fix(appsec/jetty8): inspect all cached parts in GetPartAdvice, not just the singleton

When getPart("field") is the app's first multipart access, Jetty 8 parses the entire
multipart stream and caches all parts in _multiPartInputStream, but only returns the
one requested part. The previous advice forwarded just that singleton to AppSec, so any
co-uploaded file parts were invisible to requestFilesFilenames — a WAF bypass if the
app never called getParts() explicitly.

Fix: read all cached parts via MultiPartInputStream.getParts() (reflected, cached handle)
and fall back to the singleton only when reflection fails. Also remove the part==null
early return: even if the requested field was not found, other file parts may have parsed.

Add PartHelper.getAllParts(Object, Part) + FakeMpi unit tests.

Author: jandro996

dd-java-agent/instrumentation/jetty/jetty-appsec/jetty-appsec-8.1.3/src/main/java/datadog/trace/instrumentation/jetty8/PartHelper.java

@@ -12,6 +12,7 @@
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.lang.reflect.Method;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -31,6 +32,37 @@ public class PartHelper {
 
   private PartHelper() {}
 
+  // Cached reflection handle to MultiPartInputStream.getParts() — set once on first use.
+  private static volatile Method mpiGetParts;
+
+  /**
+   * Returns all parts from a {@code MultiPartInputStream} object (already-parsed, no re-trigger).
+   * Falls back to a singleton of {@code singlePart} if reflection fails or the collection is empty.
+   */
+  public static Collection<?> getAllParts(Object multiPartInputStream, Part singlePart) {
+    if (multiPartInputStream != null) {
+      Method m = mpiGetParts;
+      if (m == null) {
+        try {
+          m = multiPartInputStream.getClass().getMethod("getParts");
+          mpiGetParts = m;
+        } catch (NoSuchMethodException ignored) {
+        }
+      }
+      if (m != null) {
+        try {
+          @SuppressWarnings("unchecked")
+          Collection<?> all = (Collection<?>) m.invoke(multiPartInputStream);
+          if (all != null && !all.isEmpty()) {
+            return all;
+          }
+        } catch (Exception ignored) {
+        }
+      }
+    }
+    return singlePart != null ? Collections.singletonList(singlePart) : Collections.emptyList();
+  }
+
   /**
    * Returns filenames found in {@code parts} by parsing each part's {@code Content-Disposition}
    * header for a {@code filename=} parameter.

dd-java-agent/instrumentation/jetty/jetty-appsec/jetty-appsec-8.1.3/src/main/java/datadog/trace/instrumentation/jetty8/RequestGetPartsInstrumentation.java

@@ -15,7 +15,6 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.Collection;
-import java.util.Collections;
 import javax.servlet.http.Part;
 import net.bytebuddy.asm.Advice;
 import net.bytebuddy.implementation.bytecode.assign.Assigner;
@@ -154,10 +153,13 @@ static void after(
   }
 
   /**
-   * Fires AppSec events for a single-part upload via {@code getPart(String)}, which in Jetty 8.x
-   * does NOT delegate to {@code getParts()} — it calls {@code
-   * _multiPartInputStream.getPart(String)} directly. Without this advice, single-file uploads that
-   * never call the public {@code getParts()} would be missed.
+   * Fires AppSec events for requests whose first multipart access is {@code getPart(String)}.
+   *
+   * <p>In Jetty 8.x, {@code getPart(String)} parses and caches the entire multipart stream into
+   * {@code _multiPartInputStream} but returns only the single requested part. If the app only calls
+   * {@code getPart("field")} (a text field), any co-uploaded file parts would never reach {@code
+   * requestFilesFilenames}. We therefore read all cached parts via {@code
+   * MultiPartInputStream.getParts()} and fall back to the returned singleton only if that fails.
    */
   @RequiresRequestContext(RequestContextSlot.APPSEC)
   public static class GetPartAdvice {
@@ -170,13 +172,18 @@ static boolean before() {
     static void after(
         @Advice.Enter boolean proceed,
         @Advice.Return Part part,
+        @Advice.FieldValue(value = "_multiPartInputStream", typing = Assigner.Typing.DYNAMIC)
+            Object multiPartInputStream,
         @ActiveRequestContext RequestContext reqCtx,
         @Advice.Thrown(readOnly = false) Throwable t) {
       CallDepthThreadLocalMap.decrementCallDepth(Part.class);
-      if (!proceed || t != null || part == null) {
+      if (!proceed || t != null) {
+        return;
+      }
+      Collection<?> parts = PartHelper.getAllParts(multiPartInputStream, part);
+      if (parts.isEmpty()) {
         return;
       }
-      Collection<Part> parts = Collections.singletonList(part);
       t = PartHelper.fireBodyProcessedEvent(parts, reqCtx);
       if (t == null) {
         t = PartHelper.fireFilenamesEvent(parts, reqCtx);

dd-java-agent/instrumentation/jetty/jetty-appsec/jetty-appsec-8.1.3/src/test/groovy/datadog/trace/instrumentation/jetty8/PartHelperTest.groovy

@@ -3,6 +3,19 @@ package datadog.trace.instrumentation.jetty8
 import javax.servlet.http.Part
 import spock.lang.Specification
 
+/** Minimal stand-in for {@code MultiPartInputStream}: exposes a {@code getParts()} method. */
+class FakeMpi {
+  private final Collection parts
+
+  FakeMpi(Collection parts) {
+    this.parts = parts
+  }
+
+  Collection getParts() {
+    parts
+  }
+}
+
 class PartHelperTest extends Specification {
 
   // ── extractFilenames ────────────────────────────────────────────────────────
@@ -191,6 +204,54 @@ class PartHelperTest extends Specification {
     PartHelper.extractFormFields(parts) == [a: ['x'], b: ['y']]
   }
 
+  // ── getAllParts ─────────────────────────────────────────────────────────────
+
+  def "getAllParts returns empty list when multiPartInputStream is null and singlePart is null"() {
+    expect:
+    PartHelper.getAllParts(null, null) == []
+  }
+
+  def "getAllParts falls back to singleton when multiPartInputStream is null"() {
+    given:
+    def part = filePart('evil.php')
+
+    expect:
+    PartHelper.getAllParts(null, part) == [part]
+  }
+
+  def "getAllParts returns all parts from MultiPartInputStream.getParts()"() {
+    given:
+    def file = filePart('evil.php')
+    def text = field('name', 'val')
+    def mpi = new FakeMpi([file, text])
+
+    expect:
+    PartHelper.getAllParts(mpi, null) == [file, text]
+  }
+
+  def "getAllParts prefers full collection over singleton even when singlePart is provided"() {
+    given:
+    def file = filePart('evil.php')
+    def other = field('name', 'val')
+    def mpi = new FakeMpi([file, other])
+
+    expect:
+    PartHelper.getAllParts(mpi, file) == [file, other]
+  }
+
+  def "getAllParts falls back to singleton when getParts() throws"() {
+    given:
+    def part = filePart('fallback.jpg')
+    def mpi = new Object() {
+        Collection getParts() {
+          throw new IOException("simulated failure")
+        }
+      }
+
+    expect:
+    PartHelper.getAllParts(mpi, part) == [part]
+  }
+
   // ── helpers ─────────────────────────────────────────────────────────────────
 
   /** Creates a stub Part that looks like a plain form field (no filename). */