Add server.request.body.filenames support for Jersey and RESTEasy

Author: jandro996

dd-java-agent/instrumentation/grizzly/grizzly-http-2.3.20/src/test/groovy/GrizzlyTest.groovy

@@ -49,6 +49,11 @@ class GrizzlyTest extends HttpServerTest<HttpServer> {
     true
   }
 
+  @Override
+  boolean testBodyFilenames() {
+    true
+  }
+
   @Override
   boolean testBodyJson() {
     true

dd-java-agent/instrumentation/jersey/jersey-2.0/src/jersey2JettyTest/groovy/datadog/trace/instrumentation/jersey2/Jersey2JettyTest.groovy

@@ -54,6 +54,11 @@ class Jersey2JettyTest extends HttpServerTest<JettyServer> {
     true
   }
 
+  @Override
+  boolean testBodyFilenames() {
+    true
+  }
+
   @Override
   boolean testBodyJson() {
     true

dd-java-agent/instrumentation/jersey/jersey-2.0/src/jersey3JettyTest/groovy/datadog/trace/instrumentation/jersey3/Jersey3JettyTest.groovy

@@ -53,6 +53,11 @@ class Jersey3JettyTest extends HttpServerTest<JettyServer> {
     true
   }
 
+  @Override
+  boolean testBodyFilenames() {
+    true
+  }
+
   @Override
   boolean testBodyJson() {
     true

dd-java-agent/instrumentation/jersey/jersey-appsec/jersey-appsec-2.0/build.gradle

@@ -31,10 +31,16 @@ muzzle {
 
 apply from: "$rootDir/gradle/java.gradle"
 
+configurations.configureEach {
+  resolutionStrategy.deactivateDependencyLocking()
+}
+
 dependencies {
   compileOnly group: 'org.glassfish.jersey.core', name: 'jersey-common', version: '2.0'
   compileOnly group: 'org.glassfish.jersey.core', name: 'jersey-server', version: '2.0'
   compileOnly group: 'org.glassfish.jersey.media', name: 'jersey-media-multipart', version: '2.0'
+
+  testImplementation group: 'org.glassfish.jersey.media', name: 'jersey-media-multipart', version: '2.18'
 }
 
 // tested in grizzly-http-2.3.20

dd-java-agent/instrumentation/jersey/jersey-appsec/jersey-appsec-2.0/src/main/java/datadog/trace/instrumentation/jersey2/MultiPartHelper.java

@@ -0,0 +1,16 @@
+package datadog.trace.instrumentation.jersey2;
+
+import org.glassfish.jersey.media.multipart.FormDataBodyPart;
+import org.glassfish.jersey.media.multipart.FormDataContentDisposition;
+
+public final class MultiPartHelper {
+
+  private MultiPartHelper() {}
+
+  public static String filenameFromBodyPart(FormDataBodyPart bodyPart) {
+    FormDataContentDisposition cd = bodyPart.getFormDataContentDisposition();
+    if (cd == null) return null;
+    String filename = cd.getFileName();
+    return (filename == null || filename.isEmpty()) ? null : filename;
+  }
+}

dd-java-agent/instrumentation/jersey/jersey-appsec/jersey-appsec-2.0/src/main/java/datadog/trace/instrumentation/jersey2/MultiPartReaderServerSideInstrumentation.java

@@ -48,6 +48,11 @@ public String instrumentedType() {
     return "org.glassfish.jersey.media.multipart.internal.MultiPartReaderServerSide";
   }
 
+  @Override
+  public String[] helperClassNames() {
+    return new String[] {packageName + ".MultiPartHelper"};
+  }
+
   @Override
   public void methodAdvice(MethodTransformer transformer) {
     transformer.applyAdvice(
@@ -72,42 +77,66 @@ static void after(
       CallbackProvider cbp = AgentTracer.get().getCallbackProvider(RequestContextSlot.APPSEC);
       BiFunction<RequestContext, Object, Flow<Void>> callback =
           cbp.getCallback(EVENTS.requestBodyProcessed());
-      if (callback == null) {
+      BiFunction<RequestContext, List<String>, Flow<Void>> filenamesCallback =
+          cbp.getCallback(EVENTS.requestFilesFilenames());
+      if (callback == null && filenamesCallback == null) {
         return;
       }
 
-      Map<String, List<String>> map = new HashMap<>();
+      Map<String, List<String>> map = callback != null ? new HashMap<>() : null;
+      List<String> filenames = filenamesCallback != null ? new ArrayList<>() : null;
       for (BodyPart bodyPart : ret.getBodyParts()) {
         if (!(bodyPart instanceof FormDataBodyPart)) {
           continue;
         }
         FormDataBodyPart dataBodyPart = (FormDataBodyPart) bodyPart;
-        if (!MediaTypes.typeEqual(MediaType.TEXT_PLAIN_TYPE, dataBodyPart.getMediaType())) {
-          continue;
+        if (map != null
+            && MediaTypes.typeEqual(MediaType.TEXT_PLAIN_TYPE, dataBodyPart.getMediaType())) {
+          // if the type of dataBodyPart.getEntity() is BodyPartEntity, it is safe to read the part
+          // more than once. So we're not depriving the application of the data by consuming it here
+          String v = dataBodyPart.getValue();
+          String name = dataBodyPart.getName();
+          List<String> values = map.get(name);
+          if (values == null) {
+            values = new ArrayList<>();
+            map.put(name, values);
+          }
+          values.add(v);
         }
-        // if the type of dataBodyPart.getEntity() is BodyPartEntity, it is safe to read the part
-        // more than once. So we're not depriving the application of the data by consuming it here
-        String v = dataBodyPart.getValue();
-
-        String name = dataBodyPart.getName();
-        List<String> values = map.get(name);
-        if (values == null) {
-          values = new ArrayList<>();
-          map.put(name, values);
+        if (filenames != null) {
+          String filename = MultiPartHelper.filenameFromBodyPart(dataBodyPart);
+          if (filename != null) {
+            filenames.add(filename);
+          }
         }
+      }
 
-        values.add(v);
+      if (map != null) {
+        Flow<Void> flow = callback.apply(reqCtx, map);
+        Flow.Action action = flow.getAction();
+        if (action instanceof Flow.Action.RequestBlockingAction) {
+          Flow.Action.RequestBlockingAction rba = (Flow.Action.RequestBlockingAction) action;
+          BlockResponseFunction blockResponseFunction = reqCtx.getBlockResponseFunction();
+          if (blockResponseFunction != null) {
+            blockResponseFunction.tryCommitBlockingResponse(reqCtx.getTraceSegment(), rba);
+            t = new BlockingException("Blocked request (for MultiPartReaderClientSide/readFrom)");
+            reqCtx.getTraceSegment().effectivelyBlocked();
+          }
+        }
       }
 
-      Flow<Void> flow = callback.apply(reqCtx, map);
-      Flow.Action action = flow.getAction();
-      if (action instanceof Flow.Action.RequestBlockingAction) {
-        Flow.Action.RequestBlockingAction rba = (Flow.Action.RequestBlockingAction) action;
-        BlockResponseFunction blockResponseFunction = reqCtx.getBlockResponseFunction();
-        if (blockResponseFunction != null) {
-          blockResponseFunction.tryCommitBlockingResponse(reqCtx.getTraceSegment(), rba);
-          t = new BlockingException("Blocked request (for MultiPartReaderClientSide/readFrom)");
-          reqCtx.getTraceSegment().effectivelyBlocked();
+      if (filenames != null && !filenames.isEmpty()) {
+        Flow<Void> filenamesFlow = filenamesCallback.apply(reqCtx, filenames);
+        Flow.Action filenamesAction = filenamesFlow.getAction();
+        if (t == null && filenamesAction instanceof Flow.Action.RequestBlockingAction) {
+          Flow.Action.RequestBlockingAction rba =
+              (Flow.Action.RequestBlockingAction) filenamesAction;
+          BlockResponseFunction blockResponseFunction = reqCtx.getBlockResponseFunction();
+          if (blockResponseFunction != null) {
+            blockResponseFunction.tryCommitBlockingResponse(reqCtx.getTraceSegment(), rba);
+            t = new BlockingException("Blocked request (multipart file upload)");
+            reqCtx.getTraceSegment().effectivelyBlocked();
+          }
         }
       }
     }

dd-java-agent/instrumentation/jersey/jersey-appsec/jersey-appsec-2.0/src/test/groovy/MultiPartHelperTest.groovy

@@ -0,0 +1,52 @@
+import datadog.trace.instrumentation.jersey2.MultiPartHelper
+import org.glassfish.jersey.media.multipart.FormDataBodyPart
+import org.glassfish.jersey.media.multipart.FormDataContentDisposition
+import spock.lang.Specification
+
+class MultiPartHelperTest extends Specification {
+
+  def "returns null when content disposition is null"() {
+    given:
+    def bodyPart = Mock(FormDataBodyPart)
+    bodyPart.getFormDataContentDisposition() >> null
+
+    expect:
+    MultiPartHelper.filenameFromBodyPart(bodyPart) == null
+  }
+
+  def "returns null when filename is null"() {
+    given:
+    def cd = Mock(FormDataContentDisposition)
+    cd.getFileName() >> null
+    def bodyPart = Mock(FormDataBodyPart)
+    bodyPart.getFormDataContentDisposition() >> cd
+
+    expect:
+    MultiPartHelper.filenameFromBodyPart(bodyPart) == null
+  }
+
+  def "returns null when filename is empty"() {
+    given:
+    def cd = Mock(FormDataContentDisposition)
+    cd.getFileName() >> ''
+    def bodyPart = Mock(FormDataBodyPart)
+    bodyPart.getFormDataContentDisposition() >> cd
+
+    expect:
+    MultiPartHelper.filenameFromBodyPart(bodyPart) == null
+  }
+
+  def "extracts filename"() {
+    given:
+    def cd = Mock(FormDataContentDisposition)
+    cd.getFileName() >> filename
+    def bodyPart = Mock(FormDataBodyPart)
+    bodyPart.getFormDataContentDisposition() >> cd
+
+    expect:
+    MultiPartHelper.filenameFromBodyPart(bodyPart) == filename
+
+    where:
+    filename << ['report.php', 'upload.txt', 'shell;evil.php', 'file"name.php']
+  }
+}

dd-java-agent/instrumentation/jersey/jersey-appsec/jersey-appsec-3.0/build.gradle

@@ -24,10 +24,16 @@ muzzle {
 
 apply from: "$rootDir/gradle/java.gradle"
 
+configurations.configureEach {
+  resolutionStrategy.deactivateDependencyLocking()
+}
+
 dependencies {
   compileOnly group: 'org.glassfish.jersey.core', name: 'jersey-common', version: '3.0.0'
   compileOnly group: 'org.glassfish.jersey.core', name: 'jersey-server', version: '3.0.0'
   compileOnly group: 'org.glassfish.jersey.media', name: 'jersey-media-multipart', version: '3.0.0'
+
+  testImplementation group: 'org.glassfish.jersey.media', name: 'jersey-media-multipart', version: '3.1.2'
 }
 
 // tested in GrizzlyTest/GrizzlyAsyncTest

dd-java-agent/instrumentation/jersey/jersey-appsec/jersey-appsec-3.0/src/main/java/datadog/trace/instrumentation/jersey3/MultiPartHelper.java

@@ -0,0 +1,16 @@
+package datadog.trace.instrumentation.jersey3;
+
+import org.glassfish.jersey.media.multipart.FormDataBodyPart;
+import org.glassfish.jersey.media.multipart.FormDataContentDisposition;
+
+public final class MultiPartHelper {
+
+  private MultiPartHelper() {}
+
+  public static String filenameFromBodyPart(FormDataBodyPart bodyPart) {
+    FormDataContentDisposition cd = bodyPart.getFormDataContentDisposition();
+    if (cd == null) return null;
+    String filename = cd.getFileName();
+    return (filename == null || filename.isEmpty()) ? null : filename;
+  }
+}

dd-java-agent/instrumentation/jersey/jersey-appsec/jersey-appsec-3.0/src/main/java/datadog/trace/instrumentation/jersey3/MultiPartReaderServerSideInstrumentation.java

@@ -48,6 +48,11 @@ public String instrumentedType() {
     return "org.glassfish.jersey.media.multipart.internal.MultiPartReaderServerSide";
   }
 
+  @Override
+  public String[] helperClassNames() {
+    return new String[] {packageName + ".MultiPartHelper"};
+  }
+
   @Override
   public void methodAdvice(MethodTransformer transformer) {
     transformer.applyAdvice(
@@ -72,42 +77,66 @@ static void after(
       CallbackProvider cbp = AgentTracer.get().getCallbackProvider(RequestContextSlot.APPSEC);
       BiFunction<RequestContext, Object, Flow<Void>> callback =
           cbp.getCallback(EVENTS.requestBodyProcessed());
-      if (callback == null) {
+      BiFunction<RequestContext, List<String>, Flow<Void>> filenamesCallback =
+          cbp.getCallback(EVENTS.requestFilesFilenames());
+      if (callback == null && filenamesCallback == null) {
         return;
       }
 
-      Map<String, List<String>> map = new HashMap<>();
+      Map<String, List<String>> map = callback != null ? new HashMap<>() : null;
+      List<String> filenames = filenamesCallback != null ? new ArrayList<>() : null;
       for (BodyPart bodyPart : ret.getBodyParts()) {
         if (!(bodyPart instanceof FormDataBodyPart)) {
           continue;
         }
         FormDataBodyPart dataBodyPart = (FormDataBodyPart) bodyPart;
-        if (!MediaTypes.typeEqual(MediaType.TEXT_PLAIN_TYPE, dataBodyPart.getMediaType())) {
-          continue;
+        if (map != null
+            && MediaTypes.typeEqual(MediaType.TEXT_PLAIN_TYPE, dataBodyPart.getMediaType())) {
+          // if the type of dataBodyPart.getEntity() is BodyPartEntity, it is safe to read the part
+          // more than once. So we're not depriving the application of the data by consuming it here
+          String v = dataBodyPart.getValue();
+          String name = dataBodyPart.getName();
+          List<String> values = map.get(name);
+          if (values == null) {
+            values = new ArrayList<>();
+            map.put(name, values);
+          }
+          values.add(v);
         }
-        // if the type of dataBodyPart.getEntity() is BodyPartEntity, it is safe to read the part
-        // more than once. So we're not depriving the application of the data by consuming it here
-        String v = dataBodyPart.getValue();
-
-        String name = dataBodyPart.getName();
-        List<String> values = map.get(name);
-        if (values == null) {
-          values = new ArrayList<>();
-          map.put(name, values);
+        if (filenames != null) {
+          String filename = MultiPartHelper.filenameFromBodyPart(dataBodyPart);
+          if (filename != null) {
+            filenames.add(filename);
+          }
         }
+      }
 
-        values.add(v);
+      if (map != null) {
+        Flow<Void> flow = callback.apply(reqCtx, map);
+        Flow.Action action = flow.getAction();
+        if (action instanceof Flow.Action.RequestBlockingAction) {
+          Flow.Action.RequestBlockingAction rba = (Flow.Action.RequestBlockingAction) action;
+          BlockResponseFunction blockResponseFunction = reqCtx.getBlockResponseFunction();
+          if (blockResponseFunction != null) {
+            blockResponseFunction.tryCommitBlockingResponse(reqCtx.getTraceSegment(), rba);
+            t = new BlockingException("Blocked request (for MultiPartReaderClientSide/readFrom)");
+            reqCtx.getTraceSegment().effectivelyBlocked();
+          }
+        }
       }
 
-      Flow<Void> flow = callback.apply(reqCtx, map);
-      Flow.Action action = flow.getAction();
-      if (action instanceof Flow.Action.RequestBlockingAction) {
-        Flow.Action.RequestBlockingAction rba = (Flow.Action.RequestBlockingAction) action;
-        BlockResponseFunction blockResponseFunction = reqCtx.getBlockResponseFunction();
-        if (blockResponseFunction != null) {
-          blockResponseFunction.tryCommitBlockingResponse(reqCtx.getTraceSegment(), rba);
-          t = new BlockingException("Blocked request (for MultiPartReaderClientSide/readFrom)");
-          reqCtx.getTraceSegment().effectivelyBlocked();
+      if (filenames != null && !filenames.isEmpty()) {
+        Flow<Void> filenamesFlow = filenamesCallback.apply(reqCtx, filenames);
+        Flow.Action filenamesAction = filenamesFlow.getAction();
+        if (t == null && filenamesAction instanceof Flow.Action.RequestBlockingAction) {
+          Flow.Action.RequestBlockingAction rba =
+              (Flow.Action.RequestBlockingAction) filenamesAction;
+          BlockResponseFunction blockResponseFunction = reqCtx.getBlockResponseFunction();
+          if (blockResponseFunction != null) {
+            blockResponseFunction.tryCommitBlockingResponse(reqCtx.getTraceSegment(), rba);
+            t = new BlockingException("Blocked request (multipart file upload)");
+            reqCtx.getTraceSegment().effectivelyBlocked();
+          }
         }
       }
     }