fix(appsec/jetty): quote-aware Content-Disposition parser in PartHelper

jandro996 · jandro996 · commit 0ce4bf10842e · 2026-04-20T11:14:49.000+02:00
Splitting the header on ';' naively truncated filenames that contain
semicolons inside a quoted value, e.g. filename="shell;evil.php" would
produce "shell" instead of the full name. Replace the split() loop with
a quote-aware state-machine parser that skips semicolons inside quoted
strings and handles backslash-escaped characters. Add test cases for
semicolons in filenames, escaped quotes, and filename appearing before
other parameters.
diff --git a/dd-java-agent/instrumentation/jetty/jetty-appsec/jetty-appsec-8.1.3/src/main/java/datadog/trace/instrumentation/jetty8/PartHelper.java b/dd-java-agent/instrumentation/jetty/jetty-appsec/jetty-appsec-8.1.3/src/main/java/datadog/trace/instrumentation/jetty8/PartHelper.java
@@ -74,20 +74,55 @@ public static Map<String, List<String>> extractFormFields(Collection<?> parts) {
   /**
    * Extracts the {@code filename} value from a {@code Content-Disposition} header, or {@code null}
    * if the part has no filename (i.e. it is a plain form field).
+   *
+   * <p>Uses a quote-aware parser so that semicolons inside a quoted filename (e.g. {@code
+   * filename="shell;evil.php"}) are not mistaken for parameter separators.
    */
   static String filenameFromPart(Part part) {
     String cd = part.getHeader("Content-Disposition");
     if (cd == null) {
       return null;
     }
-    for (String token : cd.split(";")) {
-      token = token.trim();
-      if (token.startsWith("filename=")) {
-        String name = token.substring("filename=".length()).trim();
-        if (name.length() >= 2 && name.charAt(0) == '"' && name.charAt(name.length() - 1) == '"') {
-          name = name.substring(1, name.length() - 1);
+    int len = cd.length();
+    int i = 0;
+    while (i < len) {
+      // Skip separators between parameters
+      while (i < len && (cd.charAt(i) == ';' || cd.charAt(i) == ' ' || cd.charAt(i) == '\t')) {
+        i++;
+      }
+      if (i >= len) break;
+      // Read parameter name (up to '=' or ';')
+      int nameStart = i;
+      while (i < len && cd.charAt(i) != '=' && cd.charAt(i) != ';') {
+        i++;
+      }
+      boolean isFilename = "filename".equalsIgnoreCase(cd.substring(nameStart, i).trim());
+      if (i >= len || cd.charAt(i) == ';') {
+        // Value-less token (e.g. "form-data") — skip
+        continue;
+      }
+      i++; // skip '='
+      String value;
+      if (i < len && cd.charAt(i) == '"') {
+        i++; // skip opening quote
+        StringBuilder sb = new StringBuilder();
+        while (i < len && cd.charAt(i) != '"') {
+          if (cd.charAt(i) == '\\' && i + 1 < len) {
+            i++; // consume escape backslash, add next char literally
+          }
+          sb.append(cd.charAt(i++));
+        }
+        if (i < len) i++; // skip closing quote
+        value = sb.toString();
+      } else {
+        int valueStart = i;
+        while (i < len && cd.charAt(i) != ';') {
+          i++;
         }
-        return name.isEmpty() ? null : name;
+        value = cd.substring(valueStart, i).trim();
+      }
+      if (isFilename) {
+        return value.isEmpty() ? null : value;
       }
     }
     return null;
diff --git a/dd-java-agent/instrumentation/jetty/jetty-appsec/jetty-appsec-8.1.3/src/test/groovy/datadog/trace/instrumentation/jetty8/PartHelperTest.groovy b/dd-java-agent/instrumentation/jetty/jetty-appsec/jetty-appsec-8.1.3/src/test/groovy/datadog/trace/instrumentation/jetty8/PartHelperTest.groovy
@@ -107,6 +107,30 @@ class PartHelperTest extends Specification {
     PartHelper.filenameFromPart(p) == null
   }
 
+  def "filenameFromPart preserves semicolons inside a quoted filename"() {
+    given:
+    Part p = Stub(Part) { getHeader('Content-Disposition') >> 'form-data; name="file"; filename="shell;evil.php"' }
+
+    expect:
+    PartHelper.filenameFromPart(p) == 'shell;evil.php'
+  }
+
+  def "filenameFromPart handles escaped quote inside filename"() {
+    given:
+    Part p = Stub(Part) { getHeader('Content-Disposition') >> 'form-data; name="file"; filename="file\\"name.txt"' }
+
+    expect:
+    PartHelper.filenameFromPart(p) == 'file"name.txt'
+  }
+
+  def "filenameFromPart handles filename before other parameters"() {
+    given:
+    Part p = Stub(Part) { getHeader('Content-Disposition') >> 'form-data; filename="first.txt"; name="file"' }
+
+    expect:
+    PartHelper.filenameFromPart(p) == 'first.txt'
+  }
+
   // ── extractFormFields ───────────────────────────────────────────────────────
 
   def "extractFormFields returns empty map for null collection"() {
