fix(appsec): move MAX_FILES_TO_INSPECT out of advice inner class to fix muzzle validation

jandro996 · jandro996 · commit acf3a60e0fea · 2026-04-27T10:57:37.000+02:00
Static fields in @RequiresRequestContext advice inner classes trigger muzzle to
treat the advice class itself as a user-classpath class; moving the constant to
NettyFileUploadContentReader (a helper) avoids the self-referential muzzle failure.
diff --git a/dd-java-agent/instrumentation/netty/netty-4.1/src/main/java/datadog/trace/instrumentation/netty41/HttpPostRequestDecoderInstrumentation.java b/dd-java-agent/instrumentation/netty/netty-4.1/src/main/java/datadog/trace/instrumentation/netty41/HttpPostRequestDecoderInstrumentation.java
@@ -12,7 +12,6 @@
 import datadog.trace.agent.tooling.Instrumenter;
 import datadog.trace.agent.tooling.InstrumenterModule;
 import datadog.trace.agent.tooling.muzzle.Reference;
-import datadog.trace.api.Config;
 import datadog.trace.api.gateway.BlockResponseFunction;
 import datadog.trace.api.gateway.CallbackProvider;
 import datadog.trace.api.gateway.Flow;
@@ -88,8 +87,6 @@ public void methodAdvice(MethodTransformer transformer) {
 
   @RequiresRequestContext(RequestContextSlot.APPSEC)
   static class ParseBodyAdvice {
-    private static final int MAX_FILES_TO_INSPECT = Config.get().getAppSecMaxFileContentCount();
-
     @Advice.OnMethodExit(suppress = Throwable.class, onThrowable = Throwable.class)
     static void after(
         @Advice.This InterfaceHttpPostRequestDecoder thiz,
@@ -143,7 +140,7 @@ static void after(
           if (filename != null && !filename.isEmpty()) {
             filenames.add(filename);
           }
-          if (contentCb != null && filesContent.size() < MAX_FILES_TO_INSPECT) {
+          if (contentCb != null && filesContent.size() < NettyFileUploadContentReader.MAX_FILES_TO_INSPECT) {
             filesContent.add(NettyFileUploadContentReader.readContent(fileUpload));
           }
         }
diff --git a/dd-java-agent/instrumentation/netty/netty-4.1/src/main/java/datadog/trace/instrumentation/netty41/NettyFileUploadContentReader.java b/dd-java-agent/instrumentation/netty/netty-4.1/src/main/java/datadog/trace/instrumentation/netty41/NettyFileUploadContentReader.java
@@ -9,6 +9,7 @@
 /** Reads uploaded file content from a Netty {@link FileUpload} for WAF inspection. */
 public final class NettyFileUploadContentReader {
   public static final int MAX_CONTENT_BYTES = Config.get().getAppSecMaxFileContentBytes();
+  public static final int MAX_FILES_TO_INSPECT = Config.get().getAppSecMaxFileContentCount();
 
   public static String readContent(FileUpload fileUpload) {
     try {
