Add server.request.body.filenames AppSec address for Undertow and Play (#11174)

Add server.request.body.filenames support for Undertow and Play

- Undertow: extract filenames from FormData attachments in MultiPartUploadHandlerInstrumentation
- Play 2.5/2.6: extract filenames from MultipartFormData.files() in BodyParserHelpers

Both implementations fire the requestFilesFilenames() IG event and support
blocking on malicious filenames.

Fix server.request.body.filenames for in-memory uploads in Undertow 2.2

In undertow 2.2+, FormValueImpl.isFile() returns false for in-memory file uploads
(file size below fileSizeThreshold) because it checks fileItem.isInMemory(). Use
getFileName() to identify file uploads regardless of storage, which works across
all undertow versions. Also check the filenames callback before building the list
to avoid allocations on requests where the feature is inactive.

Decouple requestBodyProcessed and requestFilesFilenames callbacks in Undertow

Both callbacks are now fetched upfront; the method only returns early when both
are null. Previously an early return on requestBodyProcessed==null silently
skipped filename detection, breaking deployments with filename-only WAF rules.

Fix Scala 2.13 muzzle incompatibility in Play multipart filenames support

Use reflection to invoke MultipartFormData.files() so the bytecode does not
embed a hard reference to the Scala 2.11/2.12 return type
(Lscala/collection/Seq;). In Scala 2.13 (Play 2.7+) the method returns
scala.collection.immutable.Seq, causing muzzle to disable the entire
PlayBodyParsersInstrumentation and breaking all body-parsing features.

Also enable testBodyFilenames() in Play 2.5/2.6/2.7 test suites.

Skip filenames WAF callback when body callback already caused a block

Avoids a redundant WAF evaluation when the request was already blocked by
the requestBodyProcessed callback. The filenamesCb is now only invoked when
t == null (no block committed yet), and the inner t == null guard is removed
since it is now guaranteed by the outer condition.

Add unit tests for FormDataMap and BodyParserHelpers.jsValueToJavaObject

Fix tryCommitBlockingResponse return-value check; simplify appsec guard; add play-2.5 unit tests

Align play-appsec-2.6 handleMultipartFilenames with play-appsec-2.5 safe pattern

Cache MultipartFormData.files() Method to avoid per-request reflection lookup

Fix FormDataMapTest anonymous FormValue missing undertow 2.2.x methods

Add getCharset(), getFileItem(), isFileItem(), and isBigField() stubs
to the anonymous FormData.FormValue in addInMemoryFileValue(). These
abstract methods were added in undertow 2.2.x and caused compilation
failure when the latestDepForkedTest resolved the latest 2.2.x release.

Use Proxy in FormDataMapTest to handle undertow 2.0/2.2 interface differences

FormData.FormValue gained getCharset(), getFileItem(), isFileItem(), and
isBigField() in undertow 2.2.x. A static anonymous class can't implement
all versions simultaneously. Using a Proxy resolves the interface at
runtime, so the test compiles against undertow 2.0 and runs correctly
against the latest 2.2.x dependency.

Move testBodyFilenames from AbstractPlayServerTest to play-appsec-2.6 tests

AbstractPlayServerTest is shared by both play-2.6 (no AppSec) and
play-appsec-2.6 tests. Setting testBodyFilenames=true there caused the
plain play-2.6 tests to check the request.body.filenames tag, which is
never set without the AppSec instrumentation.

Move the override into PlayServerTest and PlayAsyncServerTest in
play-appsec-2.6, which are the modules where the instrumentation is active.

Fix dual-fire rule and BlockingException propagation clarity in Play and Undertow multipart

- Play 2.5/2.6 handleMultipartFormData: apply pendingBlock pattern so both body
  and filenames callbacks always fire even when one of them blocks first
- Play 2.5/2.6: split catch(Exception) into explicit catch(BlockingException)/catch(Exception)
  to make blocking propagation unambiguous (was relying on non-obvious re-throw in handleException)
- Play 2.5/2.6: extract collectFilenames() as package-private to enable unit testing
- Play 2.5/2.6 BodyParserHelpersTest: add collectFilenames unit tests with real FilePart instances
- Undertow MultiPartUploadHandlerInstrumentation: remove && t == null guard on filenames
  callback so filenames fires even when body already blocked

Make filenames blocking guard consistent with body blocking guard in Undertow advice

Both now use `if (success && t == null)` to avoid overwriting a pre-existing
throwable, matching the pattern already used in the body-callback block.

Fix collectFilenames to accept java.util.Iterator to enable unit testing

Adapt the scala.collection.Iterator from MULTIPART_FILES_METHOD with an
anonymous java.util.Iterator wrapper at the call site, so collectFilenames
can be called directly from Java tests without a Scala iterator.

Replace anonymous iterator with named ScalaIteratorAdapter; add to helperClassNames

The anonymous java.util.Iterator class compiled as BodyParserHelpers$1 was
missing from helperClassNames, causing muzzle validation failures. Replace
with a named static inner class ScalaIteratorAdapter and declare it explicitly
in all helperClassNames arrays that already reference BodyParserHelpers.

Guard filenames tryCommitBlockingResponse if body already blocked in Undertow

UndertowBlockResponseFunction.tryCommitBlockingResponse is not idempotent:
it overwrites exchange attachments and re-dispatches on the IO thread on every
call. Move the t == null guard before the call so the filename blocking path
is skipped when the body blocking path has already committed a response.

Trigger devflow re-evaluation

Merge branch 'master' into alejandro.gonzalez/APPSEC-61873-4-undertow-play

Co-authored-by: alejandro.gonzalez <alejandro.gonzalez@datadoghq.com>

Author: jandro996

dd-java-agent/instrumentation/play/play-appsec-2.5/src/main/java/datadog/trace/instrumentation/play25/appsec/BodyParserHelpers.java

@@ -19,6 +19,7 @@
 import datadog.trace.api.gateway.RequestContextSlot;
 import datadog.trace.bootstrap.instrumentation.api.AgentSpan;
 import datadog.trace.bootstrap.instrumentation.api.AgentTracer;
+import java.lang.reflect.Method;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
@@ -47,6 +48,21 @@ public class BodyParserHelpers {
   private static final Logger log = LoggerFactory.getLogger(BodyParserHelpers.class);
   public static final int MAX_RECURSION = 15;
 
+  // Cached via reflection to avoid embedding a hard binary reference to
+  // files():Lscala/collection/Seq; — the return type changed to
+  // Lscala/collection/immutable/Seq; in Scala 2.13 (Play 2.7+), which would
+  // cause muzzle to disable the instrumentation for Play 2.7.
+  private static final Method MULTIPART_FILES_METHOD;
+
+  static {
+    Method m = null;
+    try {
+      m = MultipartFormData.class.getMethod("files");
+    } catch (Exception ignored) {
+    }
+    MULTIPART_FILES_METHOD = m;
+  }
+
   private static JFunction1<
           scala.collection.immutable.Map<String, Seq<String>>,
           scala.collection.immutable.Map<String, Seq<String>>>
@@ -105,20 +121,91 @@ private static String handleText(String s) {
 
   private static MultipartFormData<?> handleMultipartFormData(MultipartFormData<?> data) {
     scala.collection.immutable.Map<String, Seq<String>> mpfd = data.asFormUrlEncoded();
-
-    if (mpfd == null || mpfd.isEmpty()) {
-      return data;
+    BlockingException pendingBlock = null;
+
+    if (mpfd != null && !mpfd.isEmpty()) {
+      try {
+        Object conv = tryConvertingScalaContainers(mpfd, MAX_CONVERSION_DEPTH);
+        handleArbitraryPostData(conv, "multipartFormData");
+      } catch (BlockingException be) {
+        pendingBlock = be;
+      } catch (Exception e) {
+        log.debug("Error handling result of multipartFormData BodyParser", e);
+      }
     }
 
     try {
-      Object conv = tryConvertingScalaContainers(mpfd, MAX_CONVERSION_DEPTH);
-      handleArbitraryPostData(conv, "multipartFormData");
+      if (MULTIPART_FILES_METHOD != null) {
+        Object files = MULTIPART_FILES_METHOD.invoke(data);
+        if (files instanceof scala.collection.Iterable) {
+          handleMultipartFilenames(
+              new ScalaIteratorAdapter(((scala.collection.Iterable<?>) files).iterator()));
+        }
+      }
+    } catch (BlockingException be) {
+      if (pendingBlock == null) pendingBlock = be;
     } catch (Exception e) {
-      handleException(e, "Error handling result of multipartFormData BodyParser");
+      log.debug("Error handling multipartFormData filenames", e);
     }
+
+    if (pendingBlock != null) throw pendingBlock;
     return data;
   }
 
+  private static void handleMultipartFilenames(java.util.Iterator<?> iterator) {
+    AgentSpan span = activeSpan();
+    if (span == null) {
+      return;
+    }
+    RequestContext reqCtx = span.getRequestContext();
+    if (reqCtx == null || reqCtx.getData(RequestContextSlot.APPSEC) == null) {
+      return;
+    }
+
+    List<String> filenames = collectFilenames(iterator);
+    if (filenames.isEmpty()) {
+      return;
+    }
+
+    CallbackProvider cbp = AgentTracer.get().getCallbackProvider(RequestContextSlot.APPSEC);
+    BiFunction<RequestContext, List<String>, Flow<Void>> callback =
+        cbp.getCallback(EVENTS.requestFilesFilenames());
+    if (callback == null) {
+      return;
+    }
+    executeFilenamesCallback(reqCtx, callback, filenames);
+  }
+
+  static List<String> collectFilenames(java.util.Iterator<?> iterator) {
+    List<String> filenames = new ArrayList<>();
+    while (iterator.hasNext()) {
+      MultipartFormData.FilePart<?> part = (MultipartFormData.FilePart<?>) iterator.next();
+      String filename = part.filename();
+      if (filename != null && !filename.isEmpty()) {
+        filenames.add(filename);
+      }
+    }
+    return filenames;
+  }
+
+  private static void executeFilenamesCallback(
+      RequestContext reqCtx,
+      BiFunction<RequestContext, List<String>, Flow<Void>> callback,
+      List<String> filenames) {
+    Flow<Void> flow = callback.apply(reqCtx, filenames);
+    Flow.Action action = flow.getAction();
+    if (action instanceof Flow.Action.RequestBlockingAction) {
+      Flow.Action.RequestBlockingAction rba = (Flow.Action.RequestBlockingAction) action;
+      BlockResponseFunction brf = reqCtx.getBlockResponseFunction();
+      if (brf != null) {
+        boolean success = brf.tryCommitBlockingResponse(reqCtx.getTraceSegment(), rba);
+        if (success) {
+          throw new BlockingException("Blocked request (multipart file upload)");
+        }
+      }
+    }
+  }
+
   public static Function1<JsValue, JsValue> getHandleJsonF() {
     return HANDLE_JSON;
   }
@@ -302,4 +389,22 @@ private static Object jsNodeToJavaObject(JsonNode value, int maxRecursion) {
       return value.asText("");
     }
   }
+
+  static final class ScalaIteratorAdapter implements java.util.Iterator<Object> {
+    private final Iterator<?> delegate;
+
+    ScalaIteratorAdapter(Iterator<?> delegate) {
+      this.delegate = delegate;
+    }
+
+    @Override
+    public boolean hasNext() {
+      return delegate.hasNext();
+    }
+
+    @Override
+    public Object next() {
+      return delegate.next();
+    }
+  }
 }

dd-java-agent/instrumentation/play/play-appsec-2.5/src/main/java/datadog/trace/instrumentation/play25/appsec/FormUrlEncodedInstrumentation.java

@@ -31,7 +31,7 @@ public String instrumentedType() {
   @Override
   public String[] helperClassNames() {
     return new String[] {
-      packageName + ".BodyParserHelpers",
+      packageName + ".BodyParserHelpers", packageName + ".BodyParserHelpers$ScalaIteratorAdapter",
     };
   }
 

dd-java-agent/instrumentation/play/play-appsec-2.5/src/main/java/datadog/trace/instrumentation/play25/appsec/PlayBodyParsersInstrumentation.java

@@ -38,7 +38,7 @@ public String[] knownMatchingTypes() {
   @Override
   public String[] helperClassNames() {
     return new String[] {
-      packageName + ".BodyParserHelpers",
+      packageName + ".BodyParserHelpers", packageName + ".BodyParserHelpers$ScalaIteratorAdapter",
     };
   }
 

dd-java-agent/instrumentation/play/play-appsec-2.5/src/main/java/datadog/trace/instrumentation/play25/appsec/ResultsStatusInstrumentation.java

@@ -28,7 +28,7 @@ public String instrumentedType() {
   @Override
   public String[] helperClassNames() {
     return new String[] {
-      packageName + ".BodyParserHelpers",
+      packageName + ".BodyParserHelpers", packageName + ".BodyParserHelpers$ScalaIteratorAdapter",
     };
   }
 

dd-java-agent/instrumentation/play/play-appsec-2.5/src/main/java/datadog/trace/instrumentation/play25/appsec/TolerantJsonInstrumentation.java

@@ -35,7 +35,7 @@ public String instrumentedType() {
   @Override
   public String[] helperClassNames() {
     return new String[] {
-      packageName + ".BodyParserHelpers",
+      packageName + ".BodyParserHelpers", packageName + ".BodyParserHelpers$ScalaIteratorAdapter",
     };
   }
 

dd-java-agent/instrumentation/play/play-appsec-2.5/src/main/java/datadog/trace/instrumentation/play25/appsec/TolerantTextInstrumentation.java

@@ -30,7 +30,7 @@ public String instrumentedType() {
   @Override
   public String[] helperClassNames() {
     return new String[] {
-      packageName + ".BodyParserHelpers",
+      packageName + ".BodyParserHelpers", packageName + ".BodyParserHelpers$ScalaIteratorAdapter",
     };
   }
 

dd-java-agent/instrumentation/play/play-appsec-2.5/src/test/groovy/datadog/trace/instrumentation/play25/server/PlayServerTest.groovy

@@ -83,6 +83,11 @@ class PlayServerTest extends HttpServerTest<Server> {
     true
   }
 
+  @Override
+  boolean testBodyFilenames() {
+    true
+  }
+
   @Override
   boolean testBlocking() {
     true

dd-java-agent/instrumentation/play/play-appsec-2.5/src/test/java/datadog/trace/instrumentation/play25/appsec/BodyParserHelpersTest.java

@@ -0,0 +1,167 @@
+package datadog.trace.instrumentation.play25.appsec;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.lang.reflect.Method;
+import java.math.BigDecimal;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import org.junit.jupiter.api.Test;
+import play.api.libs.json.JsValue;
+import play.api.mvc.MultipartFormData;
+
+class BodyParserHelpersTest {
+
+  private static JsValue parse(String json) {
+    return play.api.libs.json.Json$.MODULE$.parse(json);
+  }
+
+  @Test
+  void jsValueToJavaObject_nullInputReturnsNull() {
+    assertNull(BodyParserHelpers.jsValueToJavaObject(null));
+  }
+
+  @Test
+  void jsValueToJavaObject_jsNullReturnsNull() {
+    assertNull(BodyParserHelpers.jsValueToJavaObject(parse("null")));
+  }
+
+  @Test
+  void jsValueToJavaObject_string() {
+    Object result = BodyParserHelpers.jsValueToJavaObject(parse("\"hello\""));
+    assertEquals("hello", result);
+  }
+
+  @Test
+  void jsValueToJavaObject_number() {
+    Object result = BodyParserHelpers.jsValueToJavaObject(parse("42"));
+    assertTrue(result instanceof BigDecimal);
+    assertEquals(0, ((BigDecimal) result).compareTo(new BigDecimal("42")));
+  }
+
+  @Test
+  void jsValueToJavaObject_booleanTrue() {
+    Object result = BodyParserHelpers.jsValueToJavaObject(parse("true"));
+    assertEquals(Boolean.TRUE, result);
+  }
+
+  @Test
+  void jsValueToJavaObject_booleanFalse() {
+    Object result = BodyParserHelpers.jsValueToJavaObject(parse("false"));
+    assertEquals(Boolean.FALSE, result);
+  }
+
+  @Test
+  @SuppressWarnings("unchecked")
+  void jsValueToJavaObject_object() {
+    Object result = BodyParserHelpers.jsValueToJavaObject(parse("{\"key\":\"value\",\"num\":1}"));
+    assertTrue(result instanceof Map);
+    Map<String, Object> map = (Map<String, Object>) result;
+    assertEquals("value", map.get("key"));
+    assertTrue(map.get("num") instanceof BigDecimal);
+  }
+
+  @Test
+  @SuppressWarnings("unchecked")
+  void jsValueToJavaObject_array() {
+    Object result = BodyParserHelpers.jsValueToJavaObject(parse("[\"a\",\"b\",\"c\"]"));
+    assertTrue(result instanceof List);
+    List<Object> list = (List<Object>) result;
+    assertEquals(3, list.size());
+    assertEquals("a", list.get(0));
+    assertEquals("b", list.get(1));
+    assertEquals("c", list.get(2));
+  }
+
+  @Test
+  @SuppressWarnings("unchecked")
+  void jsValueToJavaObject_nestedObject() {
+    Object result =
+        BodyParserHelpers.jsValueToJavaObject(parse("{\"outer\":{\"inner\":\"deep\"}}"));
+    assertTrue(result instanceof Map);
+    Map<String, Object> outer = (Map<String, Object>) result;
+    assertTrue(outer.get("outer") instanceof Map);
+    Map<String, Object> inner = (Map<String, Object>) outer.get("outer");
+    assertEquals("deep", inner.get("inner"));
+  }
+
+  @Test
+  void jsValueToJavaObject_zeroRecursionReturnsNull() {
+    Object result = BodyParserHelpers.jsValueToJavaObject(parse("{\"key\":\"value\"}"), 0);
+    assertNull(result);
+  }
+
+  @Test
+  @SuppressWarnings("unchecked")
+  void jsValueToJavaObject_recursionLimitTruncatesNesting() {
+    // depth=1: outer object is converted, but children exceed the limit and become null
+    Object result = BodyParserHelpers.jsValueToJavaObject(parse("{\"a\":{\"b\":\"val\"}}"), 1);
+    assertTrue(result instanceof Map);
+    Map<String, Object> map = (Map<String, Object>) result;
+    assertNull(map.get("a"));
+  }
+
+  // --- collectFilenames tests ---
+
+  @Test
+  void collectFilenames_emptyIterator() {
+    List<String> result = BodyParserHelpers.collectFilenames(Collections.emptyIterator());
+    assertTrue(result.isEmpty());
+  }
+
+  @Test
+  void collectFilenames_nullFilenameExcluded() throws Exception {
+    List<String> result =
+        BodyParserHelpers.collectFilenames(
+            Collections.<Object>singletonList(filePart("f", null)).iterator());
+    assertTrue(result.isEmpty());
+  }
+
+  @Test
+  void collectFilenames_emptyFilenameExcluded() throws Exception {
+    List<String> result =
+        BodyParserHelpers.collectFilenames(
+            Collections.<Object>singletonList(filePart("f", "")).iterator());
+    assertTrue(result.isEmpty());
+  }
+
+  @Test
+  void collectFilenames_validFilenameIncluded() throws Exception {
+    List<String> result =
+        BodyParserHelpers.collectFilenames(
+            Collections.<Object>singletonList(filePart("f", "evil.php")).iterator());
+    assertEquals(Collections.singletonList("evil.php"), result);
+  }
+
+  @Test
+  void collectFilenames_mixedPartsFiltered() throws Exception {
+    List<Object> parts =
+        Arrays.<Object>asList(
+            filePart("f1", "a.pdf"),
+            filePart("f2", null),
+            filePart("f3", ""),
+            filePart("f4", "b.jpg"));
+    List<String> result = BodyParserHelpers.collectFilenames(parts.iterator());
+    assertEquals(Arrays.asList("a.pdf", "b.jpg"), result);
+  }
+
+  @SuppressWarnings("unchecked")
+  private static MultipartFormData.FilePart<Object> filePart(String key, String filename)
+      throws Exception {
+    // FilePart is a Scala case class nested in object MultipartFormData.
+    // Use the companion object's apply() to avoid JVM inner-class constructor complexity.
+    Class<?> companionClass = Class.forName("play.api.mvc.MultipartFormData$FilePart$");
+    Object companion = companionClass.getField("MODULE$").get(null);
+    for (Method m : companionClass.getMethods()) {
+      if ("apply".equals(m.getName()) && m.getParameterCount() == 4) {
+        return (MultipartFormData.FilePart<Object>)
+            m.invoke(companion, key, filename, scala.None$.MODULE$, new Object());
+      }
+    }
+    throw new IllegalStateException("FilePart.apply(4 params) not found");
+  }
+}