Fix GetFilenamesAdvice double-firing and extend coverage to getParts(MultiMap) path

jandro996 · jandro996 · commit ecf65c548ee3 · 2026-04-06T15:45:36.000+02:00
- jetty-appsec-9.3: add call-depth guard (Collection.class) to GetFilenamesAdvice
  to prevent double callback invocation when getParts() calls getParts(MultiMap) internally
- jetty-appsec-9.2: extend GetFilenamesAdvice matcher to all getParts overloads
  (not just no-arg) to cover getParameter*()/getParameterMap() code paths,
  guarded with same call-depth mechanism to avoid double-firing
diff --git a/dd-java-agent/instrumentation/jetty/jetty-appsec/jetty-appsec-8.1.3/src/main/java/datadog/trace/instrumentation/jetty8/RequestGetPartsInstrumentation.java b/dd-java-agent/instrumentation/jetty/jetty-appsec/jetty-appsec-8.1.3/src/main/java/datadog/trace/instrumentation/jetty8/RequestGetPartsInstrumentation.java
@@ -216,8 +216,7 @@ static void after(
       // Resolve getSubmittedFileName once (Servlet 3.1+; null on Servlet 3.0)
       Method getSubmittedFileName = null;
       try {
-        getSubmittedFileName =
-            parts.iterator().next().getClass().getMethod("getSubmittedFileName");
+        getSubmittedFileName = parts.iterator().next().getClass().getMethod("getSubmittedFileName");
       } catch (Exception ignored) {
       }
       List<String> filenames = new ArrayList<>();
diff --git a/dd-java-agent/instrumentation/jetty/jetty-appsec/jetty-appsec-9.2/src/main/java/datadog/trace/instrumentation/jetty92/RequestExtractContentParametersInstrumentation.java b/dd-java-agent/instrumentation/jetty/jetty-appsec/jetty-appsec-9.2/src/main/java/datadog/trace/instrumentation/jetty92/RequestExtractContentParametersInstrumentation.java
@@ -52,8 +52,7 @@ public void methodAdvice(MethodTransformer transformer) {
             .and(takesArguments(1))
             .and(takesArgument(0, named("org.eclipse.jetty.util.MultiMap"))),
         getClass().getName() + "$GetPartsAdvice");
-    transformer.applyAdvice(
-        named("getParts").and(takesArguments(0)), getClass().getName() + "$GetFilenamesAdvice");
+    transformer.applyAdvice(named("getParts"), getClass().getName() + "$GetFilenamesAdvice");
   }
 
   private static final Reference REQUEST_REFERENCE =
@@ -144,12 +143,19 @@ static void after(
 
   @RequiresRequestContext(RequestContextSlot.APPSEC)
   public static class GetFilenamesAdvice {
+    @Advice.OnMethodEnter(suppress = Throwable.class)
+    static boolean before() {
+      return CallDepthThreadLocalMap.incrementCallDepth(Collection.class) == 0;
+    }
+
     @Advice.OnMethodExit(suppress = Throwable.class, onThrowable = Throwable.class)
     static void after(
+        @Advice.Enter boolean proceed,
         @Advice.Return Collection parts,
         @ActiveRequestContext RequestContext reqCtx,
         @Advice.Thrown(readOnly = false) Throwable t) {
-      if (t != null || parts == null || parts.isEmpty()) {
+      CallDepthThreadLocalMap.decrementCallDepth(Collection.class);
+      if (!proceed || t != null || parts == null || parts.isEmpty()) {
         return;
       }
       List<String> filenames = new ArrayList<>();
diff --git a/dd-java-agent/instrumentation/jetty/jetty-appsec/jetty-appsec-9.3/src/main/java/datadog/trace/instrumentation/jetty93/RequestExtractContentParametersInstrumentation.java b/dd-java-agent/instrumentation/jetty/jetty-appsec/jetty-appsec-9.3/src/main/java/datadog/trace/instrumentation/jetty93/RequestExtractContentParametersInstrumentation.java
@@ -107,18 +107,24 @@ static void after(
 
   @RequiresRequestContext(RequestContextSlot.APPSEC)
   public static class GetFilenamesAdvice {
+    @Advice.OnMethodEnter(suppress = Throwable.class)
+    static boolean before() {
+      return CallDepthThreadLocalMap.incrementCallDepth(Collection.class) == 0;
+    }
+
     @Advice.OnMethodExit(suppress = Throwable.class, onThrowable = Throwable.class)
     static void after(
+        @Advice.Enter boolean proceed,
         @Advice.Return Collection parts,
         @ActiveRequestContext RequestContext reqCtx,
         @Advice.Thrown(readOnly = false) Throwable t) {
-      if (t != null || parts == null || parts.isEmpty()) {
+      CallDepthThreadLocalMap.decrementCallDepth(Collection.class);
+      if (!proceed || t != null || parts == null || parts.isEmpty()) {
         return;
       }
       Method getSubmittedFileName = null;
       try {
-        getSubmittedFileName =
-            parts.iterator().next().getClass().getMethod("getSubmittedFileName");
+        getSubmittedFileName = parts.iterator().next().getClass().getMethod("getSubmittedFileName");
       } catch (Exception ignored) {
       }
       if (getSubmittedFileName == null) {
