fix(appsec): guard Jetty 8 getParts against repeated calls; disable filename tests in async suite

jandro996 · jandro996 · commit bece33644c22 · 2026-04-20T12:35:23.000+02:00
1. Add _multiPartInputStream == null guard to GetFilenamesAdvice.before() so that
   repeated getParts() calls on the same request (which Jetty caches) do not
   re-fire requestFilesFilenames/requestBodyProcessed WAF callbacks. The field is
   null before the first multipart parse and non-null on all subsequent cached
   calls, matching the pattern used in the 9.4/11.0 advice (_multiParts guard).

2. JettyAsyncHandlerTest already disabled testBodyFilenames() but neglected to
   disable testBodyFilenamesCalledOnce() and testBodyFilenamesCalledOnceCombined(),
   which are now enabled in the Jetty11Test parent. Override both to false in the
   async handler suite to prevent spurious test failures.
diff --git a/dd-java-agent/instrumentation/jetty/jetty-appsec/jetty-appsec-8.1.3/src/main/java/datadog/trace/instrumentation/jetty8/RequestGetPartsInstrumentation.java b/dd-java-agent/instrumentation/jetty/jetty-appsec/jetty-appsec-8.1.3/src/main/java/datadog/trace/instrumentation/jetty8/RequestGetPartsInstrumentation.java
@@ -27,6 +27,7 @@
 import java.util.function.BiFunction;
 import javax.servlet.http.Part;
 import net.bytebuddy.asm.Advice;
+import net.bytebuddy.implementation.bytecode.assign.Assigner;
 import net.bytebuddy.jar.asm.ClassReader;
 import net.bytebuddy.jar.asm.ClassVisitor;
 import net.bytebuddy.jar.asm.FieldVisitor;
@@ -129,8 +130,12 @@ public void visitMethodInsn(
   @RequiresRequestContext(RequestContextSlot.APPSEC)
   public static class GetFilenamesAdvice {
     @Advice.OnMethodEnter(suppress = Throwable.class)
-    static boolean before() {
-      return CallDepthThreadLocalMap.incrementCallDepth(Collection.class) == 0;
+    static boolean before(
+        @Advice.FieldValue(value = "_multiPartInputStream", typing = Assigner.Typing.DYNAMIC)
+            final Object multiPartInputStream) {
+      final int callDepth = CallDepthThreadLocalMap.incrementCallDepth(Collection.class);
+      // _multiPartInputStream is null before the first parse; non-null on cached repeat calls.
+      return callDepth == 0 && multiPartInputStream == null;
     }
 
     @Advice.OnMethodExit(suppress = Throwable.class, onThrowable = Throwable.class)
diff --git a/dd-java-agent/instrumentation/jetty/jetty-server/jetty-server-11.0/src/test/groovy/JettyAsyncHandlerTest.groovy b/dd-java-agent/instrumentation/jetty/jetty-server/jetty-server-11.0/src/test/groovy/JettyAsyncHandlerTest.groovy
@@ -30,6 +30,16 @@ class JettyAsyncHandlerTest extends Jetty11Test implements TestingGenericHttpNam
     false
   }
 
+  @Override
+  boolean testBodyFilenamesCalledOnce() {
+    false
+  }
+
+  @Override
+  boolean testBodyFilenamesCalledOnceCombined() {
+    false
+  }
+
   static class ContinuationTestHandler implements Handler {
     @Delegate
     private final Handler delegate
