feat(appsec): expose uploaded file content as new WAF address server.request.body.files_content for commons-fileupload#11137

Open
jandro996 wants to merge 9 commits into master from alejandro.gonzalez/APPSEC-61875-file-upload-content

Conversation

@jandro996 jandro996 commented Apr 16, 2026

What Does This Do

  • Introduces the server.request.body.files_content address and requestFilesContent() event in the gateway API, wired through GatewayBridge and InstrumentationGateway
  • Extends ServletFileUpload.parseRequest() instrumentation (commons-fileupload) to read up to 4096 bytes of each uploaded file's content and fire the new WAF callback; blocks with a BlockingException on RequestBlockingAction; content event is skipped when the filenames event has already blocked the request

Additional Info

  • Content is capped at 4096 bytes per file to keep memory usage bounded
  • Number of files is capped at 25 files
  • This PR covers the gateway wiring and the commons-fileupload entry point. Coverage for other multipart stacks (Tomcat request.getParts(), Jetty, Liberty) will follow in successive PRs

Contributor Checklist

Jira ticket: APPSEC-61875


@github-actions

Hi! 👋 Looks like you updated a Git Submodule.
If this was not intentional please make sure to:

@jandro996 jandro996 added type: enhancement Enhancements and improvements comp: asm waf Application Security Management (WAF) labels Apr 16, 2026
…est.body.files_content

Introduces a new AppSec WAF address `server.request.body.files_content`
(`List<String>`) that exposes the content of each uploaded file in a
multipart/form-data request. Entries correspond positionally to the
existing `server.request.body.filenames` address. Content is capped at
4 096 bytes per file (ISO-8859-1) to keep memory usage bounded.

Changes:
- KnownAddresses: add REQUEST_FILES_CONTENT + forName() case
- Events: add requestFilesContent event (ID 31); FILE_WRITTEN bumped to 32
- InstrumentationGateway: register the new BiFunction case
- GatewayBridge: add onRequestFilesContent handler + DATA_DEPENDENCIES entry
- CommonsFileUploadAppSecModule: after firing filenames, fire content
  (skipped when the filenames event already blocked the request)
- Unit tests: GatewayBridgeSpecification, GatewayBridgeIGRegistrationSpecification,
  KnownAddressesSpecificationForkedTest
- Smoke test: 'block request based on malicious file upload content'
  verifies end-to-end blocking via a custom WAF rule on the new address

Closes APPSEC-61875
@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61875-file-upload-content branch from 0de9320 to 37e7d09 Compare April 16, 2026 14:12
@pr-commenter
pr-commenter bot commented Apr 16, 2026

Benchmarks

Startup

Parameters

| Parameter | Baseline | Candidate |
| --- | --- | --- |
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/APPSEC-61875-file-upload-content |
| git_commit_date | 1776685998 | 1776686338 |
| git_commit_sha | 71f9713 | 92ed45d |
| release_version | 1.62.0-SNAPSHOT~71f9713d93 | 1.62.0-SNAPSHOT~92ed45d8a8 |

Matching parameters (identical for baseline and candidate):

| Parameter | Value |
| --- | --- |
| application | insecure-bank |
| ci_job_date | 1776688213 |
| ci_job_id | 1610276671 |
| ci_pipeline_id | 108524496 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-zfyrx7zua-project-304-concurrent-1-oe8rj3vh 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |
| module | Agent |
| parent | None |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 60 metrics, 11 unstable metrics.

Startup time reports for insecure-bank

[Chart: insecure-bank - global startup overhead: candidate=1.62.0-SNAPSHOT~92ed45d8a8, baseline=1.62.0-SNAPSHOT~71f9713d93]

Baseline results:

| Module | Variant | Duration | Δ tracing |
| --- | --- | --- | --- |
| Agent | tracing | 1.071 s | - |
| Agent | iast | 1.229 s | 158.146 ms (14.8%) |
| Total | tracing | 8.873 s | - |
| Total | iast | 9.571 s | 697.283 ms (7.9%) |

Candidate results:

| Module | Variant | Duration | Δ tracing |
| --- | --- | --- | --- |
| Agent | tracing | 1.055 s | - |
| Agent | iast | 1.231 s | 176.109 ms (16.7%) |
| Total | tracing | 8.824 s | - |
| Total | iast | 9.558 s | 733.5 ms (8.3%) |

[Chart: insecure-bank - break down per module (sections: tracing, iast): candidate=1.62.0-SNAPSHOT~92ed45d8a8, baseline=1.62.0-SNAPSHOT~71f9713d93]
Startup time reports for petclinic

[Chart: petclinic - global startup overhead: candidate=1.62.0-SNAPSHOT~92ed45d8a8, baseline=1.62.0-SNAPSHOT~71f9713d93]

Baseline results:

| Module | Variant | Duration | Δ tracing |
| --- | --- | --- | --- |
| Agent | tracing | 1.062 s | - |
| Agent | appsec | 1.258 s | 195.607 ms (18.4%) |
| Agent | iast | 1.231 s | 168.775 ms (15.9%) |
| Agent | profiling | 1.197 s | 135.575 ms (12.8%) |
| Total | tracing | 11.081 s | - |
| Total | appsec | 10.968 s | -113.22 ms (-1.0%) |
| Total | iast | 11.292 s | 210.27 ms (1.9%) |
| Total | profiling | 11.042 s | -39.335 ms (-0.4%) |

Candidate results:

| Module | Variant | Duration | Δ tracing |
| --- | --- | --- | --- |
| Agent | tracing | 1.058 s | - |
| Agent | appsec | 1.262 s | 203.874 ms (19.3%) |
| Agent | iast | 1.231 s | 173.349 ms (16.4%) |
| Agent | profiling | 1.18 s | 122.018 ms (11.5%) |
| Total | tracing | 10.986 s | - |
| Total | appsec | 11.011 s | 24.471 ms (0.2%) |
| Total | iast | 11.311 s | 325.053 ms (3.0%) |
| Total | profiling | 10.923 s | -63.123 ms (-0.6%) |

[Chart: petclinic - break down per module (sections: tracing, appsec, iast, profiling): candidate=1.62.0-SNAPSHOT~92ed45d8a8, baseline=1.62.0-SNAPSHOT~71f9713d93]

Load

Parameters

| Parameter | Baseline | Candidate |
| --- | --- | --- |
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/APPSEC-61875-file-upload-content |
| git_commit_date | 1776685998 | 1776686338 |
| git_commit_sha | 71f9713 | 92ed45d |
| release_version | 1.62.0-SNAPSHOT~71f9713d93 | 1.62.0-SNAPSHOT~92ed45d8a8 |

Matching parameters (identical for baseline and candidate):

| Parameter | Value |
| --- | --- |
| application | insecure-bank |
| ci_job_date | 1776688697 |
| ci_job_id | 1610276672 |
| ci_pipeline_id | 108524496 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-zfyrx7zua-project-304-concurrent-0-rsl3u07t 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |

Summary

Found 0 performance improvements and 1 performance regressions! Performance is the same for 16 metrics, 19 unstable metrics.

| Metric | scenario:load:insecure-bank:profiling:high_load |
| --- | --- |
| Δ mean agg_http_req_duration_p50 | worse: [+46.636µs; +181.711µs] or [+2.725%; +10.616%] |
| Δ mean agg_http_req_duration_p95 | unstable: [-684.963µs; +990.996µs] or [-13.217%; +19.122%] |
| Δ mean throughput | unstable: [-450.015op/s; +90.577op/s] or [-20.863%; +4.199%] |
| candidate mean agg_http_req_duration_p50 | 1.826ms |
| candidate mean agg_http_req_duration_p95 | 5.335ms |
| candidate mean throughput | 1977.281op/s |
| baseline mean agg_http_req_duration_p50 | 1.712ms |
| baseline mean agg_http_req_duration_p95 | 5.182ms |
| baseline mean throughput | 2157.000op/s |
Request duration reports for insecure-bank

[Chart: insecure-bank - request duration [CI 0.99]: candidate=1.62.0-SNAPSHOT~92ed45d8a8, baseline=1.62.0-SNAPSHOT~71f9713d93]

Baseline results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 1.237 ms [1.225 ms, 1.249 ms] | - |
| iast | 3.286 ms [3.241 ms, 3.331 ms] | 2.049 ms (165.6%) |
| iast_FULL | 5.863 ms [5.804 ms, 5.921 ms] | 4.626 ms (373.9%) |
| iast_GLOBAL | 3.732 ms [3.669 ms, 3.795 ms] | 2.495 ms (201.7%) |
| profiling | 2.095 ms [2.076 ms, 2.115 ms] | 858.496 µs (69.4%) |
| tracing | 1.855 ms [1.839 ms, 1.87 ms] | 617.564 µs (49.9%) |

Candidate results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 1.242 ms [1.23 ms, 1.254 ms] | - |
| iast | 3.42 ms [3.379 ms, 3.461 ms] | 2.178 ms (175.4%) |
| iast_FULL | 6.042 ms [5.98 ms, 6.104 ms] | 4.8 ms (386.6%) |
| iast_GLOBAL | 3.75 ms [3.688 ms, 3.812 ms] | 2.508 ms (202.0%) |
| profiling | 2.291 ms [2.27 ms, 2.313 ms] | 1.05 ms (84.5%) |
| tracing | 1.92 ms [1.903 ms, 1.937 ms] | 678.296 µs (54.6%) |
Request duration reports for petclinic

[Chart: petclinic - request duration [CI 0.99]: candidate=1.62.0-SNAPSHOT~92ed45d8a8, baseline=1.62.0-SNAPSHOT~71f9713d93]

Baseline results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 18.149 ms [17.965 ms, 18.333 ms] | - |
| appsec | 18.776 ms [18.585 ms, 18.966 ms] | 626.754 µs (3.5%) |
| code_origins | 17.719 ms [17.547 ms, 17.891 ms] | -430.131 µs (-2.4%) |
| iast | 17.842 ms [17.666 ms, 18.019 ms] | -306.525 µs (-1.7%) |
| profiling | 18.528 ms [18.344 ms, 18.712 ms] | 378.612 µs (2.1%) |
| tracing | 18.033 ms [17.851 ms, 18.215 ms] | -115.788 µs (-0.6%) |

Candidate results:

| Variant | Request duration [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 18.243 ms [18.057 ms, 18.428 ms] | - |
| appsec | 18.7 ms [18.514 ms, 18.886 ms] | 457.301 µs (2.5%) |
| code_origins | 17.603 ms [17.432 ms, 17.773 ms] | -639.995 µs (-3.5%) |
| iast | 17.706 ms [17.53 ms, 17.882 ms] | -536.726 µs (-2.9%) |
| profiling | 18.761 ms [18.571 ms, 18.95 ms] | 518.092 µs (2.8%) |
| tracing | 17.843 ms [17.668 ms, 18.018 ms] | -399.692 µs (-2.2%) |

Dacapo

Parameters

| Parameter | Baseline | Candidate |
| --- | --- | --- |
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/APPSEC-61875-file-upload-content |
| git_commit_date | 1776685998 | 1776686338 |
| git_commit_sha | 71f9713 | 92ed45d |
| release_version | 1.62.0-SNAPSHOT~71f9713d93 | 1.62.0-SNAPSHOT~92ed45d8a8 |

Matching parameters (identical for baseline and candidate):

| Parameter | Value |
| --- | --- |
| application | biojava |
| ci_job_date | 1776688388 |
| ci_job_id | 1610276673 |
| ci_pipeline_id | 108524496 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-zfyrx7zua-project-304-concurrent-0-ula4flpt 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for tomcat

[Chart: tomcat - execution time [CI 0.99]: candidate=1.62.0-SNAPSHOT~92ed45d8a8, baseline=1.62.0-SNAPSHOT~71f9713d93]

Baseline results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 1.481 ms [1.47 ms, 1.493 ms] | - |
| appsec | 3.738 ms [3.524 ms, 3.953 ms] | 2.257 ms (152.4%) |
| iast | 2.269 ms [2.199 ms, 2.338 ms] | 787.33 µs (53.2%) |
| iast_GLOBAL | 2.321 ms [2.251 ms, 2.391 ms] | 839.643 µs (56.7%) |
| profiling | 2.095 ms [2.04 ms, 2.149 ms] | 613.313 µs (41.4%) |
| tracing | 2.068 ms [2.015 ms, 2.121 ms] | 586.871 µs (39.6%) |

Candidate results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 1.485 ms [1.473 ms, 1.496 ms] | - |
| appsec | 3.795 ms [3.574 ms, 4.017 ms] | 2.311 ms (155.6%) |
| iast | 2.267 ms [2.198 ms, 2.337 ms] | 782.562 µs (52.7%) |
| iast_GLOBAL | 2.313 ms [2.243 ms, 2.383 ms] | 828.351 µs (55.8%) |
| profiling | 2.092 ms [2.038 ms, 2.147 ms] | 607.524 µs (40.9%) |
| tracing | 2.064 ms [2.01 ms, 2.117 ms] | 578.868 µs (39.0%) |
Execution time for biojava

[Chart: biojava - execution time [CI 0.99]: candidate=1.62.0-SNAPSHOT~92ed45d8a8, baseline=1.62.0-SNAPSHOT~71f9713d93]

Baseline results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 15.654 s [15.654 s, 15.654 s] | - |
| appsec | 14.84 s [14.84 s, 14.84 s] | -814.0 ms (-5.2%) |
| iast | 18.383 s [18.383 s, 18.383 s] | 2.729 s (17.4%) |
| iast_GLOBAL | 18.042 s [18.042 s, 18.042 s] | 2.388 s (15.3%) |
| profiling | 15.455 s [15.455 s, 15.455 s] | -199.0 ms (-1.3%) |
| tracing | 14.72 s [14.72 s, 14.72 s] | -934.0 ms (-6.0%) |

Candidate results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
| --- | --- | --- |
| no_agent | 14.945 s [14.945 s, 14.945 s] | - |
| appsec | 14.787 s [14.787 s, 14.787 s] | -158.0 ms (-1.1%) |
| iast | 18.743 s [18.743 s, 18.743 s] | 3.798 s (25.4%) |
| iast_GLOBAL | 18.42 s [18.42 s, 18.42 s] | 3.475 s (23.3%) |
| profiling | 14.879 s [14.879 s, 14.879 s] | -66.0 ms (-0.4%) |
| tracing | 15.079 s [15.079 s, 15.079 s] | 134.0 ms (0.9%) |

@jandro996 jandro996 changed the title feat(appsec): expose uploaded file content as new WAF address (APPSEC-61875) feat(appsec): expose uploaded file content as new WAF address server.request.body.files_content Apr 17, 2026
@jandro996 jandro996 marked this pull request as ready for review April 17, 2026 07:50
@jandro996 jandro996 requested a review from a team as a code owner April 17, 2026 07:50
@jandro996 jandro996 changed the title feat(appsec): expose uploaded file content as new WAF address server.request.body.files_content feat(appsec): expose uploaded file content as new WAF address server.request.body.files_content for commons-fileupload Apr 17, 2026

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: baf17b2c8e

@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61875-file-upload-content branch from baf17b2 to 304846b Compare April 17, 2026 07:57
@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61875-file-upload-content branch from a36ff44 to 22d70a0 Compare April 17, 2026 12:55
@jandro996 jandro996 requested a review from a team as a code owner April 17, 2026 12:55
The static readContent method in ParseRequestAdvice created a self-reference
in the inlined advice bytecode (invokestatic on CommonsFileUploadAppSecModule$ParseRequestAdvice)
that muzzle could not resolve in the application classloader, causing the
instrumentation to be silently skipped.

Moves readContent to a new FileItemContentReader helper class declared via
helperClassNames(), which muzzle skips and the HelperInjector injects into
the application classloader at runtime.
@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61875-file-upload-content branch from 4610028 to 2076c7b Compare April 17, 2026 14:20
Without a bound, uploading N files would pass up to N × 4096 bytes to the
WAF in a single call. MAX_FILES_TO_INSPECT = 25 limits total content to
at most 100 KB, consistent with the per-file MAX_CONTENT_BYTES cap.
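As an added illustration (not code from this PR or from the project), the helper below implements the bounded read that the PR description and the commit messages specify: at most 4096 bytes per file decoded as ISO-8859-1, at most 25 files per request, and one entry per uploaded file so the list lines up positionally with server.request.body.filenames. It uses the public commons-fileupload FileItem and DiskFileItemFactory API; the class and method names BoundedFileContentReader, readContents and readPrefix are hypothetical, and the sample input in main is constructed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;

/** Hypothetical helper (not the project's own class): bounded read of upload content for the WAF. */
public final class BoundedFileContentReader {

  /** Per-file cap from the PR: 4096 bytes, decoded as ISO-8859-1. */
  static final int MAX_CONTENT_BYTES = 4096;
  /** File-count cap from the PR: 25 files, so at most 100 KB reaches the WAF in one call. */
  static final int MAX_FILES_TO_INSPECT = 25;

  private BoundedFileContentReader() {}

  /**
   * One entry per uploaded file, in parse order, so index i lines up with the
   * i-th entry of server.request.body.filenames. Plain form fields are skipped;
   * an unreadable file contributes "" instead of shifting the later entries.
   */
  public static List<String> readContents(List<FileItem> items) {
    if (items == null || items.isEmpty()) {
      return Collections.emptyList();
    }
    List<String> contents = new ArrayList<>();
    for (FileItem item : items) {
      if (item.isFormField()) {
        continue; // a regular form field, not a file part
      }
      if (contents.size() >= MAX_FILES_TO_INSPECT) {
        break; // caps total bytes at MAX_FILES_TO_INSPECT * MAX_CONTENT_BYTES
      }
      contents.add(readPrefix(item));
    }
    return contents;
  }

  static String readPrefix(FileItem item) {
    byte[] buf = new byte[MAX_CONTENT_BYTES];
    int total = 0;
    try (InputStream in = item.getInputStream()) {
      int n;
      // read() may return short counts, so keep filling until the cap or EOF
      while (total < buf.length && (n = in.read(buf, total, buf.length - total)) != -1) {
        total += n;
      }
    } catch (IOException e) {
      return "";
    }
    // ISO-8859-1 maps every byte to one char, so binary uploads never fail to decode
    return new String(buf, 0, total, StandardCharsets.ISO_8859_1);
  }

  /** Constructed sample input: one form field plus one 10 000-byte upload. */
  public static void main(String[] args) throws IOException {
    DiskFileItemFactory factory = new DiskFileItemFactory();
    FileItem field = factory.createItem("comment", "text/plain", true, null);
    FileItem upload = factory.createItem("file", "text/plain", false, "notes.txt");
    byte[] body = new byte[10_000];
    Arrays.fill(body, (byte) 'A');
    try (OutputStream out = upload.getOutputStream()) {
      out.write(body);
    }
    List<String> contents = readContents(Arrays.asList(field, upload));
    // The form field is skipped and the upload is truncated to MAX_CONTENT_BYTES chars
    System.out.println(contents.size() + " entry/entries, first has " + contents.get(0).length() + " chars");
  }
}
```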