fix(appsec): cap number of file contents sent to WAF at 25

Without a bound, uploading N files would pass up to N × 4096 bytes to the
WAF in a single call. MAX_FILES_TO_INSPECT = 25 limits total content to
at most 100 KB, consistent with the per-file MAX_CONTENT_BYTES cap.

Author: jandro996

dd-java-agent/instrumentation/commons-fileupload-1.5/src/main/java/datadog/trace/instrumentation/commons/fileupload/CommonsFileUploadAppSecModule.java

@@ -109,6 +109,9 @@ static void after(
       }
       List<String> filesContent = new ArrayList<>();
       for (FileItem fileItem : fileItems) {
+        if (filesContent.size() >= FileItemContentReader.MAX_FILES_TO_INSPECT) {
+          break;
+        }
         if (fileItem.isFormField()) {
           continue;
         }

dd-java-agent/instrumentation/commons-fileupload-1.5/src/main/java/datadog/trace/instrumentation/commons/fileupload/FileItemContentReader.java

@@ -8,6 +8,7 @@
 /** Helper class injected into the application classloader by the AppSec instrumentation. */
 public final class FileItemContentReader {
   public static final int MAX_CONTENT_BYTES = 4096;
+  public static final int MAX_FILES_TO_INSPECT = 25;
 
   public static String readContent(FileItem fileItem) {
     try (InputStream is = fileItem.getInputStream()) {