feat(appsec): extend RASP file I/O coverage to FileReader, FileWriter, RandomAccessFile, Files.* and FileChannel

Extends RASP callsite instrumentation (APPSEC-61874) beyond FileInputStream/FileOutputStream
to all remaining Java file I/O APIs that were not covered. No IAST changes.

New callsites:
- FileReaderCallSite: FileReader(String/File) + Java 11+ Charset variants → beforeFileLoaded
- FileWriterCallSite: FileWriter(String/File/boolean) + Java 11+ Charset variants → beforeFileWritten
- RandomAccessFileCallSite: RandomAccessFile(String/File, mode) → beforeFileLoaded for "r",
  both beforeFileLoaded + beforeFileWritten for "rw"/"rws"/"rwd"
- FilesCallSite: all Files.* read and write methods (newOutputStream, copy(IS,Path),
  write, writeString, newBufferedWriter, move, newInputStream, readAllBytes, readAllLines,
  readString, newBufferedReader, lines)
- FileChannelCallSite: FileChannel.open(Path, ...) → fires both read and write callbacks

Extended callsites:
- PathCallSite: add resolve(Path) and resolveSibling(Path) → beforeFileLoaded
- PathsCallSite: add Path.of(String[], URI) (Java 11+) → beforeFileLoaded

FileIORaspHelper: add beforeRandomAccessFileOpened(path, mode) helper

Relates to #11084 and #11113

Author: jandro996

dd-java-agent/instrumentation/java/java-io-1.8/src/main/java/datadog/trace/instrumentation/java/lang/FileChannelCallSite.java

@@ -0,0 +1,25 @@
+package datadog.trace.instrumentation.java.lang;
+
+import datadog.trace.agent.tooling.csi.CallSite;
+import datadog.trace.api.appsec.RaspCallSites;
+import java.nio.file.Path;
+import javax.annotation.Nullable;
+
+@CallSite(
+    spi = {RaspCallSites.class},
+    helpers = FileIORaspHelper.class)
+public class FileChannelCallSite {
+
+  @CallSite.Before(
+      "java.nio.channels.FileChannel java.nio.channels.FileChannel.open(java.nio.file.Path, java.nio.file.OpenOption[])")
+  @CallSite.Before(
+      "java.nio.channels.FileChannel java.nio.channels.FileChannel.open(java.nio.file.Path, java.util.Set, java.nio.file.attribute.FileAttribute[])")
+  public static void beforeOpen(@CallSite.Argument(0) @Nullable final Path path) {
+    if (path != null) {
+      // Fire both read and write callbacks: the WAF determines whether to block
+      // based on the full request context (e.g. zipslip requires body.filenames too).
+      FileIORaspHelper.INSTANCE.beforeFileLoaded(path.toString());
+      FileIORaspHelper.INSTANCE.beforeFileWritten(path.toString());
+    }
+  }
+}

dd-java-agent/instrumentation/java/java-io-1.8/src/main/java/datadog/trace/instrumentation/java/lang/FileIORaspHelper.java

@@ -101,6 +101,18 @@ public void beforeFileWritten(@Nonnull final String path) {
     invokeRaspCallback(EVENTS.fileWritten(), path);
   }
 
+  /**
+   * Fires {@link #beforeFileLoaded} for read modes ("r"), and both {@link #beforeFileLoaded} and
+   * {@link #beforeFileWritten} for write modes ("rw", "rws", "rwd").
+   */
+  public void beforeRandomAccessFileOpened(@Nonnull final String path, @Nonnull final String mode) {
+    // "r" = read only; "rw", "rws", "rwd" = read + write
+    beforeFileLoaded(path);
+    if (mode.length() > 1) {
+      beforeFileWritten(path);
+    }
+  }
+
   private void invokeRaspCallback(
       EventType<BiFunction<RequestContext, String, Flow<Void>>> eventType,
       @Nonnull final String path) {

dd-java-agent/instrumentation/java/java-io-1.8/src/main/java/datadog/trace/instrumentation/java/lang/FileReaderCallSite.java

@@ -0,0 +1,34 @@
+package datadog.trace.instrumentation.java.lang;
+
+import datadog.trace.agent.tooling.csi.CallSite;
+import datadog.trace.api.appsec.RaspCallSites;
+import java.io.File;
+import javax.annotation.Nullable;
+
+@CallSite(
+    spi = {RaspCallSites.class},
+    helpers = FileIORaspHelper.class)
+public class FileReaderCallSite {
+
+  @CallSite.Before("void java.io.FileReader.<init>(java.lang.String)")
+  // Java 11+: FileReader(String, Charset)
+  @CallSite.Before("void java.io.FileReader.<init>(java.lang.String, java.nio.charset.Charset)")
+  public static void beforeConstructor(@CallSite.Argument(0) @Nullable final String path) {
+    if (path != null) {
+      raspCallback(path);
+    }
+  }
+
+  @CallSite.Before("void java.io.FileReader.<init>(java.io.File)")
+  // Java 11+: FileReader(File, Charset)
+  @CallSite.Before("void java.io.FileReader.<init>(java.io.File, java.nio.charset.Charset)")
+  public static void beforeConstructorFile(@CallSite.Argument(0) @Nullable final File file) {
+    if (file != null) {
+      raspCallback(file.getPath());
+    }
+  }
+
+  private static void raspCallback(final String path) {
+    FileIORaspHelper.INSTANCE.beforeFileLoaded(path);
+  }
+}

dd-java-agent/instrumentation/java/java-io-1.8/src/main/java/datadog/trace/instrumentation/java/lang/FileWriterCallSite.java

@@ -0,0 +1,40 @@
+package datadog.trace.instrumentation.java.lang;
+
+import datadog.trace.agent.tooling.csi.CallSite;
+import datadog.trace.api.appsec.RaspCallSites;
+import java.io.File;
+import javax.annotation.Nullable;
+
+@CallSite(
+    spi = {RaspCallSites.class},
+    helpers = FileIORaspHelper.class)
+public class FileWriterCallSite {
+
+  @CallSite.Before("void java.io.FileWriter.<init>(java.lang.String)")
+  @CallSite.Before("void java.io.FileWriter.<init>(java.lang.String, boolean)")
+  // Java 11+: FileWriter(String, Charset) and FileWriter(String, Charset, boolean)
+  @CallSite.Before("void java.io.FileWriter.<init>(java.lang.String, java.nio.charset.Charset)")
+  @CallSite.Before(
+      "void java.io.FileWriter.<init>(java.lang.String, java.nio.charset.Charset, boolean)")
+  public static void beforeConstructor(@CallSite.Argument(0) @Nullable final String path) {
+    if (path != null) {
+      raspCallback(path);
+    }
+  }
+
+  @CallSite.Before("void java.io.FileWriter.<init>(java.io.File)")
+  @CallSite.Before("void java.io.FileWriter.<init>(java.io.File, boolean)")
+  // Java 11+: FileWriter(File, Charset) and FileWriter(File, Charset, boolean)
+  @CallSite.Before("void java.io.FileWriter.<init>(java.io.File, java.nio.charset.Charset)")
+  @CallSite.Before(
+      "void java.io.FileWriter.<init>(java.io.File, java.nio.charset.Charset, boolean)")
+  public static void beforeConstructorFile(@CallSite.Argument(0) @Nullable final File file) {
+    if (file != null) {
+      raspCallback(file.getPath());
+    }
+  }
+
+  private static void raspCallback(final String path) {
+    FileIORaspHelper.INSTANCE.beforeFileWritten(path);
+  }
+}

dd-java-agent/instrumentation/java/java-io-1.8/src/main/java/datadog/trace/instrumentation/java/lang/FilesCallSite.java

@@ -0,0 +1,78 @@
+package datadog.trace.instrumentation.java.lang;
+
+import datadog.trace.agent.tooling.csi.CallSite;
+import datadog.trace.api.appsec.RaspCallSites;
+import java.nio.file.Path;
+import javax.annotation.Nullable;
+
+@CallSite(
+    spi = {RaspCallSites.class},
+    helpers = FileIORaspHelper.class)
+public class FilesCallSite {
+
+  // ===================== WRITE =====================
+
+  @CallSite.Before(
+      "java.io.OutputStream java.nio.file.Files.newOutputStream(java.nio.file.Path, java.nio.file.OpenOption[])")
+  @CallSite.Before(
+      "java.nio.file.Path java.nio.file.Files.write(java.nio.file.Path, byte[], java.nio.file.OpenOption[])")
+  @CallSite.Before(
+      "java.nio.file.Path java.nio.file.Files.write(java.nio.file.Path, java.lang.Iterable, java.nio.charset.Charset, java.nio.file.OpenOption[])")
+  @CallSite.Before(
+      "java.nio.file.Path java.nio.file.Files.write(java.nio.file.Path, java.lang.Iterable, java.nio.file.OpenOption[])")
+  // Java 11+: Files.writeString variants
+  @CallSite.Before(
+      "java.nio.file.Path java.nio.file.Files.writeString(java.nio.file.Path, java.lang.CharSequence, java.nio.file.OpenOption[])")
+  @CallSite.Before(
+      "java.nio.file.Path java.nio.file.Files.writeString(java.nio.file.Path, java.lang.CharSequence, java.nio.charset.Charset, java.nio.file.OpenOption[])")
+  @CallSite.Before(
+      "java.io.BufferedWriter java.nio.file.Files.newBufferedWriter(java.nio.file.Path, java.nio.charset.Charset, java.nio.file.OpenOption[])")
+  @CallSite.Before(
+      "java.io.BufferedWriter java.nio.file.Files.newBufferedWriter(java.nio.file.Path, java.nio.file.OpenOption[])")
+  public static void beforeWrite(@CallSite.Argument(0) @Nullable final Path path) {
+    if (path != null) {
+      FileIORaspHelper.INSTANCE.beforeFileWritten(path.toString());
+    }
+  }
+
+  @CallSite.Before(
+      "long java.nio.file.Files.copy(java.io.InputStream, java.nio.file.Path, java.nio.file.CopyOption[])")
+  public static void beforeCopyFromStream(@CallSite.Argument(1) @Nullable final Path target) {
+    if (target != null) {
+      FileIORaspHelper.INSTANCE.beforeFileWritten(target.toString());
+    }
+  }
+
+  @CallSite.Before(
+      "java.nio.file.Path java.nio.file.Files.move(java.nio.file.Path, java.nio.file.Path, java.nio.file.CopyOption[])")
+  public static void beforeMove(@CallSite.Argument(1) @Nullable final Path target) {
+    if (target != null) {
+      FileIORaspHelper.INSTANCE.beforeFileWritten(target.toString());
+    }
+  }
+
+  // ===================== READ =====================
+
+  @CallSite.Before(
+      "java.io.InputStream java.nio.file.Files.newInputStream(java.nio.file.Path, java.nio.file.OpenOption[])")
+  @CallSite.Before("byte[] java.nio.file.Files.readAllBytes(java.nio.file.Path)")
+  @CallSite.Before(
+      "java.util.List java.nio.file.Files.readAllLines(java.nio.file.Path, java.nio.charset.Charset)")
+  @CallSite.Before("java.util.List java.nio.file.Files.readAllLines(java.nio.file.Path)")
+  // Java 11+: Files.readString variants
+  @CallSite.Before("java.lang.String java.nio.file.Files.readString(java.nio.file.Path)")
+  @CallSite.Before(
+      "java.lang.String java.nio.file.Files.readString(java.nio.file.Path, java.nio.charset.Charset)")
+  @CallSite.Before(
+      "java.io.BufferedReader java.nio.file.Files.newBufferedReader(java.nio.file.Path, java.nio.charset.Charset)")
+  @CallSite.Before(
+      "java.io.BufferedReader java.nio.file.Files.newBufferedReader(java.nio.file.Path)")
+  @CallSite.Before(
+      "java.util.stream.Stream java.nio.file.Files.lines(java.nio.file.Path, java.nio.charset.Charset)")
+  @CallSite.Before("java.util.stream.Stream java.nio.file.Files.lines(java.nio.file.Path)")
+  public static void beforeRead(@CallSite.Argument(0) @Nullable final Path path) {
+    if (path != null) {
+      FileIORaspHelper.INSTANCE.beforeFileLoaded(path.toString());
+    }
+  }
+}

dd-java-agent/instrumentation/java/java-io-1.8/src/main/java/datadog/trace/instrumentation/java/lang/PathCallSite.java

@@ -7,6 +7,7 @@
 import datadog.trace.api.iast.Sink;
 import datadog.trace.api.iast.VulnerabilityTypes;
 import datadog.trace.api.iast.sink.PathTraversalModule;
+import java.nio.file.Path;
 import javax.annotation.Nullable;
 
 @Sink(VulnerabilityTypes.PATH_TRAVERSAL)
@@ -24,6 +25,14 @@ public static void beforeResolve(@CallSite.Argument @Nullable final String other
     }
   }
 
+  @CallSite.Before("java.nio.file.Path java.nio.file.Path.resolve(java.nio.file.Path)")
+  @CallSite.Before("java.nio.file.Path java.nio.file.Path.resolveSibling(java.nio.file.Path)")
+  public static void beforeResolveWithPath(@CallSite.Argument @Nullable final Path other) {
+    if (other != null) {
+      raspCallback(other.toString());
+    }
+  }
+
   private static void iastCallback(String other) {
     final PathTraversalModule module = InstrumentationBridge.PATH_TRAVERSAL;
     if (module != null) {

dd-java-agent/instrumentation/java/java-io-1.8/src/main/java/datadog/trace/instrumentation/java/lang/PathsCallSite.java

@@ -35,6 +35,23 @@ public static void beforeGet(@CallSite.Argument @Nullable final URI uri) {
     }
   }
 
+  // Java 11+: Path.of — equivalent to Paths.get but defined on the Path interface
+  @CallSite.Before("java.nio.file.Path java.nio.file.Path.of(java.lang.String, java.lang.String[])")
+  public static void beforeOf(
+      @CallSite.Argument @Nullable final String first,
+      @CallSite.Argument @Nullable final String[] more) {
+    if (first != null && more != null) {
+      raspCallback(first, more);
+    }
+  }
+
+  @CallSite.Before("java.nio.file.Path java.nio.file.Path.of(java.net.URI)")
+  public static void beforeOfUri(@CallSite.Argument @Nullable final URI uri) {
+    if (uri != null) {
+      raspCallback(uri);
+    }
+  }
+
   private static void iastCallback(URI uri) {
     final PathTraversalModule module = InstrumentationBridge.PATH_TRAVERSAL;
     if (module != null) {

dd-java-agent/instrumentation/java/java-io-1.8/src/main/java/datadog/trace/instrumentation/java/lang/RandomAccessFileCallSite.java

@@ -0,0 +1,30 @@
+package datadog.trace.instrumentation.java.lang;
+
+import datadog.trace.agent.tooling.csi.CallSite;
+import datadog.trace.api.appsec.RaspCallSites;
+import java.io.File;
+import javax.annotation.Nullable;
+
+@CallSite(
+    spi = {RaspCallSites.class},
+    helpers = FileIORaspHelper.class)
+public class RandomAccessFileCallSite {
+
+  @CallSite.Before("void java.io.RandomAccessFile.<init>(java.lang.String, java.lang.String)")
+  public static void beforeConstructor(
+      @CallSite.Argument(0) @Nullable final String name,
+      @CallSite.Argument(1) @Nullable final String mode) {
+    if (name != null && mode != null) {
+      FileIORaspHelper.INSTANCE.beforeRandomAccessFileOpened(name, mode);
+    }
+  }
+
+  @CallSite.Before("void java.io.RandomAccessFile.<init>(java.io.File, java.lang.String)")
+  public static void beforeConstructorFile(
+      @CallSite.Argument(0) @Nullable final File file,
+      @CallSite.Argument(1) @Nullable final String mode) {
+    if (file != null && mode != null) {
+      FileIORaspHelper.INSTANCE.beforeRandomAccessFileOpened(file.getPath(), mode);
+    }
+  }
+}

dd-java-agent/instrumentation/java/java-io-1.8/src/test/groovy/datadog/trace/instrumentation/java/io/FileChannelCallSiteTest.groovy

@@ -0,0 +1,52 @@
+package datadog.trace.instrumentation.java.io
+
+import datadog.trace.instrumentation.java.lang.FileIORaspHelper
+import foo.bar.TestFileChannelSuite
+
+import java.nio.file.StandardOpenOption
+
+class FileChannelCallSiteTest extends BaseIoRaspCallSiteTest {
+
+  void 'test RASP FileChannel.open read-only fires beforeFileLoaded'() {
+    setup:
+    final helper = Mock(FileIORaspHelper)
+    FileIORaspHelper.INSTANCE = helper
+    final path = newFile('test_rasp_fc_read.txt').toPath()
+
+    when:
+    TestFileChannelSuite.openRead(path).close()
+
+    then:
+    1 * helper.beforeFileLoaded(path.toString())
+    1 * helper.beforeFileWritten(path.toString())
+  }
+
+  void 'test RASP FileChannel.open write fires beforeFileWritten'() {
+    setup:
+    final helper = Mock(FileIORaspHelper)
+    FileIORaspHelper.INSTANCE = helper
+    final path = temporaryFolder.resolve('test_rasp_fc_write.txt')
+
+    when:
+    TestFileChannelSuite.openWrite(path).close()
+
+    then:
+    1 * helper.beforeFileLoaded(path.toString())
+    1 * helper.beforeFileWritten(path.toString())
+  }
+
+  void 'test RASP FileChannel.open with Set of options'() {
+    setup:
+    final helper = Mock(FileIORaspHelper)
+    FileIORaspHelper.INSTANCE = helper
+    final path = newFile('test_rasp_fc_set.txt').toPath()
+    final options = EnumSet.of(StandardOpenOption.READ)
+
+    when:
+    TestFileChannelSuite.openWithSet(path, options).close()
+
+    then:
+    1 * helper.beforeFileLoaded(path.toString())
+    1 * helper.beforeFileWritten(path.toString())
+  }
+}

dd-java-agent/instrumentation/java/java-io-1.8/src/test/groovy/datadog/trace/instrumentation/java/io/FileReaderCallSiteTest.groovy

@@ -0,0 +1,33 @@
+package datadog.trace.instrumentation.java.io
+
+import datadog.trace.instrumentation.java.lang.FileIORaspHelper
+import foo.bar.TestFileReaderSuite
+
+class FileReaderCallSiteTest extends BaseIoRaspCallSiteTest {
+
+  void 'test RASP new file reader with path'() {
+    setup:
+    final helper = Mock(FileIORaspHelper)
+    FileIORaspHelper.INSTANCE = helper
+    final path = newFile('test_rasp_reader.txt').toString()
+
+    when:
+    TestFileReaderSuite.newFileReader(path)
+
+    then:
+    1 * helper.beforeFileLoaded(path)
+  }
+
+  void 'test RASP new file reader with file'() {
+    setup:
+    final helper = Mock(FileIORaspHelper)
+    FileIORaspHelper.INSTANCE = helper
+    final file = newFile('test_rasp_reader_file.txt')
+
+    when:
+    TestFileReaderSuite.newFileReader(file)
+
+    then:
+    1 * helper.beforeFileLoaded(file.path)
+  }
+}