Add server.request.body.filenames support for Tomcat and Netty 4.1 (#10973)

Add server.request.body.filenames instrumentation for Tomcat, Netty 4.1, and Liberty

try/catch it to be safe

refactor due to #10973 (comment)

Address review comments: PartHelper, ParameterCollector safety, fix precedence bug

Merge branch 'master' into alejandro.gonzalez/APPSEC-61873-2

Co-authored-by: devflow.devflow-routing-intake <devflow.devflow-routing-intake@kubernetes.us1.ddbuild.io>

Author: jandro996

dd-java-agent/instrumentation-testing/src/main/groovy/datadog/trace/agent/test/base/HttpServerTest.groovy

@@ -135,6 +135,7 @@ abstract class HttpServerTest<SERVER> extends WithHttpServer<SERVER> {
     ss.registerCallback(events.requestBodyStart(), callbacks.requestBodyStartCb)
     ss.registerCallback(events.requestBodyDone(), callbacks.requestBodyEndCb)
     ss.registerCallback(events.requestBodyProcessed(), callbacks.requestBodyObjectCb)
+    ss.registerCallback(events.requestFilesFilenames(), callbacks.requestFilesFilenamesCb)
     ss.registerCallback(events.responseBody(), callbacks.responseBodyObjectCb)
     ss.registerCallback(events.responseStarted(), callbacks.responseStartedCb)
     ss.registerCallback(events.responseHeader(), callbacks.responseHeaderCb)
@@ -367,6 +368,10 @@ abstract class HttpServerTest<SERVER> extends WithHttpServer<SERVER> {
     false
   }
 
+  boolean testBodyFilenames() {
+    false
+  }
+
   boolean testBodyJson() {
     false
   }
@@ -1618,6 +1623,29 @@ abstract class HttpServerTest<SERVER> extends WithHttpServer<SERVER> {
     }
   }
 
+  def 'test instrumentation gateway file upload filenames'() {
+    setup:
+    assumeTrue(testBodyFilenames())
+    RequestBody fileBody = RequestBody.create(MediaType.parse('application/octet-stream'), 'file content')
+    def body = new MultipartBody.Builder()
+    .setType(MultipartBody.FORM)
+    .addFormDataPart('file', 'evil.php', fileBody)
+    .build()
+    def httpRequest = request(BODY_MULTIPART, 'POST', body).build()
+    def response = client.newCall(httpRequest).execute()
+
+    when:
+    TEST_WRITER.waitForTraces(1)
+
+    then:
+    TEST_WRITER.get(0).any {
+      it.getTag('request.body.filenames') == "[evil.php]"
+    }
+
+    cleanup:
+    response.close()
+  }
+
   def 'test instrumentation gateway json request body'() {
     setup:
     assumeTrue(testBodyJson())
@@ -2552,6 +2580,7 @@ abstract class HttpServerTest<SERVER> extends WithHttpServer<SERVER> {
       boolean responseHeadersInTags
       boolean responseBodyTag
       Object responseBody
+      List<String> uploadedFilenames
     }
 
     static final String stringOrEmpty(String string) {
@@ -2719,6 +2748,15 @@ abstract class HttpServerTest<SERVER> extends WithHttpServer<SERVER> {
       }
     } as BiFunction<RequestContext, Object, Flow<Void>>)
 
+    final BiFunction<RequestContext, List<String>, Flow<Void>> requestFilesFilenamesCb =
+    ({
+      RequestContext rqCtxt, List<String> filenames ->
+      rqCtxt.traceSegment.setTagTop('request.body.filenames', filenames as String)
+      Context context = rqCtxt.getData(RequestContextSlot.APPSEC)
+      context.uploadedFilenames = filenames
+      Flow.ResultFlow.empty()
+    } as BiFunction<RequestContext, List<String>, Flow<Void>>)
+
     final BiFunction<RequestContext, Object, Flow<Void>> responseBodyObjectCb =
     ({
       RequestContext rqCtxt, Object obj ->

dd-java-agent/instrumentation/liberty/liberty-20.0/src/main/java/datadog/trace/instrumentation/liberty20/GetPartsInstrumentation.java

@@ -0,0 +1,89 @@
+package datadog.trace.instrumentation.liberty20;
+
+import static datadog.trace.agent.tooling.bytebuddy.matcher.NameMatchers.named;
+import static datadog.trace.api.gateway.Events.EVENTS;
+import static net.bytebuddy.matcher.ElementMatchers.isMethod;
+import static net.bytebuddy.matcher.ElementMatchers.isPublic;
+import static net.bytebuddy.matcher.ElementMatchers.takesArguments;
+
+import com.google.auto.service.AutoService;
+import datadog.appsec.api.blocking.BlockingException;
+import datadog.trace.advice.ActiveRequestContext;
+import datadog.trace.advice.RequiresRequestContext;
+import datadog.trace.agent.tooling.Instrumenter;
+import datadog.trace.agent.tooling.InstrumenterModule;
+import datadog.trace.api.gateway.BlockResponseFunction;
+import datadog.trace.api.gateway.CallbackProvider;
+import datadog.trace.api.gateway.Flow;
+import datadog.trace.api.gateway.RequestContext;
+import datadog.trace.api.gateway.RequestContextSlot;
+import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
+import java.util.Collection;
+import java.util.List;
+import java.util.function.BiFunction;
+import net.bytebuddy.asm.Advice;
+
+@AutoService(InstrumenterModule.class)
+public class GetPartsInstrumentation extends InstrumenterModule.AppSec
+    implements Instrumenter.ForKnownTypes, Instrumenter.HasMethodAdvice {
+
+  public GetPartsInstrumentation() {
+    super("liberty");
+  }
+
+  @Override
+  public String[] knownMatchingTypes() {
+    return new String[] {
+      "com.ibm.ws.webcontainer.srt.SRTServletRequest",
+      "com.ibm.ws.webcontainer31.srt.SRTServletRequest31",
+    };
+  }
+
+  @Override
+  public String[] helperClassNames() {
+    return new String[] {"datadog.trace.instrumentation.liberty20.PartHelper"};
+  }
+
+  @Override
+  public void methodAdvice(MethodTransformer transformer) {
+    transformer.applyAdvice(
+        isMethod().and(named("getParts")).and(isPublic()).and(takesArguments(0)),
+        GetPartsInstrumentation.class.getName() + "$GetFilenamesAdvice");
+  }
+
+  @RequiresRequestContext(RequestContextSlot.APPSEC)
+  public static class GetFilenamesAdvice {
+    @Advice.OnMethodExit(suppress = Throwable.class, onThrowable = Throwable.class)
+    static void after(
+        @Advice.Return Collection<?> parts,
+        @ActiveRequestContext RequestContext reqCtx,
+        @Advice.Thrown(readOnly = false) Throwable t) {
+      if (t != null) {
+        return;
+      }
+      List<String> filenames = PartHelper.extractFilenames(parts);
+      if (filenames.isEmpty()) {
+        return;
+      }
+      CallbackProvider cbp = AgentTracer.get().getCallbackProvider(RequestContextSlot.APPSEC);
+      BiFunction<RequestContext, List<String>, Flow<Void>> callback =
+          cbp.getCallback(EVENTS.requestFilesFilenames());
+      if (callback == null) {
+        return;
+      }
+      Flow<Void> flow = callback.apply(reqCtx, filenames);
+      Flow.Action action = flow.getAction();
+      if (action instanceof Flow.Action.RequestBlockingAction) {
+        Flow.Action.RequestBlockingAction rba = (Flow.Action.RequestBlockingAction) action;
+        BlockResponseFunction brf = reqCtx.getBlockResponseFunction();
+        if (brf != null) {
+          brf.tryCommitBlockingResponse(reqCtx.getTraceSegment(), rba);
+          if (t == null) {
+            t = new BlockingException("Blocked request (multipart file upload)");
+            reqCtx.getTraceSegment().effectivelyBlocked();
+          }
+        }
+      }
+    }
+  }
+}

dd-java-agent/instrumentation/liberty/liberty-20.0/src/main/java/datadog/trace/instrumentation/liberty20/PartHelper.java

@@ -0,0 +1,74 @@
+package datadog.trace.instrumentation.liberty20;
+
+import java.lang.reflect.Method;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+
+public class PartHelper {
+
+  public static List<String> extractFilenames(Collection<?> parts) {
+    if (parts == null || parts.isEmpty()) {
+      return Collections.emptyList();
+    }
+    Class<?> partClass = parts.iterator().next().getClass();
+    Method getSubmittedFileName = resolveMethod(partClass, "getSubmittedFileName");
+    Method getHeader = resolveMethod(partClass, "getHeader", String.class);
+
+    List<String> filenames = new ArrayList<>();
+    for (Object part : parts) {
+      String name = getSubmittedFilename(getSubmittedFileName, part);
+      if (name == null) {
+        name = getFilenameFromContentDisposition(getHeader, part);
+      }
+      if (name != null && !name.isEmpty()) {
+        filenames.add(name);
+      }
+    }
+    return filenames;
+  }
+
+  private static Method resolveMethod(Class<?> clazz, String name, Class<?>... params) {
+    try {
+      return clazz.getMethod(name, params);
+    } catch (Exception ignored) {
+      return null;
+    }
+  }
+
+  private static String getSubmittedFilename(Method method, Object part) {
+    if (method == null) {
+      return null;
+    }
+    try {
+      return (String) method.invoke(part);
+    } catch (Exception ignored) {
+      return null;
+    }
+  }
+
+  private static String getFilenameFromContentDisposition(Method getHeader, Object part) {
+    if (getHeader == null) {
+      return null;
+    }
+    try {
+      String cd = (String) getHeader.invoke(part, "content-disposition");
+      if (cd == null) {
+        return null;
+      }
+      for (String tok : cd.split(";")) {
+        tok = tok.trim();
+        if (tok.startsWith("filename=")) {
+          String name = tok.substring(9).trim();
+          if (name.startsWith("\"") && name.endsWith("\"")) {
+            name = name.substring(1, name.length() - 1);
+          }
+          return name;
+        }
+      }
+    } catch (Exception ignored) {
+    }
+    return null;
+  }
+}

dd-java-agent/instrumentation/liberty/liberty-20.0/src/test/groovy/datadog/trace/instrumentation/liberty20/Liberty20Test.groovy

@@ -121,6 +121,11 @@ abstract class Liberty20Test extends HttpServerTest<Server> {
     true
   }
 
+  @Override
+  boolean testBodyFilenames() {
+    true
+  }
+
   @Override
   boolean testSessionId() {
     true

dd-java-agent/instrumentation/liberty/liberty-23.0/src/test/groovy/datadog/trace/instrumentation/liberty23/Liberty23Test.groovy

@@ -111,6 +111,11 @@ abstract class Liberty23Test extends HttpServerTest<Server> {
     true
   }
 
+  @Override
+  boolean testBodyFilenames() {
+    true
+  }
+
   @Override
   boolean testSessionId() {
     true

dd-java-agent/instrumentation/netty/netty-4.1/src/main/java/datadog/trace/instrumentation/netty41/HttpPostRequestDecoderInstrumentation.java

@@ -20,6 +20,7 @@
 import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
 import io.netty.handler.codec.http.EmptyHttpHeaders;
 import io.netty.handler.codec.http.multipart.Attribute;
+import io.netty.handler.codec.http.multipart.FileUpload;
 import io.netty.handler.codec.http.multipart.InterfaceHttpData;
 import io.netty.handler.codec.http.multipart.InterfaceHttpPostRequestDecoder;
 import java.io.IOException;
@@ -98,6 +99,7 @@ static void after(
       RuntimeException exc = null;
 
       Map<String, List<String>> attributes = new LinkedHashMap<>();
+      List<String> filenames = new ArrayList<>();
       for (InterfaceHttpData data : thiz.getBodyHttpDatas()) {
         if (data.getHttpDataType() == InterfaceHttpData.HttpDataType.Attribute) {
           String name = data.getName();
@@ -111,6 +113,11 @@ static void after(
           } catch (IOException e) {
             exc = new UndeclaredThrowableException(e);
           }
+        } else if (data.getHttpDataType() == InterfaceHttpData.HttpDataType.FileUpload) {
+          String filename = ((FileUpload) data).getFilename();
+          if (filename != null && !filename.isEmpty()) {
+            filenames.add(filename);
+          }
         }
       }
 
@@ -125,6 +132,24 @@ static void after(
         thr = new BlockingException("Blocked request (multipart/urlencoded post data)");
       }
 
+      if (!filenames.isEmpty()) {
+        BiFunction<RequestContext, List<String>, Flow<Void>> filenamesCb =
+            cbp.getCallback(EVENTS.requestFilesFilenames());
+        if (filenamesCb != null) {
+          Flow<Void> filenamesFlow = filenamesCb.apply(requestContext, filenames);
+          Flow.Action filenamesAction = filenamesFlow.getAction();
+          if (thr == null && filenamesAction instanceof Flow.Action.RequestBlockingAction) {
+            Flow.Action.RequestBlockingAction rba =
+                (Flow.Action.RequestBlockingAction) filenamesAction;
+            BlockResponseFunction brf = requestContext.getBlockResponseFunction();
+            if (brf != null) {
+              brf.tryCommitBlockingResponse(requestContext.getTraceSegment(), rba);
+            }
+            thr = new BlockingException("Blocked request (multipart file upload)");
+          }
+        }
+      }
+
       if (exc != null) {
         // for it to be logged
         throw exc;

dd-java-agent/instrumentation/ratpack-1.5/src/test/groovy/server/RatpackHttpServerTest.groovy

@@ -72,6 +72,11 @@ class RatpackHttpServerTest extends HttpServerTest<EmbeddedApp> {
     true
   }
 
+  @Override
+  boolean testBodyFilenames() {
+    true
+  }
+
   @Override
   boolean testBodyJson() {
     true

dd-java-agent/instrumentation/servlet/javax-servlet/javax-servlet-3.0/src/test/groovy/TomcatServlet3Test.groovy

@@ -365,6 +365,11 @@ class TomcatServlet3TestSync extends TomcatServlet3Test {
     true
   }
 
+  @Override
+  boolean testBodyFilenames() {
+    true
+  }
+
   @Override
   Class<Servlet> servlet() {
     TestServlet3.Sync

dd-java-agent/instrumentation/tomcat/tomcat-5.5/src/latestDepTest/groovy/TomcatServletTest.groovy

@@ -59,6 +59,11 @@ class TomcatServletTest extends AbstractServletTest<Tomcat, Context> {
     true
   }
 
+  @Override
+  boolean testBodyFilenames() {
+    true
+  }
+
   @Override
   boolean testBlockingOnResponse() {
     true