fix(appsec): make GlassFishBlockingHelper fields public and avoid BlockingException for Payara blocking

ByteBuddy inlines advice into Multipart.getParts() (package org.apache.catalina.fileupload),
which is a different package than GlassFishBlockingHelper. Package-private static fields
caused IllegalAccessError at runtime crashing the Payara container.

BlockingException thrown from getParts() propagated through Payara's Grizzly pipeline and
caused an ungraceful shutdown. Replace with parts = Collections.emptyList() so the response
is committed (via commitBlocking fallback) and the controller skips processing the parts.

Author: jandro996

dd-java-agent/instrumentation/tomcat/tomcat-appsec/tomcat-appsec-7.0/src/main/java/datadog/trace/instrumentation/tomcat7/GlassFishBlockingHelper.java

@@ -4,15 +4,14 @@
 import datadog.trace.api.Config;
 import datadog.trace.api.gateway.Flow;
 import datadog.trace.bootstrap.blocking.BlockingActionHelper;
-import java.io.OutputStream;
 import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 public final class GlassFishBlockingHelper {
 
-  static final int MAX_FILE_CONTENT_COUNT = Config.get().getAppSecMaxFileContentCount();
-  static final int MAX_FILE_CONTENT_BYTES = Config.get().getAppSecMaxFileContentBytes();
+  public static final int MAX_FILE_CONTENT_COUNT = Config.get().getAppSecMaxFileContentCount();
+  public static final int MAX_FILE_CONTENT_BYTES = Config.get().getAppSecMaxFileContentBytes();
 
   public static boolean commitBlocking(
       HttpServletRequest request,
@@ -38,9 +37,7 @@ public static boolean commitBlocking(
         if (body != null) {
           response.setHeader("Content-Type", BlockingActionHelper.getContentType(type));
           response.setHeader("Content-Length", Integer.toString(body.length));
-          try (OutputStream os = response.getOutputStream()) {
-            os.write(body);
-          }
+          response.getOutputStream().write(body);
         }
       }
       response.flushBuffer();

dd-java-agent/instrumentation/tomcat/tomcat-appsec/tomcat-appsec-7.0/src/main/java/datadog/trace/instrumentation/tomcat7/GlassFishMultipartInstrumentation.java

@@ -6,7 +6,6 @@
 import static net.bytebuddy.matcher.ElementMatchers.takesArguments;
 
 import com.google.auto.service.AutoService;
-import datadog.appsec.api.blocking.BlockingException;
 import datadog.trace.agent.tooling.Instrumenter;
 import datadog.trace.agent.tooling.InstrumenterModule;
 import datadog.trace.api.gateway.BlockResponseFunction;
@@ -22,6 +21,7 @@
 import java.lang.reflect.Method;
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.List;
 import java.util.function.BiFunction;
 import javax.servlet.http.HttpServletRequest;
@@ -79,8 +79,8 @@ public static class GetPartsAdvice {
     @Advice.OnMethodExit(suppress = Throwable.class, onThrowable = Throwable.class)
     static void after(
         @Advice.This Object thisMultipart,
-        @Advice.Return Collection<?> parts,
-        @Advice.Thrown(readOnly = false) Throwable t) {
+        @Advice.Return(readOnly = false) Collection<?> parts,
+        @Advice.Thrown Throwable t) {
       if (t != null || parts == null || parts.isEmpty()) {
         return;
       }
@@ -167,6 +167,8 @@ static void after(
         }
       }
 
+      boolean blocked = false;
+
       if (filenames != null && !filenames.isEmpty() && filenamesCb != null) {
         Flow<Void> flow = filenamesCb.apply(reqCtx, filenames);
         Flow.Action action = flow.getAction();
@@ -175,27 +177,29 @@ static void after(
           BlockResponseFunction brf = reqCtx.getBlockResponseFunction();
           if (brf != null) {
             brf.tryCommitBlockingResponse(reqCtx.getTraceSegment(), rba);
-            t = new BlockingException("Blocked request (GlassFish multipart file upload)");
+            parts = Collections.emptyList();
             reqCtx.getTraceSegment().effectivelyBlocked();
+            blocked = true;
           } else if (GlassFishBlockingHelper.commitBlocking(fallbackReq, fallbackResp, rba)) {
-            t = new BlockingException("Blocked request (GlassFish multipart file upload)");
+            parts = Collections.emptyList();
             reqCtx.getTraceSegment().effectivelyBlocked();
+            blocked = true;
           }
         }
       }
 
-      if (t == null && contents != null && !contents.isEmpty() && contentCb != null) {
+      if (!blocked && contents != null && !contents.isEmpty() && contentCb != null) {
         Flow<Void> contentFlow = contentCb.apply(reqCtx, contents);
         Flow.Action contentAction = contentFlow.getAction();
         if (contentAction instanceof Flow.Action.RequestBlockingAction) {
           Flow.Action.RequestBlockingAction rba = (Flow.Action.RequestBlockingAction) contentAction;
           BlockResponseFunction brf = reqCtx.getBlockResponseFunction();
           if (brf != null) {
             brf.tryCommitBlockingResponse(reqCtx.getTraceSegment(), rba);
-            t = new BlockingException("Blocked request (GlassFish multipart file upload content)");
+            parts = Collections.emptyList();
             reqCtx.getTraceSegment().effectivelyBlocked();
           } else if (GlassFishBlockingHelper.commitBlocking(fallbackReq, fallbackResp, rba)) {
-            t = new BlockingException("Blocked request (GlassFish multipart file upload content)");
+            parts = Collections.emptyList();
             reqCtx.getTraceSegment().effectivelyBlocked();
           }
         }