refactor(appsec): unify file content limits via Config for DD_APPSEC_MAX_FILE_CONTENT_BYTES/COUNT

Replace hardcoded constants MAX_CONTENT_BYTES=4096 and MAX_FILES_TO_INSPECT=25
(duplicated across commons-fileupload, Netty, and Tomcat) with two Config-backed
variables: appsec.max.file-content.bytes and appsec.max.file-content.count.

Author: jandro996

dd-java-agent/instrumentation-testing/src/main/groovy/datadog/trace/agent/test/base/HttpServerTest.groovy

@@ -1683,7 +1683,7 @@ abstract class HttpServerTest<SERVER> extends WithHttpServer<SERVER> {
   def 'test instrumentation gateway file upload content truncated at max size'() {
     setup:
     assumeTrue(testBodyFilesContent())
-    def maxContentBytes = 4096
+    def maxContentBytes = Config.get().getAppSecMaxFileContentBytes()
     def body = new MultipartBody.Builder()
     .setType(MultipartBody.FORM)
     .addFormDataPart('file', 'large.bin',
@@ -1708,7 +1708,7 @@ abstract class HttpServerTest<SERVER> extends WithHttpServer<SERVER> {
   def 'test instrumentation gateway file upload content max files limit'() {
     setup:
     assumeTrue(testBodyFilesContent())
-    def maxFilesToInspect = 25
+    def maxFilesToInspect = Config.get().getAppSecMaxFileContentCount()
     def bodyBuilder = new MultipartBody.Builder().setType(MultipartBody.FORM)
     (1..maxFilesToInspect + 1).each {
       i ->

dd-java-agent/instrumentation/commons-fileupload-1.5/src/main/java/datadog/trace/instrumentation/commons/fileupload/FileItemContentReader.java

@@ -1,14 +1,15 @@
 package datadog.trace.instrumentation.commons.fileupload;
 
+import datadog.trace.api.Config;
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
 import org.apache.commons.fileupload.FileItem;
 
 /** Reads uploaded file content for WAF inspection. */
 public final class FileItemContentReader {
-  public static final int MAX_CONTENT_BYTES = 4096;
-  public static final int MAX_FILES_TO_INSPECT = 25;
+  public static final int MAX_CONTENT_BYTES = Config.get().getAppSecMaxFileContentBytes();
+  public static final int MAX_FILES_TO_INSPECT = Config.get().getAppSecMaxFileContentCount();
 
   public static String readContent(FileItem fileItem) {
     try (InputStream is = fileItem.getInputStream()) {

dd-java-agent/instrumentation/netty/netty-4.1/src/main/java/datadog/trace/instrumentation/netty41/HttpPostRequestDecoderInstrumentation.java

@@ -12,6 +12,7 @@
 import datadog.trace.agent.tooling.Instrumenter;
 import datadog.trace.agent.tooling.InstrumenterModule;
 import datadog.trace.agent.tooling.muzzle.Reference;
+import datadog.trace.api.Config;
 import datadog.trace.api.gateway.BlockResponseFunction;
 import datadog.trace.api.gateway.CallbackProvider;
 import datadog.trace.api.gateway.Flow;
@@ -87,7 +88,7 @@ public void methodAdvice(MethodTransformer transformer) {
 
   @RequiresRequestContext(RequestContextSlot.APPSEC)
   static class ParseBodyAdvice {
-    private static final int MAX_FILES_TO_INSPECT = 25;
+    private static final int MAX_FILES_TO_INSPECT = Config.get().getAppSecMaxFileContentCount();
 
     @Advice.OnMethodExit(suppress = Throwable.class, onThrowable = Throwable.class)
     static void after(

dd-java-agent/instrumentation/netty/netty-4.1/src/main/java/datadog/trace/instrumentation/netty41/NettyFileUploadContentReader.java

@@ -1,13 +1,14 @@
 package datadog.trace.instrumentation.netty41;
 
+import datadog.trace.api.Config;
 import io.netty.buffer.ByteBuf;
 import io.netty.handler.codec.http.multipart.FileUpload;
 import java.io.FileInputStream;
 import java.nio.charset.StandardCharsets;
 
 /** Reads uploaded file content from a Netty {@link FileUpload} for WAF inspection. */
 public final class NettyFileUploadContentReader {
-  public static final int MAX_CONTENT_BYTES = 4096;
+  public static final int MAX_CONTENT_BYTES = Config.get().getAppSecMaxFileContentBytes();
 
   public static String readContent(FileUpload fileUpload) {
     try {

dd-java-agent/instrumentation/tomcat/tomcat-appsec/tomcat-appsec-7.0/src/main/java/datadog/trace/instrumentation/tomcat7/ParameterCollector.java

@@ -1,5 +1,6 @@
 package datadog.trace.instrumentation.tomcat7;
 
+import datadog.trace.api.Config;
 import java.io.InputStream;
 import java.lang.reflect.Method;
 import java.nio.charset.StandardCharsets;
@@ -59,8 +60,8 @@ public List<String> getContents() {
   }
 
   class ParameterCollectorImpl implements ParameterCollector {
-    private static final int MAX_CONTENT_BYTES = 4096;
-    private static final int MAX_FILES_TO_INSPECT = 25;
+    private static final int MAX_CONTENT_BYTES = Config.get().getAppSecMaxFileContentBytes();
+    private static final int MAX_FILES_TO_INSPECT = Config.get().getAppSecMaxFileContentCount();
 
     private final boolean inspectContent;
     private Map<String, List<String>> map;

dd-trace-api/src/main/java/datadog/trace/api/ConfigDefaults.java

@@ -144,6 +144,8 @@ public final class ConfigDefaults {
   static final int DEFAULT_APPSEC_MAX_STACK_TRACE_DEPTH = 32;
   static final int DEFAULT_APPSEC_MAX_COLLECTED_HEADERS = 50;
   static final int DEFAULT_APPSEC_BODY_PARSING_SIZE_LIMIT = 10_000_000;
+  static final int DEFAULT_APPSEC_MAX_FILE_CONTENT_BYTES = 4096;
+  static final int DEFAULT_APPSEC_MAX_FILE_CONTENT_COUNT = 25;
   static final String DEFAULT_IAST_ENABLED = "false";
   static final boolean DEFAULT_IAST_DEBUG_ENABLED = false;
   public static final int DEFAULT_IAST_MAX_CONCURRENT_REQUESTS = 4;

dd-trace-api/src/main/java/datadog/trace/api/config/AppSecConfig.java

@@ -50,6 +50,8 @@ public final class AppSecConfig {
   public static final String APPSEC_MAX_STACK_TRACE_DEPTH = "appsec.max.stack-trace.depth";
   public static final String APPSEC_MAX_STACKTRACE_DEPTH_DEPRECATED =
       "appsec.max.stacktrace.depth"; // old non-standard as a fallback alias
+  public static final String APPSEC_MAX_FILE_CONTENT_BYTES = "appsec.max.file-content.bytes";
+  public static final String APPSEC_MAX_FILE_CONTENT_COUNT = "appsec.max.file-content.count";
 
   private AppSecConfig() {}
 }

internal-api/src/main/java/datadog/trace/api/Config.java

@@ -12,6 +12,8 @@
 import static datadog.trace.api.ConfigDefaults.DEFAULT_API_SECURITY_MAX_DOWNSTREAM_REQUEST_BODY_ANALYSIS;
 import static datadog.trace.api.ConfigDefaults.DEFAULT_API_SECURITY_SAMPLE_DELAY;
 import static datadog.trace.api.ConfigDefaults.DEFAULT_APPSEC_BODY_PARSING_SIZE_LIMIT;
+import static datadog.trace.api.ConfigDefaults.DEFAULT_APPSEC_MAX_FILE_CONTENT_BYTES;
+import static datadog.trace.api.ConfigDefaults.DEFAULT_APPSEC_MAX_FILE_CONTENT_COUNT;
 import static datadog.trace.api.ConfigDefaults.DEFAULT_APPSEC_MAX_STACK_TRACES;
 import static datadog.trace.api.ConfigDefaults.DEFAULT_APPSEC_MAX_STACK_TRACE_DEPTH;
 import static datadog.trace.api.ConfigDefaults.DEFAULT_APPSEC_REPORTING_INBAND;
@@ -215,6 +217,8 @@
 import static datadog.trace.api.config.AppSecConfig.APPSEC_HTTP_BLOCKED_TEMPLATE_HTML;
 import static datadog.trace.api.config.AppSecConfig.APPSEC_HTTP_BLOCKED_TEMPLATE_JSON;
 import static datadog.trace.api.config.AppSecConfig.APPSEC_IP_ADDR_HEADER;
+import static datadog.trace.api.config.AppSecConfig.APPSEC_MAX_FILE_CONTENT_BYTES;
+import static datadog.trace.api.config.AppSecConfig.APPSEC_MAX_FILE_CONTENT_COUNT;
 import static datadog.trace.api.config.AppSecConfig.APPSEC_MAX_STACKTRACES_DEPRECATED;
 import static datadog.trace.api.config.AppSecConfig.APPSEC_MAX_STACKTRACE_DEPTH_DEPRECATED;
 import static datadog.trace.api.config.AppSecConfig.APPSEC_MAX_STACK_TRACES;
@@ -1028,6 +1032,8 @@ public static String getHostName() {
   private final int appSecMaxStackTraces;
   private final int appSecMaxStackTraceDepth;
   private final int appSecBodyParsingSizeLimit;
+  private final int appSecMaxFileContentBytes;
+  private final int appSecMaxFileContentCount;
   private final boolean apiSecurityEnabled;
   private final float apiSecuritySampleDelay;
   private final int apiSecurityEndpointCollectionMessageLimit;
@@ -2329,6 +2335,12 @@ PROFILING_DATADOG_PROFILER_ENABLED, isDatadogProfilerSafeInCurrentEnvironment())
     appSecBodyParsingSizeLimit =
         configProvider.getInteger(
             APPSEC_BODY_PARSING_SIZE_LIMIT, DEFAULT_APPSEC_BODY_PARSING_SIZE_LIMIT);
+    appSecMaxFileContentBytes =
+        configProvider.getInteger(
+            APPSEC_MAX_FILE_CONTENT_BYTES, DEFAULT_APPSEC_MAX_FILE_CONTENT_BYTES);
+    appSecMaxFileContentCount =
+        configProvider.getInteger(
+            APPSEC_MAX_FILE_CONTENT_COUNT, DEFAULT_APPSEC_MAX_FILE_CONTENT_COUNT);
     apiSecurityEnabled =
         configProvider.getBoolean(
             API_SECURITY_ENABLED, DEFAULT_API_SECURITY_ENABLED, API_SECURITY_ENABLED_EXPERIMENTAL);
@@ -5599,6 +5611,14 @@ public int getAppSecBodyParsingSizeLimit() {
     return appSecBodyParsingSizeLimit;
   }
 
+  public int getAppSecMaxFileContentBytes() {
+    return appSecMaxFileContentBytes;
+  }
+
+  public int getAppSecMaxFileContentCount() {
+    return appSecMaxFileContentCount;
+  }
+
   public boolean isCloudPayloadTaggingEnabledFor(String serviceName) {
     return cloudPayloadTaggingServices.contains(serviceName);
   }