
Add server.request.body.filenames support for Jetty#10988

Draft
jandro996 wants to merge 4 commits intomasterfrom
alejandro.gonzalez/APPSEC-61873-3

Conversation

@jandro996
Member

@jandro996 jandro996 commented Mar 27, 2026

What Does This Do

  • Add GetFilenamesAdvice to all three Jetty AppSec instrumentation modules to collect uploaded file names from multipart requests and fire the requestFilesFilenames() IG callback:
    • jetty-appsec-8.1.3: intercepts getParts() return value; includes Content-Disposition header fallback for Servlet 3.0 (Jetty 9.0) where getSubmittedFileName() is not available
    • jetty-appsec-9.2: intercepts no-arg getParts() for Servlet 3.1+
    • jetty-appsec-9.3: same pattern, applies to Jetty 9.3, 10, 11
  • Enable testBodyFilenames() in Jetty 9.x, 10, and 11 server tests
  • Override testBodyFilenames() = false in JettyAsyncHandlerTest — async re-dispatch changes how Jetty processes multipart parts, the tag is not set in that variant

Motivation

Additional Notes

Depends on #10973 (merged).
Part of Jira ticket: APPSEC-61873 (server.request.body.filenames implementation across server frameworks).

Contributor Checklist

@jandro996 jandro996 added comp: asm waf Application Security Management (WAF) type: enhancement Enhancements and improvements labels Mar 27, 2026
@pr-commenter

pr-commenter bot commented Mar 27, 2026

Benchmarks

⚠️ Warning: Baseline build not found for merge-base commit. Comparing against the latest commit on master instead.

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/APPSEC-61873-3
git_commit_date 1775555215 1775555561
git_commit_sha 4fa94c4 d8a92f8
release_version 1.61.0-SNAPSHOT~4fa94c4f4f 1.61.0-SNAPSHOT~d8a92f8c6d
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1775557324 1775557324
ci_job_id 1572351211 1572351211
ci_pipeline_id 106346023 106346023
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-0-p15q9nog 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-0-p15q9nog 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module Agent Agent
parent None None

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 59 metrics, 12 unstable metrics.

Startup time reports for insecure-bank
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.053 s -
Agent iast 1.224 s 170.949 ms (16.2%)
Total tracing 8.813 s -
Total iast 9.562 s 748.975 ms (8.5%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.065 s -
Agent iast 1.221 s 156.433 ms (14.7%)
Total tracing 8.859 s -
Total iast 9.562 s 703.0 ms (7.9%)
Startup time reports for petclinic
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.057 s -
Agent appsec 1.245 s 188.091 ms (17.8%)
Agent iast 1.223 s 166.576 ms (15.8%)
Agent profiling 1.184 s 127.212 ms (12.0%)
Total tracing 10.987 s -
Total appsec 11.102 s 114.911 ms (1.0%)
Total iast 11.315 s 327.626 ms (3.0%)
Total profiling 11.034 s 46.536 ms (0.4%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.058 s -
Agent appsec 1.244 s 186.053 ms (17.6%)
Agent iast 1.222 s 163.462 ms (15.4%)
Agent profiling 1.185 s 126.339 ms (11.9%)
Total tracing 11.013 s -
Total appsec 11.167 s 153.693 ms (1.4%)
Total iast 11.303 s 289.439 ms (2.6%)
Total profiling 11.047 s 33.984 ms (0.3%)

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/APPSEC-61873-3
git_commit_date 1775555215 1775555561
git_commit_sha 4fa94c4 d8a92f8
release_version 1.61.0-SNAPSHOT~4fa94c4f4f 1.61.0-SNAPSHOT~d8a92f8c6d
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1775557887 1775557887
ci_job_id 1572351214 1572351214
ci_pipeline_id 106346023 106346023
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-1-t5p7ytob 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-1-t5p7ytob 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 2 performance improvements and 1 performance regressions! Performance is the same for 16 metrics, 17 unstable metrics.

Per-scenario results (Δ columns give the candidate-minus-baseline confidence interval, absolute and relative; candidate and baseline columns give mean agg_http_req_duration_p50 / agg_http_req_duration_p95 / throughput):

scenario:load:insecure-bank:iast_GLOBAL:high_load
  • Δ mean agg_http_req_duration_p50: better, [-315.728µs; -116.420µs] or [-10.299%; -3.797%]
  • Δ mean agg_http_req_duration_p95: better, [-735.088µs; -193.454µs] or [-8.646%; -2.275%]
  • Δ mean throughput: unstable, [-65.110op/s; +204.235op/s] or [-5.445%; +17.078%]
  • candidate mean p50 / p95 / throughput: 2.850ms / 8.037ms / 1265.438op/s
  • baseline mean p50 / p95 / throughput: 3.066ms / 8.502ms / 1195.875op/s
scenario:load:petclinic:no_agent:high_load
  • Δ mean agg_http_req_duration_p50: worse, [+0.808ms; +2.443ms] or [+4.592%; +13.891%]
  • Δ mean agg_http_req_duration_p95: unstable, [+0.747ms; +3.963ms] or [+2.554%; +13.549%]
  • Δ mean throughput: unstable, [-36.334op/s; +10.802op/s] or [-14.069%; +4.183%]
  • candidate mean p50 / p95 / throughput: 19.212ms / 31.607ms / 245.484op/s
  • baseline mean p50 / p95 / throughput: 17.587ms / 29.252ms / 258.250op/s
Request duration reports for petclinic
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 18.067 ms [17.888 ms, 18.246 ms] -
appsec 18.987 ms [18.793 ms, 19.182 ms] 920.15 µs (5.1%)
code_origins 17.892 ms [17.719 ms, 18.066 ms] -175.09 µs (-1.0%)
iast 18.014 ms [17.838 ms, 18.189 ms] -53.517 µs (-0.3%)
profiling 18.949 ms [18.758 ms, 19.141 ms] 882.222 µs (4.9%)
tracing 17.849 ms [17.674 ms, 18.025 ms] -217.929 µs (-1.2%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 19.625 ms [19.422 ms, 19.828 ms] -
appsec 18.605 ms [18.42 ms, 18.791 ms] -1.02 ms (-5.2%)
code_origins 17.779 ms [17.603 ms, 17.956 ms] -1.846 ms (-9.4%)
iast 17.801 ms [17.624 ms, 17.977 ms] -1.824 ms (-9.3%)
profiling 19.092 ms [18.896 ms, 19.287 ms] -533.242 µs (-2.7%)
tracing 18.001 ms [17.822 ms, 18.18 ms] -1.624 ms (-8.3%)
Request duration reports for insecure-bank
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.279 ms [1.266 ms, 1.292 ms] -
iast 3.23 ms [3.192 ms, 3.267 ms] 1.95 ms (152.5%)
iast_FULL 5.939 ms [5.88 ms, 5.999 ms] 4.66 ms (364.3%)
iast_GLOBAL 3.838 ms [3.776 ms, 3.9 ms] 2.559 ms (200.0%)
profiling 2.213 ms [2.194 ms, 2.233 ms] 934.115 µs (73.0%)
tracing 1.877 ms [1.861 ms, 1.894 ms] 597.92 µs (46.7%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.246 ms [1.234 ms, 1.258 ms] -
iast 3.292 ms [3.244 ms, 3.341 ms] 2.046 ms (164.2%)
iast_FULL 5.929 ms [5.87 ms, 5.988 ms] 4.683 ms (375.7%)
iast_GLOBAL 3.623 ms [3.56 ms, 3.686 ms] 2.377 ms (190.7%)
profiling 2.389 ms [2.363 ms, 2.415 ms] 1.143 ms (91.7%)
tracing 1.855 ms [1.841 ms, 1.87 ms] 609.056 µs (48.9%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/APPSEC-61873-3
git_commit_date 1775555215 1775555561
git_commit_sha 4fa94c4 d8a92f8
release_version 1.61.0-SNAPSHOT~4fa94c4f4f 1.61.0-SNAPSHOT~d8a92f8c6d
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1775557648 1775557648
ci_job_id 1572351216 1572351216
ci_pipeline_id 106346023 106346023
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-0-tnssffz0 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-0-tnssffz0 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for biojava
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 14.797 s [14.797 s, 14.797 s] -
appsec 14.858 s [14.858 s, 14.858 s] 61.0 ms (0.4%)
iast 18.952 s [18.952 s, 18.952 s] 4.155 s (28.1%)
iast_GLOBAL 18.086 s [18.086 s, 18.086 s] 3.289 s (22.2%)
profiling 15.186 s [15.186 s, 15.186 s] 389.0 ms (2.6%)
tracing 14.932 s [14.932 s, 14.932 s] 135.0 ms (0.9%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.326 s [15.326 s, 15.326 s] -
appsec 15.034 s [15.034 s, 15.034 s] -292.0 ms (-1.9%)
iast 18.276 s [18.276 s, 18.276 s] 2.95 s (19.2%)
iast_GLOBAL 17.911 s [17.911 s, 17.911 s] 2.585 s (16.9%)
profiling 14.998 s [14.998 s, 14.998 s] -328.0 ms (-2.1%)
tracing 14.894 s [14.894 s, 14.894 s] -432.0 ms (-2.8%)
Execution time for tomcat
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.485 ms [1.473 ms, 1.496 ms] -
appsec 3.845 ms [3.623 ms, 4.067 ms] 2.36 ms (158.9%)
iast 2.273 ms [2.204 ms, 2.342 ms] 788.354 µs (53.1%)
iast_GLOBAL 2.32 ms [2.25 ms, 2.39 ms] 835.218 µs (56.2%)
profiling 2.098 ms [2.043 ms, 2.153 ms] 613.236 µs (41.3%)
tracing 2.087 ms [2.033 ms, 2.14 ms] 601.694 µs (40.5%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.495 ms [1.484 ms, 1.507 ms] -
appsec 3.82 ms [3.599 ms, 4.041 ms] 2.325 ms (155.5%)
iast 2.268 ms [2.199 ms, 2.336 ms] 772.535 µs (51.7%)
iast_GLOBAL 2.313 ms [2.244 ms, 2.382 ms] 817.738 µs (54.7%)
profiling 2.092 ms [2.037 ms, 2.146 ms] 596.584 µs (39.9%)
tracing 2.089 ms [2.035 ms, 2.142 ms] 593.356 µs (39.7%)

@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61873-3 branch from e3d4073 to e2d5ed0 Compare April 6, 2026 08:02
Add GetFilenamesAdvice to all three Jetty AppSec modules to collect
uploaded file names from multipart requests and fire the
requestFilesFilenames() IG callback:

- jetty-appsec-8.1.3: intercepts getParts() return value; includes
  Content-Disposition header fallback for Servlet 3.0 (Jetty 9.0)
  where getSubmittedFileName() is not available
- jetty-appsec-9.2: intercepts no-arg getParts() for Servlet 3.1+
- jetty-appsec-9.3: same, applies to Jetty 9.3, 10, 11

Enable testBodyFilenames() in Jetty 9.x, 10 and 11 server tests.
@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61873-3 branch from f2998c3 to 629f074 Compare April 6, 2026 10:50
@jandro996 jandro996 marked this pull request as ready for review April 6, 2026 13:08
@jandro996 jandro996 requested a review from a team as a code owner April 6, 2026 13:08
}
}
// Fallback: parse filename from Content-Disposition header (Servlet 3.0)
if (name == null) {
Member

Shouldn't this be outside of the main parts loop?

Member Author

Fixed. Restructured into two separate loops chosen once before iteration: if getSubmittedFileName != null (Servlet 3.1+) iterate using that method; otherwise iterate parsing the Content-Disposition header (Servlet 3.0 fallback). No per-part branching inside the loop.

transformer.applyAdvice(
named("extractContentParameters").and(takesArguments(0)).or(named("getParts")),
getClass().getName() + "$ExtractContentParametersAdvice");
transformer.applyAdvice(named("getParts"), getClass().getName() + "$GetFilenamesAdvice");
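Review bot: the GetFilenamesAdvice matcher on the last line is `named("getParts")` with no `takesArguments` restriction, unlike the `takesArguments(0)` applied to `extractContentParameters` two lines up, so it instruments every `getParts` overload; since the no-arg `getParts()` delegates to `getParts(MultiMap)`, the exit advice runs for both frames and the filenames callback fires twice per request. Either narrow the matcher to a single overload or add a call-depth guard so that only the outermost frame reports.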
Member

Same as before

Member Author

Fixed. GetFilenamesAdvice now has a call-depth guard (CallDepthThreadLocalMap with Collection.class) to avoid double-firing when getParts() internally calls getParts(MultiMap)
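The two points settled in the review threads above, choosing the filename strategy once before iterating and guarding the nested getParts() to getParts(MultiMap) call, as an added example that is not the tracer's code: Part and Part31 are stand-ins for javax.servlet.http.Part on Servlet 3.0 and 3.1+, the ThreadLocal counter stands in for CallDepthThreadLocalMap, and the recursive getParts models Jetty's overload pair.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

// Added example, not the tracer's code. Part/Part31 stand in for javax.servlet.http.Part on
// Servlet 3.0 vs 3.1+, and the ThreadLocal counter stands in for CallDepthThreadLocalMap.
public final class MultipartFilenamesExample {
  /** Servlet 3.0 surface: only the part headers are available. */
  public interface Part {
    String getHeader(String name);
  }

  /** Servlet 3.1+ surface adds getSubmittedFileName(). */
  public interface Part31 extends Part {
    String getSubmittedFileName();
  }

  /** Servlet 3.0 fallback: extract filename="..." (quoted or bare) from Content-Disposition, else null. */
  static String filenameFromContentDisposition(String value) {
    if (value == null) return null;
    for (String token : value.split(";")) { // quoted values containing ';' are out of scope here
      String t = token.trim();
      if (t.length() > 9 && t.regionMatches(true, 0, "filename=", 0, 9)) {
        String name = t.substring(9).trim();
        if (name.length() >= 2 && name.startsWith("\"") && name.endsWith("\"")) {
          name = name.substring(1, name.length() - 1);
        }
        return name.isEmpty() ? null : name;
      }
    }
    return null;
  }

  /** Pick the strategy once, then run a single loop with no per-part branching. */
  static List<String> collectFilenames(Collection<? extends Part> parts) {
    List<String> names = new ArrayList<>();
    // The real advice checks once whether getSubmittedFileName exists on the Part class; instanceof models that.
    boolean servlet31 = !parts.isEmpty() && parts.iterator().next() instanceof Part31;
    if (servlet31) {
      for (Part p : parts) {
        String n = ((Part31) p).getSubmittedFileName(); // null for plain form fields
        if (n != null) names.add(n);
      }
    } else {
      for (Part p : parts) {
        String n = filenameFromContentDisposition(p.getHeader("Content-Disposition"));
        if (n != null) names.add(n);
      }
    }
    return names;
  }

  /** Per-thread nesting depth, as CallDepthThreadLocalMap tracks it for Collection.class. */
  private static final ThreadLocal<int[]> DEPTH = ThreadLocal.withInitial(() -> new int[1]);

  // Models the advised overload pair: the no-arg getParts() delegates to getParts(MultiMap), and a
  // named("getParts") matcher instruments both, so without the depth check the callback would fire twice.
  static Collection<Part> getParts(Collection<Part> backing, List<String> reported, boolean noArgOverload) {
    DEPTH.get()[0]++;                                                      // @OnMethodEnter
    try {
      return noArgOverload ? getParts(backing, reported, false) : backing; // inner call re-enters the advice
    } finally {
      if (--DEPTH.get()[0] == 0) {                                         // @OnMethodExit: outermost frame only
        reported.addAll(collectFilenames(backing));                        // stand-in for requestFilesFilenames()
      }
    }
  }

  public static void main(String[] args) {
    // Constructed Servlet 3.0-style request: one upload and one plain text field.
    Collection<Part> parts = new ArrayList<>();
    parts.add(h -> "Content-Disposition".equalsIgnoreCase(h) ? "form-data; name=\"doc\"; filename=\"report.pdf\"" : null);
    parts.add(h -> "Content-Disposition".equalsIgnoreCase(h) ? "form-data; name=\"comment\"" : null);
    List<String> reported = new ArrayList<>();
    getParts(parts, reported, true); // two advised frames, one callback: the upload's name is reported once
    System.out.println(reported);
  }
}
```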

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c732823549


@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61873-3 branch 2 times, most recently from ecf65c5 to eae08aa Compare April 6, 2026 14:13
…MultiMap) path

- jetty-appsec-9.3: add call-depth guard (Collection.class) to GetFilenamesAdvice
  to prevent double callback invocation when getParts() calls getParts(MultiMap) internally
- jetty-appsec-9.2: extend GetFilenamesAdvice matcher to all getParts overloads
  (not just no-arg) to cover getParameter*()/getParameterMap() code paths,
  guarded with same call-depth mechanism to avoid double-firing
@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61873-3 branch 2 times, most recently from 3ab9ff7 to 77ec572 Compare April 7, 2026 07:33
@jandro996 jandro996 enabled auto-merge April 7, 2026 08:52
@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61873-3 branch from 2e72584 to d37e03e Compare April 7, 2026 09:23
@jandro996 jandro996 disabled auto-merge April 7, 2026 09:42
@jandro996 jandro996 marked this pull request as draft April 7, 2026 09:48
@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61873-3 branch from d37e03e to d8a92f8 Compare April 7, 2026 09:52