fix(appsec): distinguish empty filename from absent filename in PartHelper

filenameFromPart() was returning null for both 'no filename parameter' and
'filename=""', causing extractFormFields() to buffer the full body of file
inputs submitted with no file chosen (filename=""). An empty <input type=file>
is still a file part, not a form field. Return "" instead of null so that
callers using != null correctly skip those parts without reading their content.

Update tests to assert "" for empty-filename cases and add regression tests
for extractFormFields/extractFilenames with empty-filename parts.

Note: the second AI comment about getPart(String) double-firing was not
implemented. The bytecode shows the internal call is to
MultiPartInputStream.getParts() (not Request.getParts()), so GetFilenamesAdvice
(which instruments Request.getParts()) is never triggered during a getPart()
call. There is no double-firing.

Author: jandro996

dd-java-agent/instrumentation/jetty/jetty-appsec/jetty-appsec-8.1.3/src/main/java/datadog/trace/instrumentation/jetty8/PartHelper.java

@@ -122,7 +122,10 @@ static String filenameFromPart(Part part) {
         value = cd.substring(valueStart, i).trim();
       }
       if (isFilename) {
-        return value.isEmpty() ? null : value;
+        // Return empty string (not null) so callers can distinguish "filename present but empty"
+        // from "no filename parameter". extractFormFields() uses != null to skip file parts,
+        // so empty string correctly prevents buffering a file-upload body with filename="".
+        return value;
       }
     }
     return null;

dd-java-agent/instrumentation/jetty/jetty-appsec/jetty-appsec-8.1.3/src/test/groovy/datadog/trace/instrumentation/jetty8/PartHelperTest.groovy

@@ -91,20 +91,36 @@ class PartHelperTest extends Specification {
     PartHelper.filenameFromPart(p) == 'photo.jpg'
   }
 
-  def "filenameFromPart returns null for empty quoted filename"() {
+  def "filenameFromPart returns empty string for empty quoted filename"() {
     given:
     Part p = Stub(Part) { getHeader('Content-Disposition') >> 'form-data; name="file"; filename=""' }
 
     expect:
-    PartHelper.filenameFromPart(p) == null
+    PartHelper.filenameFromPart(p) == ''
   }
 
-  def "filenameFromPart returns null for empty unquoted filename"() {
+  def "filenameFromPart returns empty string for empty unquoted filename"() {
     given:
     Part p = Stub(Part) { getHeader('Content-Disposition') >> 'form-data; name="file"; filename=' }
 
     expect:
-    PartHelper.filenameFromPart(p) == null
+    PartHelper.filenameFromPart(p) == ''
+  }
+
+  def "extractFormFields skips part with empty filename"() {
+    given:
+    def parts = [emptyFilenamePart('field')]
+
+    expect:
+    PartHelper.extractFormFields(parts) == [:]
+  }
+
+  def "extractFilenames skips empty filename"() {
+    given:
+    def parts = [emptyFilenamePart('field')]
+
+    expect:
+    PartHelper.extractFilenames(parts) == []
   }
 
   def "filenameFromPart preserves semicolons inside a quoted filename"() {
@@ -192,4 +208,11 @@ class PartHelperTest extends Specification {
     p.getHeader('Content-Disposition') >> "form-data; name=\"file\"; filename=\"${filename}\""
     return p
   }
+
+  /** Creates a stub Part that has filename="" — a file input submitted with no file chosen. */
+  private Part emptyFilenamePart(String name) {
+    Part p = Stub(Part)
+    p.getHeader('Content-Disposition') >> "form-data; name=\"${name}\"; filename=\"\""
+    return p
+  }
 }