feat(appsec): add blocking fallback for GlassFish/Payara multipart instrumentation

jandro996 · jandro996 · commit 6e7f1298b20d · 2026-05-06T10:28:49.000+02:00
TomcatServerInstrumentation is muzzled out for Payara's response type, so
BlockResponseFunction is never registered. Add GlassFishBlockingHelper that
commits the blocking response directly via Servlet API, extracting the
HttpServletResponse from Multipart.request (private field) via reflection.
The setAccessible call works because the advice is inlined into Multipart.getParts()
— the same module as the field owner.

Verified against system-tests APPSEC_BLOCKING with spring-boot-payara:
- Test_Blocking_request_body_filenames: passes (was missing_feature)
- Test_Blocking_request_body_files_content: passes (was missing_feature)
diff --git a/dd-java-agent/instrumentation/tomcat/tomcat-appsec/tomcat-appsec-7.0/src/main/java/datadog/trace/instrumentation/tomcat7/GlassFishBlockingHelper.java b/dd-java-agent/instrumentation/tomcat/tomcat-appsec/tomcat-appsec-7.0/src/main/java/datadog/trace/instrumentation/tomcat7/GlassFishBlockingHelper.java
@@ -0,0 +1,48 @@
+package datadog.trace.instrumentation.tomcat7;
+
+import datadog.appsec.api.blocking.BlockingContentType;
+import datadog.trace.api.gateway.Flow;
+import datadog.trace.bootstrap.blocking.BlockingActionHelper;
+import java.io.OutputStream;
+import java.util.Map;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public final class GlassFishBlockingHelper {
+
+  public static boolean commitBlocking(
+      HttpServletRequest request,
+      HttpServletResponse response,
+      Flow.Action.RequestBlockingAction rba) {
+    if (response == null) {
+      return false;
+    }
+    try {
+      if (response.isCommitted()) {
+        return false;
+      }
+      response.reset();
+      response.setStatus(BlockingActionHelper.getHttpCode(rba.getStatusCode()));
+      for (Map.Entry<String, String> e : rba.getExtraHeaders().entrySet()) {
+        response.setHeader(e.getKey(), e.getValue());
+      }
+      if (rba.getBlockingContentType() != BlockingContentType.NONE) {
+        String accept = request != null ? request.getHeader("Accept") : null;
+        BlockingActionHelper.TemplateType type =
+            BlockingActionHelper.determineTemplateType(rba.getBlockingContentType(), accept);
+        byte[] body = BlockingActionHelper.getTemplate(type, rba.getSecurityResponseId());
+        if (body != null) {
+          response.setHeader("Content-Type", BlockingActionHelper.getContentType(type));
+          response.setHeader("Content-Length", Integer.toString(body.length));
+          OutputStream os = response.getOutputStream();
+          os.write(body);
+          os.close();
+        }
+      }
+      response.flushBuffer();
+      return true;
+    } catch (Exception e) {
+      return false;
+    }
+  }
+}
diff --git a/dd-java-agent/instrumentation/tomcat/tomcat-appsec/tomcat-appsec-7.0/src/main/java/datadog/trace/instrumentation/tomcat7/GlassFishMultipartInstrumentation.java b/dd-java-agent/instrumentation/tomcat/tomcat-appsec/tomcat-appsec-7.0/src/main/java/datadog/trace/instrumentation/tomcat7/GlassFishMultipartInstrumentation.java
@@ -19,10 +19,14 @@
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
 import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
 import java.io.InputStream;
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 import java.util.function.BiFunction;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.Part;
 import net.bytebuddy.asm.Advice;
 
@@ -57,6 +61,13 @@ public String instrumentedType() {
     return "org.apache.catalina.fileupload.Multipart";
   }
 
+  @Override
+  public String[] helperClassNames() {
+    return new String[] {
+      "datadog.trace.instrumentation.tomcat7.GlassFishBlockingHelper",
+    };
+  }
+
   @Override
   public void methodAdvice(MethodTransformer transformer) {
     transformer.applyAdvice(
@@ -68,7 +79,9 @@ public static class GetPartsAdvice {
 
     @Advice.OnMethodExit(suppress = Throwable.class, onThrowable = Throwable.class)
     static void after(
-        @Advice.Return Collection<?> parts, @Advice.Thrown(readOnly = false) Throwable t) {
+        @Advice.This Object thisMultipart,
+        @Advice.Return Collection<?> parts,
+        @Advice.Thrown(readOnly = false) Throwable t) {
       if (t != null || parts == null || parts.isEmpty()) {
         return;
       }
@@ -91,6 +104,29 @@ static void after(
         return;
       }
 
+      // Extract servlet request/response for fallback blocking when no BlockResponseFunction is
+      // registered (Payara: TomcatServerInstrumentation is muzzled out for Payara's response type).
+      // setAccessible works here because this code is inlined into Multipart.getParts() —
+      // the same module as the private field's owner class.
+      HttpServletRequest fallbackReq = null;
+      HttpServletResponse fallbackResp = null;
+      try {
+        Field f = thisMultipart.getClass().getDeclaredField("request");
+        f.setAccessible(true);
+        Object catReq = f.get(thisMultipart);
+        if (catReq instanceof HttpServletRequest) {
+          fallbackReq = (HttpServletRequest) catReq;
+        }
+        if (catReq != null) {
+          Method m = catReq.getClass().getMethod("getResponse");
+          Object catResp = m.invoke(catReq);
+          if (catResp instanceof HttpServletResponse) {
+            fallbackResp = (HttpServletResponse) catResp;
+          }
+        }
+      } catch (Exception ignored) {
+      }
+
       int maxFiles = Config.get().getAppSecMaxFileContentCount();
       int maxBytes = Config.get().getAppSecMaxFileContentBytes();
 
@@ -142,6 +178,9 @@ static void after(
             brf.tryCommitBlockingResponse(reqCtx.getTraceSegment(), rba);
             t = new BlockingException("Blocked request (GlassFish multipart file upload)");
             reqCtx.getTraceSegment().effectivelyBlocked();
+          } else if (GlassFishBlockingHelper.commitBlocking(fallbackReq, fallbackResp, rba)) {
+            t = new BlockingException("Blocked request (GlassFish multipart file upload)");
+            reqCtx.getTraceSegment().effectivelyBlocked();
           }
         }
       }
@@ -156,6 +195,9 @@ static void after(
             brf.tryCommitBlockingResponse(reqCtx.getTraceSegment(), rba);
             t = new BlockingException("Blocked request (GlassFish multipart file upload content)");
             reqCtx.getTraceSegment().effectivelyBlocked();
+          } else if (GlassFishBlockingHelper.commitBlocking(fallbackReq, fallbackResp, rba)) {
+            t = new BlockingException("Blocked request (GlassFish multipart file upload content)");
+            reqCtx.getTraceSegment().effectivelyBlocked();
           }
         }
       }
