRequestBody does not retain the slice after returning.
+	if _, _, err := tx.WriteRequestBody(unsafe.Slice((*byte)(unsafe.Pointer(data)), length)); err != nil {
 		return 1
 	}
 	return 0
@@ -317,7 +319,7 @@ func coraza_add_response_header(t C.coraza_transaction_t, name *C.char, name_len
 //export coraza_append_response_body
 func coraza_append_response_body(t C.coraza_transaction_t, data *C.uchar, length C.int) C.int {
 	tx := fromRaw[types.Transaction](t)
-	if _, _, err := tx.WriteResponseBody(C.GoBytes(unsafe.Pointer(data), length)); err != nil {
+	if _, _, err := tx.WriteResponseBody(unsafe.Slice((*byte)(unsafe.Pointer(data)), length)); err != nil {
 		return 1
 	}
 	return 0
@@ -385,9 +387,8 @@ func coraza_request_body_from_file(t C.coraza_transaction_t, file *C.char) C.int
 		return 1
 	}
 	defer f.Close()
-	// we read the file in chunks and send it to the engine
+	buf := make([]byte, 32*1024)
 	for {
-		buf := make([]byte, 1024)
 		n, err := f.Read(buf)
 		if err != nil {
 			if err == io.EOF {