Add server.request.body.filenames support for Jersey and RESTEasy

Author: jandro996

dd-java-agent/instrumentation/jersey/jersey-2.0/src/jersey2JettyTest/groovy/datadog/trace/instrumentation/jersey2/Jersey2JettyTest.groovy

@@ -54,6 +54,11 @@ class Jersey2JettyTest extends HttpServerTest<JettyServer> {
     true
   }
 
+  @Override
+  boolean testBodyFilenames() {
+    true
+  }
+
   @Override
   boolean testBodyJson() {
     true

dd-java-agent/instrumentation/jersey/jersey-2.0/src/jersey3JettyTest/groovy/datadog/trace/instrumentation/jersey3/Jersey3JettyTest.groovy

@@ -53,6 +53,11 @@ class Jersey3JettyTest extends HttpServerTest<JettyServer> {
     true
   }
 
+  @Override
+  boolean testBodyFilenames() {
+    true
+  }
+
   @Override
   boolean testBodyJson() {
     true

dd-java-agent/instrumentation/jersey/jersey-appsec/jersey-appsec-2.0/src/main/java/datadog/trace/instrumentation/jersey2/MultiPartReaderServerSideInstrumentation.java

@@ -27,6 +27,7 @@
 import net.bytebuddy.asm.Advice;
 import org.glassfish.jersey.media.multipart.BodyPart;
 import org.glassfish.jersey.media.multipart.FormDataBodyPart;
+import org.glassfish.jersey.media.multipart.FormDataContentDisposition;
 import org.glassfish.jersey.media.multipart.MultiPart;
 import org.glassfish.jersey.message.internal.MediaTypes;
 
@@ -72,42 +73,69 @@ static void after(
       CallbackProvider cbp = AgentTracer.get().getCallbackProvider(RequestContextSlot.APPSEC);
       BiFunction<RequestContext, Object, Flow<Void>> callback =
           cbp.getCallback(EVENTS.requestBodyProcessed());
-      if (callback == null) {
+      BiFunction<RequestContext, List<String>, Flow<Void>> filenamesCallback =
+          cbp.getCallback(EVENTS.requestFilesFilenames());
+      if (callback == null && filenamesCallback == null) {
         return;
       }
 
-      Map<String, List<String>> map = new HashMap<>();
+      Map<String, List<String>> map = callback != null ? new HashMap<>() : null;
+      List<String> filenames = filenamesCallback != null ? new ArrayList<>() : null;
       for (BodyPart bodyPart : ret.getBodyParts()) {
         if (!(bodyPart instanceof FormDataBodyPart)) {
           continue;
         }
         FormDataBodyPart dataBodyPart = (FormDataBodyPart) bodyPart;
-        if (!MediaTypes.typeEqual(MediaType.TEXT_PLAIN_TYPE, dataBodyPart.getMediaType())) {
-          continue;
+        if (map != null
+            && MediaTypes.typeEqual(MediaType.TEXT_PLAIN_TYPE, dataBodyPart.getMediaType())) {
+          // if the type of dataBodyPart.getEntity() is BodyPartEntity, it is safe to read the part
+          // more than once. So we're not depriving the application of the data by consuming it here
+          String v = dataBodyPart.getValue();
+          String name = dataBodyPart.getName();
+          List<String> values = map.get(name);
+          if (values == null) {
+            values = new ArrayList<>();
+            map.put(name, values);
+          }
+          values.add(v);
         }
-        // if the type of dataBodyPart.getEntity() is BodyPartEntity, it is safe to read the part
-        // more than once. So we're not depriving the application of the data by consuming it here
-        String v = dataBodyPart.getValue();
-
-        String name = dataBodyPart.getName();
-        List<String> values = map.get(name);
-        if (values == null) {
-          values = new ArrayList<>();
-          map.put(name, values);
+        if (filenames != null) {
+          FormDataContentDisposition cd = dataBodyPart.getFormDataContentDisposition();
+          if (cd != null) {
+            String filename = cd.getFileName();
+            if (filename != null && !filename.isEmpty()) {
+              filenames.add(filename);
+            }
+          }
         }
+      }
 
-        values.add(v);
+      if (map != null) {
+        Flow<Void> flow = callback.apply(reqCtx, map);
+        Flow.Action action = flow.getAction();
+        if (action instanceof Flow.Action.RequestBlockingAction) {
+          Flow.Action.RequestBlockingAction rba = (Flow.Action.RequestBlockingAction) action;
+          BlockResponseFunction blockResponseFunction = reqCtx.getBlockResponseFunction();
+          if (blockResponseFunction != null) {
+            blockResponseFunction.tryCommitBlockingResponse(reqCtx.getTraceSegment(), rba);
+            t = new BlockingException("Blocked request (for MultiPartReaderClientSide/readFrom)");
+            reqCtx.getTraceSegment().effectivelyBlocked();
+          }
+        }
       }
 
-      Flow<Void> flow = callback.apply(reqCtx, map);
-      Flow.Action action = flow.getAction();
-      if (action instanceof Flow.Action.RequestBlockingAction) {
-        Flow.Action.RequestBlockingAction rba = (Flow.Action.RequestBlockingAction) action;
-        BlockResponseFunction blockResponseFunction = reqCtx.getBlockResponseFunction();
-        if (blockResponseFunction != null) {
-          blockResponseFunction.tryCommitBlockingResponse(reqCtx.getTraceSegment(), rba);
-          t = new BlockingException("Blocked request (for MultiPartReaderClientSide/readFrom)");
-          reqCtx.getTraceSegment().effectivelyBlocked();
+      if (filenames != null && !filenames.isEmpty()) {
+        Flow<Void> filenamesFlow = filenamesCallback.apply(reqCtx, filenames);
+        Flow.Action filenamesAction = filenamesFlow.getAction();
+        if (t == null && filenamesAction instanceof Flow.Action.RequestBlockingAction) {
+          Flow.Action.RequestBlockingAction rba =
+              (Flow.Action.RequestBlockingAction) filenamesAction;
+          BlockResponseFunction blockResponseFunction = reqCtx.getBlockResponseFunction();
+          if (blockResponseFunction != null) {
+            blockResponseFunction.tryCommitBlockingResponse(reqCtx.getTraceSegment(), rba);
+            t = new BlockingException("Blocked request (multipart file upload)");
+            reqCtx.getTraceSegment().effectivelyBlocked();
+          }
         }
       }
     }

dd-java-agent/instrumentation/jersey/jersey-appsec/jersey-appsec-3.0/src/main/java/datadog/trace/instrumentation/jersey3/MultiPartReaderServerSideInstrumentation.java

@@ -27,6 +27,7 @@
 import net.bytebuddy.asm.Advice;
 import org.glassfish.jersey.media.multipart.BodyPart;
 import org.glassfish.jersey.media.multipart.FormDataBodyPart;
+import org.glassfish.jersey.media.multipart.FormDataContentDisposition;
 import org.glassfish.jersey.media.multipart.MultiPart;
 import org.glassfish.jersey.message.internal.MediaTypes;
 
@@ -72,42 +73,69 @@ static void after(
       CallbackProvider cbp = AgentTracer.get().getCallbackProvider(RequestContextSlot.APPSEC);
       BiFunction<RequestContext, Object, Flow<Void>> callback =
           cbp.getCallback(EVENTS.requestBodyProcessed());
-      if (callback == null) {
+      BiFunction<RequestContext, List<String>, Flow<Void>> filenamesCallback =
+          cbp.getCallback(EVENTS.requestFilesFilenames());
+      if (callback == null && filenamesCallback == null) {
         return;
       }
 
-      Map<String, List<String>> map = new HashMap<>();
+      Map<String, List<String>> map = callback != null ? new HashMap<>() : null;
+      List<String> filenames = filenamesCallback != null ? new ArrayList<>() : null;
       for (BodyPart bodyPart : ret.getBodyParts()) {
         if (!(bodyPart instanceof FormDataBodyPart)) {
           continue;
         }
         FormDataBodyPart dataBodyPart = (FormDataBodyPart) bodyPart;
-        if (!MediaTypes.typeEqual(MediaType.TEXT_PLAIN_TYPE, dataBodyPart.getMediaType())) {
-          continue;
+        if (map != null
+            && MediaTypes.typeEqual(MediaType.TEXT_PLAIN_TYPE, dataBodyPart.getMediaType())) {
+          // if the type of dataBodyPart.getEntity() is BodyPartEntity, it is safe to read the part
+          // more than once. So we're not depriving the application of the data by consuming it here
+          String v = dataBodyPart.getValue();
+          String name = dataBodyPart.getName();
+          List<String> values = map.get(name);
+          if (values == null) {
+            values = new ArrayList<>();
+            map.put(name, values);
+          }
+          values.add(v);
         }
-        // if the type of dataBodyPart.getEntity() is BodyPartEntity, it is safe to read the part
-        // more than once. So we're not depriving the application of the data by consuming it here
-        String v = dataBodyPart.getValue();
-
-        String name = dataBodyPart.getName();
-        List<String> values = map.get(name);
-        if (values == null) {
-          values = new ArrayList<>();
-          map.put(name, values);
+        if (filenames != null) {
+          FormDataContentDisposition cd = dataBodyPart.getFormDataContentDisposition();
+          if (cd != null) {
+            String filename = cd.getFileName();
+            if (filename != null && !filename.isEmpty()) {
+              filenames.add(filename);
+            }
+          }
         }
+      }
 
-        values.add(v);
+      if (map != null) {
+        Flow<Void> flow = callback.apply(reqCtx, map);
+        Flow.Action action = flow.getAction();
+        if (action instanceof Flow.Action.RequestBlockingAction) {
+          Flow.Action.RequestBlockingAction rba = (Flow.Action.RequestBlockingAction) action;
+          BlockResponseFunction blockResponseFunction = reqCtx.getBlockResponseFunction();
+          if (blockResponseFunction != null) {
+            blockResponseFunction.tryCommitBlockingResponse(reqCtx.getTraceSegment(), rba);
+            t = new BlockingException("Blocked request (for MultiPartReaderClientSide/readFrom)");
+            reqCtx.getTraceSegment().effectivelyBlocked();
+          }
+        }
       }
 
-      Flow<Void> flow = callback.apply(reqCtx, map);
-      Flow.Action action = flow.getAction();
-      if (action instanceof Flow.Action.RequestBlockingAction) {
-        Flow.Action.RequestBlockingAction rba = (Flow.Action.RequestBlockingAction) action;
-        BlockResponseFunction blockResponseFunction = reqCtx.getBlockResponseFunction();
-        if (blockResponseFunction != null) {
-          blockResponseFunction.tryCommitBlockingResponse(reqCtx.getTraceSegment(), rba);
-          t = new BlockingException("Blocked request (for MultiPartReaderClientSide/readFrom)");
-          reqCtx.getTraceSegment().effectivelyBlocked();
+      if (filenames != null && !filenames.isEmpty()) {
+        Flow<Void> filenamesFlow = filenamesCallback.apply(reqCtx, filenames);
+        Flow.Action filenamesAction = filenamesFlow.getAction();
+        if (t == null && filenamesAction instanceof Flow.Action.RequestBlockingAction) {
+          Flow.Action.RequestBlockingAction rba =
+              (Flow.Action.RequestBlockingAction) filenamesAction;
+          BlockResponseFunction blockResponseFunction = reqCtx.getBlockResponseFunction();
+          if (blockResponseFunction != null) {
+            blockResponseFunction.tryCommitBlockingResponse(reqCtx.getTraceSegment(), rba);
+            t = new BlockingException("Blocked request (multipart file upload)");
+            reqCtx.getTraceSegment().effectivelyBlocked();
+          }
         }
       }
     }

dd-java-agent/instrumentation/resteasy/resteasy-appsec-3.0/src/main/java/datadog/trace/instrumentation/resteasy/MultipartFormDataReaderInstrumentation.java

@@ -18,6 +18,7 @@
 import datadog.trace.api.gateway.RequestContextSlot;
 import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
 import java.io.IOException;
+import java.lang.reflect.Method;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
@@ -72,30 +73,122 @@ static void after(
       CallbackProvider cbp = AgentTracer.get().getCallbackProvider(RequestContextSlot.APPSEC);
       BiFunction<RequestContext, Object, Flow<Void>> callback =
           cbp.getCallback(EVENTS.requestBodyProcessed());
-      if (callback == null) {
+      BiFunction<RequestContext, List<String>, Flow<Void>> filenamesCallback =
+          cbp.getCallback(EVENTS.requestFilesFilenames());
+      if (callback == null && filenamesCallback == null) {
         return;
       }
 
-      Map<String, List<String>> m = new HashMap<>();
-      for (Map.Entry<String, List<InputPart>> e : ret.getFormDataMap().entrySet()) {
-        List<String> strings = new ArrayList<>();
-        m.put(e.getKey(), strings);
-        for (InputPart inputPart : e.getValue()) {
-          strings.add(inputPart.getBodyAsString());
+      if (callback != null) {
+        Map<String, List<String>> m = new HashMap<>();
+        for (Map.Entry<String, List<InputPart>> e : ret.getFormDataMap().entrySet()) {
+          List<String> strings = new ArrayList<>();
+          m.put(e.getKey(), strings);
+          for (InputPart inputPart : e.getValue()) {
+            strings.add(inputPart.getBodyAsString());
+          }
+        }
+
+        Flow<Void> flow = callback.apply(reqCtx, m);
+        Flow.Action action = flow.getAction();
+        if (action instanceof Flow.Action.RequestBlockingAction) {
+          Flow.Action.RequestBlockingAction rba = (Flow.Action.RequestBlockingAction) action;
+          BlockResponseFunction blockResponseFunction = reqCtx.getBlockResponseFunction();
+          if (blockResponseFunction != null) {
+            blockResponseFunction.tryCommitBlockingResponse(reqCtx.getTraceSegment(), rba);
+            t = new BlockingException("Blocked request (for MultipartFormDataInput/readFrom)");
+            reqCtx.getTraceSegment().effectivelyBlocked();
+          }
         }
       }
 
-      Flow<Void> flow = callback.apply(reqCtx, m);
-      Flow.Action action = flow.getAction();
-      if (action instanceof Flow.Action.RequestBlockingAction) {
-        Flow.Action.RequestBlockingAction rba = (Flow.Action.RequestBlockingAction) action;
-        BlockResponseFunction blockResponseFunction = reqCtx.getBlockResponseFunction();
-        if (blockResponseFunction != null) {
-          blockResponseFunction.tryCommitBlockingResponse(reqCtx.getTraceSegment(), rba);
-          t = new BlockingException("Blocked request (for MultipartFormDataInput/readFrom)");
-          reqCtx.getTraceSegment().effectivelyBlocked();
+      if (filenamesCallback != null) {
+        List<String> filenames = new ArrayList<>();
+        // Reflection avoids a bytecode ref to MultivaluedMap (javax→jakarta in RESTEasy 6)
+        Method getHeadersMethod = null;
+        try {
+          getHeadersMethod = InputPart.class.getMethod("getHeaders");
+        } catch (NoSuchMethodException ignored) {
+        }
+        if (getHeadersMethod != null) {
+          for (Map.Entry<String, List<InputPart>> e : ret.getFormDataMap().entrySet()) {
+            for (InputPart inputPart : e.getValue()) {
+              List<String> cdHeaders;
+              try {
+                @SuppressWarnings("unchecked")
+                Map<String, List<String>> headers =
+                    (Map<String, List<String>>) getHeadersMethod.invoke(inputPart);
+                cdHeaders = headers != null ? headers.get("Content-Disposition") : null;
+              } catch (Exception ignored) {
+                continue;
+              }
+              if (cdHeaders == null || cdHeaders.isEmpty()) {
+                continue;
+              }
+              String filename = filenameFromContentDisposition(cdHeaders.get(0));
+              if (filename != null && !filename.isEmpty()) {
+                filenames.add(filename);
+              }
+            }
+          }
+        }
+        if (!filenames.isEmpty()) {
+          Flow<Void> filenamesFlow = filenamesCallback.apply(reqCtx, filenames);
+          Flow.Action filenamesAction = filenamesFlow.getAction();
+          if (t == null && filenamesAction instanceof Flow.Action.RequestBlockingAction) {
+            Flow.Action.RequestBlockingAction rba =
+                (Flow.Action.RequestBlockingAction) filenamesAction;
+            BlockResponseFunction blockResponseFunction = reqCtx.getBlockResponseFunction();
+            if (blockResponseFunction != null) {
+              blockResponseFunction.tryCommitBlockingResponse(reqCtx.getTraceSegment(), rba);
+              t = new BlockingException("Blocked request (multipart file upload)");
+              reqCtx.getTraceSegment().effectivelyBlocked();
+            }
+          }
+        }
+      }
+    }
+
+    // Quote-aware: semicolons inside quoted filenames (e.g. filename="a;b.php") are not separators
+    static String filenameFromContentDisposition(String cd) {
+      int i = 0;
+      int len = cd.length();
+      while (i < len) {
+        // advance to the next ';', skipping over any quoted strings
+        while (i < len && cd.charAt(i) != ';') {
+          if (cd.charAt(i) == '"') {
+            i++;
+            while (i < len && cd.charAt(i) != '"') {
+              if (cd.charAt(i) == '\\') i++;
+              i++;
+            }
+          }
+          i++;
+        }
+        if (i >= len) break;
+        i++; // skip ';'
+        while (i < len && cd.charAt(i) == ' ') i++;
+        if (cd.regionMatches(true, i, "filename=", 0, 9)) {
+          i += 9;
+          if (i >= len) return null;
+          if (cd.charAt(i) == '"') {
+            i++; // skip opening '"'
+            StringBuilder sb = new StringBuilder();
+            while (i < len && cd.charAt(i) != '"') {
+              if (cd.charAt(i) == '\\' && i + 1 < len) i++; // unescape
+              sb.append(cd.charAt(i++));
+            }
+            String name = sb.toString();
+            return name.isEmpty() ? null : name;
+          } else {
+            int start = i;
+            while (i < len && cd.charAt(i) != ';') i++;
+            String name = cd.substring(start, i).trim();
+            return name.isEmpty() ? null : name;
+          }
         }
       }
+      return null;
     }
   }
 }