
feat(appsec): expose uploaded file content as new WAF address server.request.body.files_content for commons-fileupload#11137

Open
jandro996 wants to merge 12 commits into master from
alejandro.gonzalez/APPSEC-61875-file-upload-content

Conversation

@jandro996
Member

@jandro996 jandro996 commented Apr 16, 2026

What Does This Do

  • Introduces the server.request.body.files_content address and requestFilesContent() event in the gateway API, wired through GatewayBridge and InstrumentationGateway
  • Extends ServletFileUpload.parseRequest() instrumentation (commons-fileupload) to read up to 4096 bytes of each uploaded file's content and fire the new WAF callback; blocks with a BlockingException on RequestBlockingAction; content event is skipped when the filenames event has already blocked the request

Additional Info

  • Content is capped at 4096 bytes per file to keep memory usage bounded
  • Number of files is capped at 25 files
  • This PR covers the gateway wiring and the commons-fileupload entry point. Coverage for other multipart stacks (Tomcat request.getParts(), Jetty, Liberty) will follow in successive PRs

Contributor Checklist

Jira ticket: APPSEC-61875

Note: Once your PR is ready to merge, add it to the merge queue by commenting /merge. /merge -c cancels the queue request. /merge -f --reason "reason" skips all merge queue checks; please use this judiciously, as some checks do not run at the PR-level. For more information, see this doc.

@github-actions
Contributor

Hi! 👋 Looks like you updated a Git Submodule.
If this was not intentional please make sure to:

@jandro996 jandro996 added type: enhancement Enhancements and improvements comp: asm waf Application Security Management (WAF) labels Apr 16, 2026
…est.body.files_content

Introduces a new AppSec WAF address `server.request.body.files_content`
(`List<String>`) that exposes the content of each uploaded file in a
multipart/form-data request. Entries correspond positionally to the
existing `server.request.body.filenames` address. Content is capped at
4 096 bytes per file (ISO-8859-1) to keep memory usage bounded.

Changes:
- KnownAddresses: add REQUEST_FILES_CONTENT + forName() case
- Events: add requestFilesContent event (ID 31); FILE_WRITTEN bumped to 32
- InstrumentationGateway: register the new BiFunction case
- GatewayBridge: add onRequestFilesContent handler + DATA_DEPENDENCIES entry
- CommonsFileUploadAppSecModule: after firing filenames, fire content
  (skipped when the filenames event already blocked the request)
- Unit tests: GatewayBridgeSpecification, GatewayBridgeIGRegistrationSpecification,
  KnownAddressesSpecificationForkedTest
- Smoke test: 'block request based on malicious file upload content'
  verifies end-to-end blocking via a custom WAF rule on the new address

Closes APPSEC-61875
@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61875-file-upload-content branch from 0de9320 to 37e7d09 Compare April 16, 2026 14:12
@pr-commenter

pr-commenter Bot commented Apr 16, 2026

Benchmarks

Startup

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 63 metrics, 8 unstable metrics.

Startup time reports for insecure-bank
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.056 s -
Agent iast 1.247 s 190.737 ms (18.1%)
Total tracing 8.812 s -
Total iast 9.559 s 747.437 ms (8.5%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.055 s -
Agent iast 1.233 s 178.129 ms (16.9%)
Total tracing 8.827 s -
Total iast 9.523 s 696.1 ms (7.9%)
Startup time reports for petclinic
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.057 s -
Agent appsec 1.27 s 213.351 ms (20.2%)
Agent iast 1.24 s 183.343 ms (17.3%)
Agent profiling 1.2 s 142.779 ms (13.5%)
Total tracing 11.11 s -
Total appsec 11.001 s -109.263 ms (-1.0%)
Total iast 11.366 s 255.434 ms (2.3%)
Total profiling 11.13 s 20.074 ms (0.2%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.056 s -
Agent appsec 1.26 s 204.833 ms (19.4%)
Agent iast 1.231 s 175.917 ms (16.7%)
Agent profiling 1.19 s 134.929 ms (12.8%)
Total tracing 11.072 s -
Total appsec 11.031 s -41.282 ms (-0.4%)
Total iast 11.295 s 223.262 ms (2.0%)
Total profiling 10.976 s -96.027 ms (-0.9%)

Load

Summary

Found 1 performance improvements and 3 performance regressions! Performance is the same for 16 metrics, 16 unstable metrics.

Per-scenario deltas (candidate vs. baseline), with candidate and baseline means:

scenario:load:insecure-bank:iast_GLOBAL:high_load
  • agg_http_req_duration_p50: worse, [+146.989µs; +297.829µs] or [+5.244%; +10.626%] (candidate 3.025ms, baseline 2.803ms)
  • agg_http_req_duration_p95: unstable, [-3.631ms; +12.601ms] or [-45.484%; +157.847%] (candidate 12.468ms, baseline 7.983ms)
  • throughput: unstable, [-215.964op/s; +71.777op/s] or [-16.782%; +5.577%] (candidate 1214.812op/s, baseline 1286.906op/s)

scenario:load:petclinic:code_origins:high_load
  • agg_http_req_duration_p50: worse, [+1.259ms; +1.986ms] or [+7.125%; +11.235%] (candidate 19.297ms, baseline 17.674ms)
  • agg_http_req_duration_p95: worse, [+0.922ms; +2.072ms] or [+3.188%; +7.170%] (candidate 30.400ms, baseline 28.903ms)
  • throughput: unstable, [-46.336op/s; +5.336op/s] or [-17.894%; +2.061%] (candidate 238.438op/s, baseline 258.938op/s)

scenario:load:petclinic:iast:high_load
  • agg_http_req_duration_p50: better, [-1271.244µs; -433.090µs] or [-6.863%; -2.338%] (candidate 17.670ms, baseline 18.522ms)
  • agg_http_req_duration_p95: same, [-1107.943µs; +144.451µs] or [-3.706%; +0.483%] (candidate 29.413ms, baseline 29.895ms)
  • throughput: unstable, [-17.831op/s; +35.144op/s] or [-7.152%; +14.096%] (candidate 257.969op/s, baseline 249.312op/s)
Request duration reports for insecure-bank
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.238 ms [1.226 ms, 1.25 ms] -
iast 3.487 ms [3.436 ms, 3.539 ms] 2.249 ms (181.7%)
iast_FULL 6.011 ms [5.95 ms, 6.071 ms] 4.772 ms (385.4%)
iast_GLOBAL 3.562 ms [3.509 ms, 3.615 ms] 2.324 ms (187.7%)
profiling 2.198 ms [2.179 ms, 2.218 ms] 960.212 µs (77.6%)
tracing 1.975 ms [1.958 ms, 1.993 ms] 737.136 µs (59.5%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.253 ms [1.241 ms, 1.265 ms] -
iast 3.332 ms [3.282 ms, 3.382 ms] 2.08 ms (166.0%)
iast_FULL 6.123 ms [6.06 ms, 6.186 ms] 4.87 ms (388.8%)
iast_GLOBAL 3.786 ms [3.716 ms, 3.856 ms] 2.533 ms (202.2%)
profiling 2.176 ms [2.156 ms, 2.196 ms] 923.336 µs (73.7%)
tracing 1.913 ms [1.895 ms, 1.931 ms] 660.455 µs (52.7%)
Request duration reports for petclinic
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 18.079 ms [17.896 ms, 18.261 ms] -
appsec 18.851 ms [18.659 ms, 19.044 ms] 772.821 µs (4.3%)
code_origins 18.018 ms [17.841 ms, 18.195 ms] -61.006 µs (-0.3%)
iast 18.72 ms [18.533 ms, 18.906 ms] 641.03 µs (3.5%)
profiling 19.319 ms [19.125 ms, 19.513 ms] 1.24 ms (6.9%)
tracing 18.469 ms [18.287 ms, 18.651 ms] 390.454 µs (2.2%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 18.069 ms [17.886 ms, 18.251 ms] -
appsec 19.19 ms [18.996 ms, 19.384 ms] 1.122 ms (6.2%)
code_origins 19.574 ms [19.382 ms, 19.766 ms] 1.506 ms (8.3%)
iast 18.085 ms [17.903 ms, 18.267 ms] 16.035 µs (0.1%)
profiling 19.01 ms [18.822 ms, 19.198 ms] 941.387 µs (5.2%)
tracing 17.999 ms [17.823 ms, 18.175 ms] -70.074 µs (-0.4%)

Dacapo

Summary

Found 1 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 0 unstable metrics.

Per-scenario delta in mean execution_time (candidate vs. baseline):

scenario:dacapo:tomcat:appsec
  • execution_time: better, [-1.460ms; -1.110ms] or [-38.084%; -28.952%] (candidate 2.548ms, baseline 3.832ms)
Execution time for biojava
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.567 s [15.567 s, 15.567 s] -
appsec 14.693 s [14.693 s, 14.693 s] -874.0 ms (-5.6%)
iast 18.669 s [18.669 s, 18.669 s] 3.102 s (19.9%)
iast_GLOBAL 17.807 s [17.807 s, 17.807 s] 2.24 s (14.4%)
profiling 14.771 s [14.771 s, 14.771 s] -796.0 ms (-5.1%)
tracing 14.854 s [14.854 s, 14.854 s] -713.0 ms (-4.6%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.443 s [15.443 s, 15.443 s] -
appsec 15.014 s [15.014 s, 15.014 s] -429.0 ms (-2.8%)
iast 18.668 s [18.668 s, 18.668 s] 3.225 s (20.9%)
iast_GLOBAL 18.066 s [18.066 s, 18.066 s] 2.623 s (17.0%)
profiling 15.493 s [15.493 s, 15.493 s] 50.0 ms (0.3%)
tracing 14.767 s [14.767 s, 14.767 s] -676.0 ms (-4.4%)
Execution time for tomcat
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.488 ms [1.476 ms, 1.499 ms] -
appsec 3.832 ms [3.609 ms, 4.056 ms] 2.345 ms (157.6%)
iast 2.272 ms [2.203 ms, 2.342 ms] 784.373 µs (52.7%)
iast_GLOBAL 2.33 ms [2.259 ms, 2.401 ms] 842.423 µs (56.6%)
profiling 2.1 ms [2.045 ms, 2.155 ms] 612.052 µs (41.1%)
tracing 2.077 ms [2.023 ms, 2.13 ms] 588.919 µs (39.6%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.486 ms [1.474 ms, 1.497 ms] -
appsec 2.548 ms [2.493 ms, 2.603 ms] 1.062 ms (71.5%)
iast 2.271 ms [2.201 ms, 2.341 ms] 785.243 µs (52.9%)
iast_GLOBAL 2.321 ms [2.251 ms, 2.391 ms] 835.247 µs (56.2%)
profiling 2.101 ms [2.046 ms, 2.156 ms] 615.292 µs (41.4%)
tracing 2.077 ms [2.024 ms, 2.131 ms] 591.373 µs (39.8%)

@jandro996 jandro996 changed the title feat(appsec): expose uploaded file content as new WAF address (APPSEC-61875) feat(appsec): expose uploaded file content as new WAF address server.request.body.files_content Apr 17, 2026
@jandro996 jandro996 marked this pull request as ready for review April 17, 2026 07:50
@jandro996 jandro996 requested a review from a team as a code owner April 17, 2026 07:50
@jandro996 jandro996 changed the title feat(appsec): expose uploaded file content as new WAF address server.request.body.files_content feat(appsec): expose uploaded file content as new WAF address server.request.body.files_content for commons-fileupload Apr 17, 2026

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: baf17b2c8e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61875-file-upload-content branch from baf17b2 to 304846b Compare April 17, 2026 07:57
@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61875-file-upload-content branch from a36ff44 to 22d70a0 Compare April 17, 2026 12:55
@jandro996 jandro996 requested a review from a team as a code owner April 17, 2026 12:55
The static readContent method in ParseRequestAdvice created a self-reference
in the inlined advice bytecode (invokestatic on CommonsFileUploadAppSecModule$ParseRequestAdvice)
that muzzle could not resolve in the application classloader, causing the
instrumentation to be silently skipped.

Moves readContent to a new FileItemContentReader helper class declared via
helperClassNames(), which muzzle skips and the HelperInjector injects into
the application classloader at runtime.
@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61875-file-upload-content branch from 4610028 to 2076c7b Compare April 17, 2026 14:20
Without a bound, uploading N files would pass up to N × 4096 bytes to the
WAF in a single call. MAX_FILES_TO_INSPECT = 25 limits total content to
at most 100 KB, consistent with the per-file MAX_CONTENT_BYTES cap.
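As an added illustration of the bounded read that the PR description and this commit describe (example code, not dd-trace-java's own FileItemContentReader or advice), the following standalone Java reader applies the 4096-byte per-file and 25-file caps over commons-fileupload FileItem objects. The class and method names are assumed, as are two behaviours the page does not state: plain form fields are skipped, and an item whose stream cannot be read contributes an empty string.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;

/**
 * Illustrative reader (hypothetical name, not the project's class): collects a bounded prefix of
 * each uploaded file so it can be handed to a WAF address such as server.request.body.files_content
 * without letting a large or multi-file upload drive memory use.
 */
public final class BoundedUploadContentReader {
  /** Per-file cap from the PR: at most 4096 bytes of each file are read. */
  static final int MAX_CONTENT_BYTES = 4096;
  /** File-count cap from the PR: at most 25 files, so at most 100 KB per request reaches the WAF. */
  static final int MAX_FILES_TO_INSPECT = 25;

  private BoundedUploadContentReader() {}

  /** Reads at most MAX_CONTENT_BYTES from one item, decoding as ISO-8859-1 (one byte per char, lossless). */
  static String readContent(FileItem item) {
    byte[] buf = new byte[MAX_CONTENT_BYTES];
    int total = 0;
    try (InputStream in = item.getInputStream()) {
      int n;
      // Loop: a single read() may return fewer bytes than the remaining capacity.
      while (total < buf.length && (n = in.read(buf, total, buf.length - total)) != -1) {
        total += n;
      }
    } catch (IOException e) {
      // Assumption: an unreadable item yields empty content instead of failing the request.
      return "";
    }
    return new String(buf, 0, total, StandardCharsets.ISO_8859_1);
  }

  /** Reads content for up to MAX_FILES_TO_INSPECT file items; plain form fields are skipped (assumption). */
  public static List<String> readContents(List<FileItem> items) {
    if (items == null || items.isEmpty()) {
      return Collections.emptyList();
    }
    List<String> contents = new ArrayList<>();
    for (FileItem item : items) {
      if (item.isFormField()) {
        continue;
      }
      if (contents.size() >= MAX_FILES_TO_INSPECT) {
        break; // files beyond the cap are not inspected; this keeps the total bounded
      }
      contents.add(readContent(item));
    }
    return contents;
  }

  /** Constructed demo input: one small text file and one file larger than the per-file cap. */
  public static void main(String[] args) throws IOException {
    DiskFileItemFactory factory = new DiskFileItemFactory();
    FileItem small = factory.createItem("doc", "text/plain", false, "notes.txt");
    try (OutputStream out = small.getOutputStream()) {
      out.write("hello upload".getBytes(StandardCharsets.ISO_8859_1));
    }
    FileItem big = factory.createItem("doc", "application/octet-stream", false, "big.bin");
    try (OutputStream out = big.getOutputStream()) {
      out.write(new byte[10_000]); // exceeds MAX_CONTENT_BYTES; only the first 4096 are kept
    }
    List<FileItem> items = new ArrayList<>();
    items.add(small);
    items.add(big);
    for (String content : readContents(items)) {
      System.out.println(content.length() + " chars inspected");
    }
  }
}
```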
@jandro996 jandro996 marked this pull request as draft April 22, 2026 12:03
@jandro996 jandro996 marked this pull request as ready for review April 22, 2026 12:48

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 92ed45d8a8


…strumentation

- Rename CommonsFileUploadAppSecModule to CommonsFileUploadAppSecInstrumentation
- Extract readContents() loop to FileItemContentReader for testability
- Add unit tests for readContents() including MAX_FILES_TO_INSPECT cap
- Parametrize readContent size boundary tests with where: block
- Fix incorrect positional-alignment claim in KnownAddresses Javadoc
- Fix FileItemContentReader Javadoc to describe purpose not deployment