
feat(appsec): expose uploaded file content as new WAF address server.request.body.files_content for commons-fileupload#11137

Open
jandro996 wants to merge 6 commits into master from alejandro.gonzalez/APPSEC-61875-file-upload-content

Conversation

@jandro996 jandro996 commented Apr 16, 2026

What Does This Do

  • Introduces the server.request.body.files_content address and requestFilesContent() event in the gateway API, wired through GatewayBridge and InstrumentationGateway
  • Extends ServletFileUpload.parseRequest() instrumentation (commons-fileupload) to read up to 4096 bytes of each uploaded file's content and fire the new WAF callback; blocks with a BlockingException on RequestBlockingAction; content event is skipped when the filenames event has already blocked the request

Additional Info

  • Content is capped at 4096 bytes per file to keep memory usage bounded
  • This PR covers the gateway wiring and the commons-fileupload entry point. Coverage for other multipart stacks (Tomcat request.getParts(), Jetty, Liberty) will follow in successive PRs

Contributor Checklist

Jira ticket: APPSEC-61875

Note: Once your PR is ready to merge, add it to the merge queue by commenting /merge. /merge -c cancels the queue request. /merge -f --reason "reason" skips all merge queue checks; please use this judiciously, as some checks do not run at the PR-level. For more information, see this doc.

@github-actions

Hi! 👋 Looks like you updated a Git Submodule.
If this was not intentional please make sure to:

@jandro996 jandro996 added the labels type: enhancement (Enhancements and improvements) and comp: asm waf (Application Security Management (WAF)) Apr 16, 2026
…est.body.files_content

Introduces a new AppSec WAF address `server.request.body.files_content`
(`List<String>`) that exposes the content of each uploaded file in a
multipart/form-data request. Entries correspond positionally to the
existing `server.request.body.filenames` address. Content is capped at
4 096 bytes per file (ISO-8859-1) to keep memory usage bounded.

Changes:
- KnownAddresses: add REQUEST_FILES_CONTENT + forName() case
- Events: add requestFilesContent event (ID 31); FILE_WRITTEN bumped to 32
- InstrumentationGateway: register the new BiFunction case
- GatewayBridge: add onRequestFilesContent handler + DATA_DEPENDENCIES entry
- CommonsFileUploadAppSecModule: after firing filenames, fire content
  (skipped when the filenames event already blocked the request)
- Unit tests: GatewayBridgeSpecification, GatewayBridgeIGRegistrationSpecification,
  KnownAddressesSpecificationForkedTest
- Smoke test: 'block request based on malicious file upload content'
  verifies end-to-end blocking via a custom WAF rule on the new address

Closes APPSEC-61875
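Added example, not code from this PR or from dd-trace-java: a stand-alone Java sketch of the sequence the description and commit message lay out. The filenames event fires first; if it blocks, the content event is skipped (the exception short-circuits before any part is read); otherwise at most 4096 bytes of each part are read as ISO-8859-1 and the positionally aligned list goes to the content callback. `UploadedPart`, `UploadBlockedException`, `readCapped`, `inspect` and the two `Predicate` callbacks standing in for the WAF are assumptions of this example; the real module works on commons-fileupload `FileItem`s through the gateway API, which is not reproduced here.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.function.Predicate;

/** Hypothetical stand-in for one multipart part; the real code reads commons-fileupload FileItems. */
final class UploadedPart {
  final String fileName;
  final byte[] bytes;
  UploadedPart(String fileName, byte[] bytes) { this.fileName = fileName; this.bytes = bytes; }
  InputStream openStream() { return new ByteArrayInputStream(bytes); }
}

/** Hypothetical stand-in for the agent's BlockingException: aborts the request once a callback blocks. */
final class UploadBlockedException extends RuntimeException {
  UploadBlockedException(String address) { super("request blocked on " + address); }
}

public final class UploadContentProbe {
  // Addresses as named in the PR; the cap is the one the description states.
  static final String FILENAMES_ADDRESS = "server.request.body.filenames";
  static final String FILES_CONTENT_ADDRESS = "server.request.body.files_content";
  static final int MAX_CONTENT_BYTES = 4096;

  /**
   * Reads at most MAX_CONTENT_BYTES from the stream and decodes them as ISO-8859-1.
   * ISO-8859-1 maps every byte to exactly one char, so binary uploads never fail to
   * decode and the String length equals the number of bytes inspected. The rest of the
   * stream is left unread, so memory per part is bounded by the cap whatever the upload size.
   */
  static String readCapped(InputStream in) throws IOException {
    byte[] buf = new byte[MAX_CONTENT_BYTES];
    int total = 0;
    while (total < buf.length) {
      int n = in.read(buf, total, buf.length - total);
      if (n < 0) {
        break; // stream shorter than the cap
      }
      total += n;
    }
    return new String(buf, 0, total, StandardCharsets.ISO_8859_1);
  }

  /**
   * Event order from the PR: filenames first; a block there skips the content event entirely.
   * Otherwise every part's capped content is collected so that contents.get(i) belongs to
   * names.get(i), then the content event fires. The predicates stand in for the WAF callbacks
   * and return true when the rule set blocks.
   */
  static List<String> inspect(List<UploadedPart> parts,
                              Predicate<List<String>> filenamesRule,
                              Predicate<List<String>> contentRule) throws IOException {
    List<String> names = new ArrayList<>(parts.size());
    for (UploadedPart p : parts) {
      names.add(p.fileName);
    }
    if (filenamesRule.test(names)) {
      throw new UploadBlockedException(FILENAMES_ADDRESS);
    }
    List<String> contents = new ArrayList<>(parts.size());
    for (UploadedPart p : parts) {
      try (InputStream in = p.openStream()) {
        contents.add(readCapped(in)); // empty parts contribute "" so positions stay aligned
      }
    }
    if (contentRule.test(contents)) {
      throw new UploadBlockedException(FILES_CONTENT_ADDRESS);
    }
    return contents;
  }

  public static void main(String[] args) throws IOException {
    // Constructed sample: a short text part, an empty part, and a 10 KiB part that exceeds the cap.
    byte[] big = new byte[10 * 1024];
    Arrays.fill(big, (byte) 'A');
    List<UploadedPart> parts = Arrays.asList(
        new UploadedPart("notes.txt", "hello upload".getBytes(StandardCharsets.ISO_8859_1)),
        new UploadedPart("empty.txt", new byte[0]),
        new UploadedPart("blob.bin", big));

    // Constructed stand-in rules; a deployment would express these as WAF rules on the two addresses.
    Predicate<List<String>> filenamesRule = names -> names.contains("denied-name.txt");
    Predicate<List<String>> contentRule =
        contents -> contents.stream().anyMatch(c -> c.contains("DENY-MARKER"));

    List<String> contents = inspect(parts, filenamesRule, contentRule);
    for (int i = 0; i < parts.size(); i++) {
      System.out.println(parts.get(i).fileName + " -> " + contents.get(i).length() + " bytes inspected");
    }

    // A part whose content carries the marker is rejected on the content address.
    List<UploadedPart> flagged = Arrays.asList(
        new UploadedPart("x.txt", "prefix DENY-MARKER suffix".getBytes(StandardCharsets.ISO_8859_1)));
    try {
      inspect(flagged, filenamesRule, contentRule);
    } catch (UploadBlockedException e) {
      System.out.println(e.getMessage());
    }
  }
}
```

Run it with `java UploadContentProbe.java` (single-file launch, Java 11 or later). The 10 KiB part reports the cap rather than its full length, which is the property the 4096-byte limit exists to give: inspection cost per part is bounded and the whole file is never buffered for the WAF. The empty part still occupies its slot in the list, so the WAF can pair every content entry with the filename at the same index.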
@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61875-file-upload-content branch from 0de9320 to 37e7d09 Compare April 16, 2026 14:12
@pr-commenter

pr-commenter bot commented Apr 16, 2026

Benchmarks

Startup

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/APPSEC-61875-file-upload-content |
| git_commit_date | 1776286005 | 1776435596 |
| git_commit_sha | 42f154d | 2076c7b |
| release_version | 1.62.0-SNAPSHOT~42f154d2f6 | 1.62.0-SNAPSHOT~2076c7b858 |

See matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1776437477 | 1776437477 |
| ci_job_id | 1605900994 | 1605900994 |
| ci_pipeline_id | 108248837 | 108248837 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-zfyrx7zua-project-304-concurrent-0-jbjsleqn 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux | Linux runner-zfyrx7zua-project-304-concurrent-0-jbjsleqn 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |
| module | Agent | Agent |
| parent | None | None |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 58 metrics, 13 unstable metrics.

Startup time reports for insecure-bank
```mermaid
gantt
    title insecure-bank - global startup overhead: candidate=1.62.0-SNAPSHOT~2076c7b858, baseline=1.62.0-SNAPSHOT~42f154d2f6

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.056 s) : 0, 1056010
Total [baseline] (8.801 s) : 0, 8800870
Agent [candidate] (1.055 s) : 0, 1054887
Total [candidate] (8.824 s) : 0, 8824192
section iast
Agent [baseline] (1.229 s) : 0, 1229264
Total [baseline] (9.567 s) : 0, 9566758
Agent [candidate] (1.225 s) : 0, 1224859
Total [candidate] (9.555 s) : 0, 9555170
```

  • baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.056 s | - |
| Agent | iast | 1.229 s | 173.254 ms (16.4%) |
| Total | tracing | 8.801 s | - |
| Total | iast | 9.567 s | 765.888 ms (8.7%) |

  • candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.055 s | - |
| Agent | iast | 1.225 s | 169.972 ms (16.1%) |
| Total | tracing | 8.824 s | - |
| Total | iast | 9.555 s | 730.978 ms (8.3%) |
```mermaid
gantt
    title insecure-bank - break down per module: candidate=1.62.0-SNAPSHOT~2076c7b858, baseline=1.62.0-SNAPSHOT~42f154d2f6

    dateFormat X
    axisFormat %s
section tracing
crashtracking [baseline] (1.231 ms) : 0, 1231
crashtracking [candidate] (1.212 ms) : 0, 1212
BytebuddyAgent [baseline] (632.776 ms) : 0, 632776
BytebuddyAgent [candidate] (632.056 ms) : 0, 632056
AgentMeter [baseline] (29.666 ms) : 0, 29666
AgentMeter [candidate] (29.364 ms) : 0, 29364
GlobalTracer [baseline] (249.383 ms) : 0, 249383
GlobalTracer [candidate] (248.093 ms) : 0, 248093
AppSec [baseline] (32.604 ms) : 0, 32604
AppSec [candidate] (32.28 ms) : 0, 32280
Debugger [baseline] (59.113 ms) : 0, 59113
Debugger [candidate] (58.901 ms) : 0, 58901
Remote Config [baseline] (587.641 µs) : 0, 588
Remote Config [candidate] (591.474 µs) : 0, 591
Telemetry [baseline] (7.992 ms) : 0, 7992
Telemetry [candidate] (8.046 ms) : 0, 8046
Flare Poller [baseline] (6.569 ms) : 0, 6569
Flare Poller [candidate] (8.153 ms) : 0, 8153
section iast
crashtracking [baseline] (1.254 ms) : 0, 1254
crashtracking [candidate] (1.232 ms) : 0, 1232
BytebuddyAgent [baseline] (806.457 ms) : 0, 806457
BytebuddyAgent [candidate] (802.484 ms) : 0, 802484
AgentMeter [baseline] (11.478 ms) : 0, 11478
AgentMeter [candidate] (11.414 ms) : 0, 11414
GlobalTracer [baseline] (239.313 ms) : 0, 239313
GlobalTracer [candidate] (238.895 ms) : 0, 238895
IAST [baseline] (26.626 ms) : 0, 26626
IAST [candidate] (25.835 ms) : 0, 25835
AppSec [baseline] (29.015 ms) : 0, 29015
AppSec [candidate] (33.621 ms) : 0, 33621
Debugger [baseline] (61.347 ms) : 0, 61347
Debugger [candidate] (59.317 ms) : 0, 59317
Remote Config [baseline] (519.55 µs) : 0, 520
Remote Config [candidate] (1.73 ms) : 0, 1730
Telemetry [baseline] (13.376 ms) : 0, 13376
Telemetry [candidate] (10.562 ms) : 0, 10562
Flare Poller [baseline] (3.425 ms) : 0, 3425
Flare Poller [candidate] (3.457 ms) : 0, 3457
```
Startup time reports for petclinic
```mermaid
gantt
    title petclinic - global startup overhead: candidate=1.62.0-SNAPSHOT~2076c7b858, baseline=1.62.0-SNAPSHOT~42f154d2f6

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.056 s) : 0, 1055642
Total [baseline] (11.054 s) : 0, 11053859
Agent [candidate] (1.064 s) : 0, 1063780
Total [candidate] (11.073 s) : 0, 11072765
section appsec
Agent [baseline] (1.249 s) : 0, 1248628
Total [baseline] (11.15 s) : 0, 11150035
Agent [candidate] (1.247 s) : 0, 1247077
Total [candidate] (11.227 s) : 0, 11226861
section iast
Agent [baseline] (1.222 s) : 0, 1222270
Total [baseline] (11.351 s) : 0, 11351259
Agent [candidate] (1.23 s) : 0, 1229792
Total [candidate] (11.214 s) : 0, 11214205
section profiling
Agent [baseline] (1.191 s) : 0, 1191111
Total [baseline] (11.184 s) : 0, 11184434
Agent [candidate] (1.187 s) : 0, 1186505
Total [candidate] (11.099 s) : 0, 11099289
```

  • baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.056 s | - |
| Agent | appsec | 1.249 s | 192.986 ms (18.3%) |
| Agent | iast | 1.222 s | 166.628 ms (15.8%) |
| Agent | profiling | 1.191 s | 135.47 ms (12.8%) |
| Total | tracing | 11.054 s | - |
| Total | appsec | 11.15 s | 96.177 ms (0.9%) |
| Total | iast | 11.351 s | 297.4 ms (2.7%) |
| Total | profiling | 11.184 s | 130.575 ms (1.2%) |

  • candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.064 s | - |
| Agent | appsec | 1.247 s | 183.297 ms (17.2%) |
| Agent | iast | 1.23 s | 166.012 ms (15.6%) |
| Agent | profiling | 1.187 s | 122.725 ms (11.5%) |
| Total | tracing | 11.073 s | - |
| Total | appsec | 11.227 s | 154.096 ms (1.4%) |
| Total | iast | 11.214 s | 141.44 ms (1.3%) |
| Total | profiling | 11.099 s | 26.525 ms (0.2%) |
```mermaid
gantt
    title petclinic - break down per module: candidate=1.62.0-SNAPSHOT~2076c7b858, baseline=1.62.0-SNAPSHOT~42f154d2f6

    dateFormat X
    axisFormat %s
section tracing
crashtracking [baseline] (1.232 ms) : 0, 1232
crashtracking [candidate] (1.237 ms) : 0, 1237
BytebuddyAgent [baseline] (630.999 ms) : 0, 630999
BytebuddyAgent [candidate] (634.802 ms) : 0, 634802
AgentMeter [baseline] (29.325 ms) : 0, 29325
AgentMeter [candidate] (29.454 ms) : 0, 29454
GlobalTracer [baseline] (248.174 ms) : 0, 248174
GlobalTracer [candidate] (250.178 ms) : 0, 250178
AppSec [baseline] (32.181 ms) : 0, 32181
AppSec [candidate] (32.448 ms) : 0, 32448
Debugger [baseline] (59.821 ms) : 0, 59821
Debugger [candidate] (60.222 ms) : 0, 60222
Remote Config [baseline] (595.27 µs) : 0, 595
Remote Config [candidate] (596.699 µs) : 0, 597
Telemetry [baseline] (8.05 ms) : 0, 8050
Telemetry [candidate] (8.152 ms) : 0, 8152
Flare Poller [baseline] (9.088 ms) : 0, 9088
Flare Poller [candidate] (10.493 ms) : 0, 10493
section appsec
crashtracking [baseline] (1.234 ms) : 0, 1234
crashtracking [candidate] (1.216 ms) : 0, 1216
BytebuddyAgent [baseline] (661.596 ms) : 0, 661596
BytebuddyAgent [candidate] (661.117 ms) : 0, 661117
AgentMeter [baseline] (12.104 ms) : 0, 12104
AgentMeter [candidate] (12.035 ms) : 0, 12035
GlobalTracer [baseline] (249.068 ms) : 0, 249068
GlobalTracer [candidate] (248.577 ms) : 0, 248577
IAST [baseline] (24.58 ms) : 0, 24580
IAST [candidate] (24.627 ms) : 0, 24627
AppSec [baseline] (185.044 ms) : 0, 185044
AppSec [candidate] (184.686 ms) : 0, 184686
Debugger [baseline] (65.947 ms) : 0, 65947
Debugger [candidate] (65.997 ms) : 0, 65997
Remote Config [baseline] (627.366 µs) : 0, 627
Remote Config [candidate] (609.841 µs) : 0, 610
Telemetry [baseline] (8.485 ms) : 0, 8485
Telemetry [candidate] (8.381 ms) : 0, 8381
Flare Poller [baseline] (3.535 ms) : 0, 3535
Flare Poller [candidate] (3.536 ms) : 0, 3536
section iast
crashtracking [baseline] (1.234 ms) : 0, 1234
crashtracking [candidate] (1.223 ms) : 0, 1223
BytebuddyAgent [baseline] (799.969 ms) : 0, 799969
BytebuddyAgent [candidate] (804.544 ms) : 0, 804544
AgentMeter [baseline] (11.382 ms) : 0, 11382
AgentMeter [candidate] (11.464 ms) : 0, 11464
GlobalTracer [baseline] (238.643 ms) : 0, 238643
GlobalTracer [candidate] (240.44 ms) : 0, 240440
IAST [baseline] (25.742 ms) : 0, 25742
IAST [candidate] (26.7 ms) : 0, 26700
AppSec [baseline] (32.787 ms) : 0, 32787
AppSec [candidate] (31.343 ms) : 0, 31343
Debugger [baseline] (59.402 ms) : 0, 59402
Debugger [candidate] (61.575 ms) : 0, 61575
Remote Config [baseline] (550.043 µs) : 0, 550
Remote Config [candidate] (2.911 ms) : 0, 2911
Telemetry [baseline] (12.933 ms) : 0, 12933
Telemetry [candidate] (9.965 ms) : 0, 9965
Flare Poller [baseline] (3.495 ms) : 0, 3495
Flare Poller [candidate] (3.435 ms) : 0, 3435
section profiling
crashtracking [baseline] (1.188 ms) : 0, 1188
crashtracking [candidate] (1.169 ms) : 0, 1169
BytebuddyAgent [baseline] (696.235 ms) : 0, 696235
BytebuddyAgent [candidate] (692.971 ms) : 0, 692971
AgentMeter [baseline] (9.149 ms) : 0, 9149
AgentMeter [candidate] (9.128 ms) : 0, 9128
GlobalTracer [baseline] (207.797 ms) : 0, 207797
GlobalTracer [candidate] (207.633 ms) : 0, 207633
AppSec [baseline] (32.907 ms) : 0, 32907
AppSec [candidate] (32.864 ms) : 0, 32864
Debugger [baseline] (66.033 ms) : 0, 66033
Debugger [candidate] (65.793 ms) : 0, 65793
Remote Config [baseline] (578.699 µs) : 0, 579
Remote Config [candidate] (575.981 µs) : 0, 576
Telemetry [baseline] (7.812 ms) : 0, 7812
Telemetry [candidate] (7.761 ms) : 0, 7761
Flare Poller [baseline] (3.58 ms) : 0, 3580
Flare Poller [candidate] (3.541 ms) : 0, 3541
ProfilingAgent [baseline] (94.233 ms) : 0, 94233
ProfilingAgent [candidate] (93.823 ms) : 0, 93823
Profiling [baseline] (94.796 ms) : 0, 94796
Profiling [candidate] (94.393 ms) : 0, 94393
```

Load

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/APPSEC-61875-file-upload-content |
| git_commit_date | 1776286005 | 1776435596 |
| git_commit_sha | 42f154d | 2076c7b |
| release_version | 1.62.0-SNAPSHOT~42f154d2f6 | 1.62.0-SNAPSHOT~2076c7b858 |

See matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | insecure-bank | insecure-bank |
| ci_job_date | 1776437954 | 1776437954 |
| ci_job_id | 1605900999 | 1605900999 |
| ci_pipeline_id | 108248837 | 108248837 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-zfyrx7zua-project-304-concurrent-0-9bkbglk0 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux | Linux runner-zfyrx7zua-project-304-concurrent-0-9bkbglk0 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |

Summary

Found 2 performance improvements and 3 performance regressions! Performance is the same for 15 metrics, 16 unstable metrics.

| scenario | Δ mean agg_http_req_duration_p50 | Δ mean agg_http_req_duration_p95 | Δ mean throughput | candidate mean agg_http_req_duration_p50 | candidate mean agg_http_req_duration_p95 | candidate mean throughput | baseline mean agg_http_req_duration_p50 | baseline mean agg_http_req_duration_p95 | baseline mean throughput |
|---|---|---|---|---|---|---|---|---|---|
| scenario:load:insecure-bank:iast:high_load | worse [+52.114µs; +162.096µs] or [+2.009%; +6.249%] | same [-108.705µs; +488.989µs] or [-1.413%; +6.356%] | unstable [-188.478op/s; +105.040op/s] or [-13.785%; +7.683%] | 2.701ms | 7.883ms | 1325.531op/s | 2.594ms | 7.693ms | 1367.250op/s |
| scenario:load:insecure-bank:tracing:high_load | better [-165.599µs; -65.699µs] or [-9.894%; -3.925%] | unstable [-1130.698µs; -314.961µs] or [-22.983%; -6.402%] | unstable [-28.618op/s; +491.930op/s] or [-1.323%; +22.736%] | 1.558ms | 4.197ms | 2395.312op/s | 1.674ms | 4.920ms | 2163.656op/s |
| scenario:load:insecure-bank:profiling:high_load | better [-227.090µs; -65.129µs] or [-12.597%; -3.613%] | unstable [-1305.599µs; -215.649µs] or [-24.018%; -3.967%] | unstable [+35.599op/s; +557.276op/s] or [+1.841%; +28.824%] | 1.657ms | 4.675ms | 2229.844op/s | 1.803ms | 5.436ms | 1933.406op/s |
| scenario:load:petclinic:profiling:high_load | worse [+1.205ms; +1.919ms] or [+6.683%; +10.648%] | worse [+1.554ms; +2.705ms] or [+5.343%; +9.303%] | unstable [-44.466op/s; +5.029op/s] or [-17.451%; +1.973%] | 19.585ms | 31.210ms | 235.094op/s | 18.023ms | 29.081ms | 254.812op/s |
Request duration reports for insecure-bank
```mermaid
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.62.0-SNAPSHOT~2076c7b858, baseline=1.62.0-SNAPSHOT~42f154d2f6
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.227 ms) : 1216, 1238
.   : milestone, 1227,
iast (3.349 ms) : 3301, 3396
.   : milestone, 3349,
iast_FULL (6.049 ms) : 5988, 6111
.   : milestone, 6049,
iast_GLOBAL (3.675 ms) : 3620, 3730
.   : milestone, 3675,
profiling (2.336 ms) : 2313, 2359
.   : milestone, 2336,
tracing (2.088 ms) : 2070, 2107
.   : milestone, 2088,
section candidate
no_agent (1.242 ms) : 1230, 1253
.   : milestone, 1242,
iast (3.456 ms) : 3407, 3506
.   : milestone, 3456,
iast_FULL (5.85 ms) : 5792, 5909
.   : milestone, 5850,
iast_GLOBAL (3.75 ms) : 3681, 3818
.   : milestone, 3750,
profiling (2.024 ms) : 2005, 2043
.   : milestone, 2024,
tracing (1.878 ms) : 1862, 1894
.   : milestone, 1878,
```

  • baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.227 ms [1.216 ms, 1.238 ms] | - |
| iast | 3.349 ms [3.301 ms, 3.396 ms] | 2.122 ms (172.9%) |
| iast_FULL | 6.049 ms [5.988 ms, 6.111 ms] | 4.822 ms (393.0%) |
| iast_GLOBAL | 3.675 ms [3.62 ms, 3.73 ms] | 2.448 ms (199.5%) |
| profiling | 2.336 ms [2.313 ms, 2.359 ms] | 1.109 ms (90.4%) |
| tracing | 2.088 ms [2.07 ms, 2.107 ms] | 861.168 µs (70.2%) |

  • candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.242 ms [1.23 ms, 1.253 ms] | - |
| iast | 3.456 ms [3.407 ms, 3.506 ms] | 2.215 ms (178.3%) |
| iast_FULL | 5.85 ms [5.792 ms, 5.909 ms] | 4.609 ms (371.1%) |
| iast_GLOBAL | 3.75 ms [3.681 ms, 3.818 ms] | 2.508 ms (201.9%) |
| profiling | 2.024 ms [2.005 ms, 2.043 ms] | 782.024 µs (63.0%) |
| tracing | 1.878 ms [1.862 ms, 1.894 ms] | 636.418 µs (51.2%) |
Request duration reports for petclinic
```mermaid
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.62.0-SNAPSHOT~2076c7b858, baseline=1.62.0-SNAPSHOT~42f154d2f6
    dateFormat X
    axisFormat %s
section baseline
no_agent (18.119 ms) : 17937, 18302
.   : milestone, 18119,
appsec (18.876 ms) : 18681, 19070
.   : milestone, 18876,
code_origins (18.19 ms) : 18007, 18373
.   : milestone, 18190,
iast (18.51 ms) : 18326, 18693
.   : milestone, 18510,
profiling (18.311 ms) : 18129, 18493
.   : milestone, 18311,
tracing (17.884 ms) : 17707, 18061
.   : milestone, 17884,
section candidate
no_agent (17.963 ms) : 17780, 18145
.   : milestone, 17963,
appsec (18.608 ms) : 18422, 18794
.   : milestone, 18608,
code_origins (17.881 ms) : 17705, 18056
.   : milestone, 17881,
iast (18.41 ms) : 18228, 18593
.   : milestone, 18410,
profiling (19.856 ms) : 19657, 20056
.   : milestone, 19856,
tracing (17.853 ms) : 17674, 18031
.   : milestone, 17853,
```

  • baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 18.119 ms [17.937 ms, 18.302 ms] | - |
| appsec | 18.876 ms [18.681 ms, 19.07 ms] | 756.445 µs (4.2%) |
| code_origins | 18.19 ms [18.007 ms, 18.373 ms] | 70.733 µs (0.4%) |
| iast | 18.51 ms [18.326 ms, 18.693 ms] | 390.295 µs (2.2%) |
| profiling | 18.311 ms [18.129 ms, 18.493 ms] | 191.587 µs (1.1%) |
| tracing | 17.884 ms [17.707 ms, 18.061 ms] | -235.188 µs (-1.3%) |

  • candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 17.963 ms [17.78 ms, 18.145 ms] | - |
| appsec | 18.608 ms [18.422 ms, 18.794 ms] | 645.179 µs (3.6%) |
| code_origins | 17.881 ms [17.705 ms, 18.056 ms] | -82.049 µs (-0.5%) |
| iast | 18.41 ms [18.228 ms, 18.593 ms] | 447.786 µs (2.5%) |
| profiling | 19.856 ms [19.657 ms, 20.056 ms] | 1.894 ms (10.5%) |
| tracing | 17.853 ms [17.674 ms, 18.031 ms] | -109.819 µs (-0.6%) |

Dacapo

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/APPSEC-61875-file-upload-content |
| git_commit_date | 1776286005 | 1776435596 |
| git_commit_sha | 42f154d | 2076c7b |
| release_version | 1.62.0-SNAPSHOT~42f154d2f6 | 1.62.0-SNAPSHOT~2076c7b858 |

See matching parameters

| | Baseline | Candidate |
|---|---|---|
| application | biojava | biojava |
| ci_job_date | 1776437706 | 1776437706 |
| ci_job_id | 1605901002 | 1605901002 |
| ci_pipeline_id | 108248837 | 108248837 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-zfyrx7zua-project-304-concurrent-0-a0hut25d 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux | Linux runner-zfyrx7zua-project-304-concurrent-0-a0hut25d 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for biojava
```mermaid
gantt
    title biojava - execution time [CI 0.99] : candidate=1.62.0-SNAPSHOT~2076c7b858, baseline=1.62.0-SNAPSHOT~42f154d2f6
    dateFormat X
    axisFormat %s
section baseline
no_agent (15.122 s) : 15122000, 15122000
.   : milestone, 15122000,
appsec (14.77 s) : 14770000, 14770000
.   : milestone, 14770000,
iast (18.08 s) : 18080000, 18080000
.   : milestone, 18080000,
iast_GLOBAL (18.065 s) : 18065000, 18065000
.   : milestone, 18065000,
profiling (14.907 s) : 14907000, 14907000
.   : milestone, 14907000,
tracing (14.93 s) : 14930000, 14930000
.   : milestone, 14930000,
section candidate
no_agent (15.025 s) : 15025000, 15025000
.   : milestone, 15025000,
appsec (14.606 s) : 14606000, 14606000
.   : milestone, 14606000,
iast (18.181 s) : 18181000, 18181000
.   : milestone, 18181000,
iast_GLOBAL (18.085 s) : 18085000, 18085000
.   : milestone, 18085000,
profiling (14.859 s) : 14859000, 14859000
.   : milestone, 14859000,
tracing (15.13 s) : 15130000, 15130000
.   : milestone, 15130000,
```

  • baseline results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 15.122 s [15.122 s, 15.122 s] | - |
| appsec | 14.77 s [14.77 s, 14.77 s] | -352.0 ms (-2.3%) |
| iast | 18.08 s [18.08 s, 18.08 s] | 2.958 s (19.6%) |
| iast_GLOBAL | 18.065 s [18.065 s, 18.065 s] | 2.943 s (19.5%) |
| profiling | 14.907 s [14.907 s, 14.907 s] | -215.0 ms (-1.4%) |
| tracing | 14.93 s [14.93 s, 14.93 s] | -192.0 ms (-1.3%) |

  • candidate results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 15.025 s [15.025 s, 15.025 s] | - |
| appsec | 14.606 s [14.606 s, 14.606 s] | -419.0 ms (-2.8%) |
| iast | 18.181 s [18.181 s, 18.181 s] | 3.156 s (21.0%) |
| iast_GLOBAL | 18.085 s [18.085 s, 18.085 s] | 3.06 s (20.4%) |
| profiling | 14.859 s [14.859 s, 14.859 s] | -166.0 ms (-1.1%) |
| tracing | 15.13 s [15.13 s, 15.13 s] | 105.0 ms (0.7%) |
Execution time for tomcat
```mermaid
gantt
    title tomcat - execution time [CI 0.99] : candidate=1.62.0-SNAPSHOT~2076c7b858, baseline=1.62.0-SNAPSHOT~42f154d2f6
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.485 ms) : 1474, 1497
.   : milestone, 1485,
appsec (2.53 ms) : 2475, 2584
.   : milestone, 2530,
iast (2.265 ms) : 2195, 2334
.   : milestone, 2265,
iast_GLOBAL (2.308 ms) : 2239, 2376
.   : milestone, 2308,
profiling (2.084 ms) : 2030, 2138
.   : milestone, 2084,
tracing (2.073 ms) : 2020, 2126
.   : milestone, 2073,
section candidate
no_agent (1.489 ms) : 1478, 1501
.   : milestone, 1489,
appsec (2.541 ms) : 2486, 2596
.   : milestone, 2541,
iast (2.268 ms) : 2199, 2337
.   : milestone, 2268,
iast_GLOBAL (2.31 ms) : 2241, 2380
.   : milestone, 2310,
profiling (2.103 ms) : 2048, 2158
.   : milestone, 2103,
tracing (2.091 ms) : 2038, 2145
.   : milestone, 2091,
```

  • baseline results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.485 ms [1.474 ms, 1.497 ms] | - |
| appsec | 2.53 ms [2.475 ms, 2.584 ms] | 1.045 ms (70.3%) |
| iast | 2.265 ms [2.195 ms, 2.334 ms] | 779.234 µs (52.5%) |
| iast_GLOBAL | 2.308 ms [2.239 ms, 2.376 ms] | 822.407 µs (55.4%) |
| profiling | 2.084 ms [2.03 ms, 2.138 ms] | 598.683 µs (40.3%) |
| tracing | 2.073 ms [2.02 ms, 2.126 ms] | 587.826 µs (39.6%) |

  • candidate results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.489 ms [1.478 ms, 1.501 ms] | - |
| appsec | 2.541 ms [2.486 ms, 2.596 ms] | 1.052 ms (70.6%) |
| iast | 2.268 ms [2.199 ms, 2.337 ms] | 778.977 µs (52.3%) |
| iast_GLOBAL | 2.31 ms [2.241 ms, 2.38 ms] | 821.201 µs (55.1%) |
| profiling | 2.103 ms [2.048 ms, 2.158 ms] | 613.665 µs (41.2%) |
| tracing | 2.091 ms [2.038 ms, 2.145 ms] | 601.976 µs (40.4%) |

@jandro996 jandro996 changed the title from "feat(appsec): expose uploaded file content as new WAF address (APPSEC-61875)" to "feat(appsec): expose uploaded file content as new WAF address server.request.body.files_content" Apr 17, 2026
@jandro996 jandro996 marked this pull request as ready for review April 17, 2026 07:50
@jandro996 jandro996 requested a review from a team as a code owner April 17, 2026 07:50
@jandro996 jandro996 changed the title from "feat(appsec): expose uploaded file content as new WAF address server.request.body.files_content" to "feat(appsec): expose uploaded file content as new WAF address server.request.body.files_content for commons-fileupload" Apr 17, 2026

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: baf17b2c8e


@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61875-file-upload-content branch from baf17b2 to 304846b Compare April 17, 2026 07:57
@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61875-file-upload-content branch from a36ff44 to 22d70a0 Compare April 17, 2026 12:55
@jandro996 jandro996 requested a review from a team as a code owner April 17, 2026 12:55
The static readContent method in ParseRequestAdvice created a self-reference
in the inlined advice bytecode (invokestatic on CommonsFileUploadAppSecModule$ParseRequestAdvice)
that muzzle could not resolve in the application classloader, causing the
instrumentation to be silently skipped.

Moves readContent to a new FileItemContentReader helper class declared via
helperClassNames(), which muzzle skips and the HelperInjector injects into
the application classloader at runtime.
@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61875-file-upload-content branch from 4610028 to 2076c7b Compare April 17, 2026 14:20