Add server.request.body.filenames support for Jersey and RESTEasy #11171

Open
jandro996 wants to merge 1 commit into master from alejandro.gonzalez/APPSEC-61873-5-jersey-resteasy
Conversation

@jandro996
Member

What Does This Do

Instruments Jersey 2.x, Jersey 3.x, and RESTEasy 3.x multipart request handling to fire the requestFilesFilenames AppSec gateway event, enabling WAF rules that act on uploaded file names.

| Module | Framework | Changes |
|---|---|---|
| jersey-appsec-2.0 | Jersey 2.x | Added exit advice on MultiPartReaderServerSide.readMultiPart() to iterate FormDataBodyPart instances and extract filenames via FormDataContentDisposition.getFileName() |
| jersey-appsec-3.0 | Jersey 3.x | Identical to 2.x but compiled against jakarta.* imports |
| resteasy-appsec-3.0 | RESTEasy 3.x | Added filename extraction to the existing readFrom() advice; parses the Content-Disposition header manually (split on ";", looks for filename=) since RESTEasy's InputPart API does not expose filenames directly |

Motivation

Part of APPSEC-61873: server.request.body.filenames implementation across server frameworks.

Additional Notes

Depends on #10949 and #10973 (both merged).

Contributor Checklist

@jandro996 jandro996 added the "type: enhancement" (Enhancements and improvements) and "comp: asm waf" (Application Security Management (WAF)) labels Apr 21, 2026
@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61873-5-jersey-resteasy branch from 5ca9b2f to 86c4da5 April 21, 2026 13:10
@jandro996
Member Author

@codex review

@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61873-5-jersey-resteasy branch from 1123a3b to 510fca6 April 21, 2026 13:36
pr-commenter Bot commented Apr 21, 2026

Benchmarks

Startup

Parameters

| Parameter | baseline | candidate |
|---|---|---|
| git_branch | master | alejandro.gonzalez/APPSEC-61873-5-jersey-resteasy |
| git_commit_date | 1776642285 | 1776855026 |
| git_commit_sha | 081af53 | 21a5777 |
| release_version | 1.62.0-SNAPSHOT~081af53226 | 1.62.0-SNAPSHOT~21a57776c3 |

Matching parameters (identical for baseline and candidate):

| Parameter | Value |
|---|---|
| application | insecure-bank |
| ci_job_date | 1776856803 |
| ci_job_id | 1618978009 |
| ci_pipeline_id | 109001300 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-zfyrx7zua-project-304-concurrent-0-a6kyewkl 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |
| module | Agent |
| parent | None |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 61 metrics, 10 unstable metrics.

Startup time reports for petclinic
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.061 s -
Agent appsec 1.248 s 187.326 ms (17.7%)
Agent iast 1.226 s 165.793 ms (15.6%)
Agent profiling 1.184 s 123.512 ms (11.6%)
Total tracing 11.157 s -
Total appsec 11.13 s -26.996 ms (-0.2%)
Total iast 11.386 s 228.473 ms (2.0%)
Total profiling 11.039 s -117.678 ms (-1.1%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.06 s -
Agent appsec 1.247 s 187.48 ms (17.7%)
Agent iast 1.225 s 165.562 ms (15.6%)
Agent profiling 1.189 s 129.324 ms (12.2%)
Total tracing 10.988 s -
Total appsec 11.113 s 124.725 ms (1.1%)
Total iast 11.316 s 328.719 ms (3.0%)
Total profiling 11.062 s 74.208 ms (0.7%)
petclinic - break down per module: candidate=1.62.0-SNAPSHOT~21a57776c3, baseline=1.62.0-SNAPSHOT~081af53226

tracing

| Module | baseline | candidate |
|---|---|---|
| crashtracking | 1.231 ms | 1.235 ms |
| BytebuddyAgent | 634.04 ms | 634.944 ms |
| AgentMeter | 29.586 ms | 29.608 ms |
| GlobalTracer | 249.328 ms | 249.176 ms |
| AppSec | 32.477 ms | 32.371 ms |
| Debugger | 60.012 ms | 60.024 ms |
| Remote Config | 595.114 µs | 591.257 µs |
| Telemetry | 8.056 ms | 8.002 ms |
| Flare Poller | 9.114 ms | 7.499 ms |

appsec

| Module | baseline | candidate |
|---|---|---|
| crashtracking | 1.22 ms | 1.206 ms |
| BytebuddyAgent | 661.637 ms | 660.792 ms |
| AgentMeter | 12.248 ms | 12.207 ms |
| GlobalTracer | 248.978 ms | 248.433 ms |
| AppSec | 185.012 ms | 185.219 ms |
| Debugger | 65.661 ms | 66.223 ms |
| Remote Config | 594.784 µs | 603.785 µs |
| Telemetry | 8.34 ms | 8.293 ms |
| Flare Poller | 3.446 ms | 3.509 ms |
| IAST | 24.498 ms | 24.493 ms |

iast

| Module | baseline | candidate |
|---|---|---|
| crashtracking | 1.216 ms | 1.227 ms |
| BytebuddyAgent | 802.019 ms | 801.985 ms |
| AgentMeter | 11.609 ms | 11.575 ms |
| GlobalTracer | 240.095 ms | 239.469 ms |
| AppSec | 31.86 ms | 32.561 ms |
| Debugger | 64.21 ms | 63.205 ms |
| Remote Config | 539.261 µs | 541.209 µs |
| Telemetry | 9.376 ms | 9.311 ms |
| Flare Poller | 3.546 ms | 3.578 ms |
| IAST | 25.798 ms | 25.751 ms |

profiling

| Module | baseline | candidate |
|---|---|---|
| ProfilingAgent | 93.987 ms | 93.687 ms |
| crashtracking | 1.178 ms | 1.19 ms |
| BytebuddyAgent | 691.33 ms | 694.311 ms |
| AgentMeter | 9.165 ms | 9.174 ms |
| GlobalTracer | 206.807 ms | 207.935 ms |
| AppSec | 32.632 ms | 33.186 ms |
| Debugger | 65.89 ms | 66.096 ms |
| Remote Config | 573.614 µs | 569.87 µs |
| Telemetry | 7.791 ms | 7.835 ms |
| Flare Poller | 3.556 ms | 3.525 ms |
| Profiling | 94.552 ms | 94.246 ms |
Startup time reports for insecure-bank
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.067 s -
Agent iast 1.232 s 165.186 ms (15.5%)
Total tracing 8.838 s -
Total iast 9.569 s 731.539 ms (8.3%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.059 s -
Agent iast 1.233 s 174.587 ms (16.5%)
Total tracing 8.824 s -
Total iast 9.581 s 756.442 ms (8.6%)
insecure-bank - break down per module: candidate=1.62.0-SNAPSHOT~21a57776c3, baseline=1.62.0-SNAPSHOT~081af53226

tracing

| Module | baseline | candidate |
|---|---|---|
| crashtracking | 1.25 ms | 1.224 ms |
| BytebuddyAgent | 639.16 ms | 634.13 ms |
| AgentMeter | 29.757 ms | 29.522 ms |
| GlobalTracer | 250.81 ms | 249.369 ms |
| AppSec | 32.69 ms | 32.457 ms |
| Debugger | 59.59 ms | 58.928 ms |
| Remote Config | 647.475 µs | 591.153 µs |
| Telemetry | 8.05 ms | 9.492 ms |
| Flare Poller | 8.304 ms | 6.665 ms |

iast

| Module | baseline | candidate |
|---|---|---|
| crashtracking | 1.248 ms | 1.233 ms |
| BytebuddyAgent | 808.46 ms | 808.211 ms |
| AgentMeter | 11.719 ms | 11.902 ms |
| GlobalTracer | 239.273 ms | 240.775 ms |
| IAST | 25.753 ms | 26.006 ms |
| AppSec | 31.115 ms | 32.084 ms |
| Debugger | 64.3 ms | 63.422 ms |
| Remote Config | 532.958 µs | 526.65 µs |
| Telemetry | 9.357 ms | 9.194 ms |
| Flare Poller | 3.621 ms | 3.558 ms |

Load

Parameters

| Parameter | baseline | candidate |
|---|---|---|
| git_branch | master | alejandro.gonzalez/APPSEC-61873-5-jersey-resteasy |
| git_commit_date | 1776642285 | 1776855026 |
| git_commit_sha | 081af53 | 21a5777 |
| release_version | 1.62.0-SNAPSHOT~081af53226 | 1.62.0-SNAPSHOT~21a57776c3 |

Matching parameters (identical for baseline and candidate):

| Parameter | Value |
|---|---|
| application | insecure-bank |
| ci_job_date | 1776857305 |
| ci_job_id | 1618978010 |
| ci_pipeline_id | 109001300 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-zfyrx7zua-project-304-concurrent-1-rj6bpwcc 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |

Summary

Found 0 performance improvements and 3 performance regressions! Performance is the same for 17 metrics, 16 unstable metrics.

scenario:load:insecure-bank:iast_GLOBAL:high_load
  • Δ mean agg_http_req_duration_p50: worse, [+88.249µs; +193.742µs] or [+3.059%; +6.716%]
  • Δ mean agg_http_req_duration_p95: unsure, [+26.262µs; +476.350µs] or [+0.321%; +5.821%]
  • Δ mean throughput: unstable, [-193.219op/s; +105.469op/s] or [-15.511%; +8.467%]
  • candidate mean: agg_http_req_duration_p50 3.026ms, agg_http_req_duration_p95 8.434ms, throughput 1201.781op/s
  • baseline mean: agg_http_req_duration_p50 2.885ms, agg_http_req_duration_p95 8.183ms, throughput 1245.656op/s

scenario:load:petclinic:profiling:high_load
  • Δ mean agg_http_req_duration_p50: worse, [+371.259µs; +1447.094µs] or [+2.062%; +8.037%]
  • Δ mean agg_http_req_duration_p95: worse, [+0.924ms; +2.451ms] or [+3.180%; +8.436%]
  • Δ mean throughput: unstable, [-45.007op/s; +1.118op/s] or [-17.034%; +0.423%]
  • candidate mean: agg_http_req_duration_p50 18.914ms, agg_http_req_duration_p95 30.739ms, throughput 242.281op/s
  • baseline mean: agg_http_req_duration_p50 18.005ms, agg_http_req_duration_p95 29.052ms, throughput 264.226op/s
Request duration reports for petclinic
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 19.088 ms [18.895 ms, 19.281 ms] -
appsec 18.728 ms [18.538 ms, 18.917 ms] -360.174 µs (-1.9%)
code_origins 17.974 ms [17.796 ms, 18.152 ms] -1.114 ms (-5.8%)
iast 17.97 ms [17.795 ms, 18.145 ms] -1.118 ms (-5.9%)
profiling 18.23 ms [18.049 ms, 18.411 ms] -858.035 µs (-4.5%)
tracing 18.316 ms [18.136 ms, 18.496 ms] -772.032 µs (-4.0%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 19.343 ms [19.143 ms, 19.543 ms] -
appsec 18.838 ms [18.65 ms, 19.026 ms] -504.6 µs (-2.6%)
code_origins 18.309 ms [18.129 ms, 18.49 ms] -1.033 ms (-5.3%)
iast 17.773 ms [17.597 ms, 17.95 ms] -1.569 ms (-8.1%)
profiling 19.262 ms [19.066 ms, 19.458 ms] -80.634 µs (-0.4%)
tracing 18.006 ms [17.826 ms, 18.185 ms] -1.337 ms (-6.9%)
Request duration reports for insecure-bank
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.28 ms [1.269 ms, 1.292 ms] -
iast 3.318 ms [3.274 ms, 3.363 ms] 2.038 ms (159.2%)
iast_FULL 5.978 ms [5.917 ms, 6.038 ms] 4.698 ms (366.9%)
iast_GLOBAL 3.683 ms [3.619 ms, 3.747 ms] 2.403 ms (187.7%)
profiling 2.182 ms [2.162 ms, 2.202 ms] 901.532 µs (70.4%)
tracing 1.879 ms [1.863 ms, 1.895 ms] 598.738 µs (46.8%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.244 ms [1.233 ms, 1.255 ms] -
iast 3.365 ms [3.316 ms, 3.415 ms] 2.121 ms (170.4%)
iast_FULL 5.961 ms [5.902 ms, 6.02 ms] 4.717 ms (379.1%)
iast_GLOBAL 3.82 ms [3.75 ms, 3.889 ms] 2.575 ms (207.0%)
profiling 2.2 ms [2.178 ms, 2.221 ms] 955.272 µs (76.8%)
tracing 1.861 ms [1.846 ms, 1.876 ms] 616.482 µs (49.5%)

Dacapo

Parameters

| Parameter | baseline | candidate |
|---|---|---|
| git_branch | master | alejandro.gonzalez/APPSEC-61873-5-jersey-resteasy |
| git_commit_date | 1776642285 | 1776855026 |
| git_commit_sha | 081af53 | 21a5777 |
| release_version | 1.62.0-SNAPSHOT~081af53226 | 1.62.0-SNAPSHOT~21a57776c3 |

Matching parameters (identical for baseline and candidate):

| Parameter | Value |
|---|---|
| application | biojava |
| ci_job_date | 1776857004 |
| ci_job_id | 1618978011 |
| ci_pipeline_id | 109001300 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-zfyrx7zua-project-304-concurrent-1-ya3njrkr 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for biojava
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.685 s [15.685 s, 15.685 s] -
appsec 14.763 s [14.763 s, 14.763 s] -922.0 ms (-5.9%)
iast 18.421 s [18.421 s, 18.421 s] 2.736 s (17.4%)
iast_GLOBAL 18.073 s [18.073 s, 18.073 s] 2.388 s (15.2%)
profiling 14.954 s [14.954 s, 14.954 s] -731.0 ms (-4.7%)
tracing 14.979 s [14.979 s, 14.979 s] -706.0 ms (-4.5%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.319 s [15.319 s, 15.319 s] -
appsec 14.823 s [14.823 s, 14.823 s] -496.0 ms (-3.2%)
iast 18.059 s [18.059 s, 18.059 s] 2.74 s (17.9%)
iast_GLOBAL 17.868 s [17.868 s, 17.868 s] 2.549 s (16.6%)
profiling 15.17 s [15.17 s, 15.17 s] -149.0 ms (-1.0%)
tracing 14.906 s [14.906 s, 14.906 s] -413.0 ms (-2.7%)
Execution time for tomcat
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.482 ms [1.47 ms, 1.493 ms] -
appsec 3.803 ms [3.581 ms, 4.025 ms] 2.321 ms (156.6%)
iast 2.265 ms [2.196 ms, 2.335 ms] 783.29 µs (52.9%)
iast_GLOBAL 2.305 ms [2.236 ms, 2.375 ms] 823.565 µs (55.6%)
profiling 2.102 ms [2.047 ms, 2.158 ms] 620.448 µs (41.9%)
tracing 2.068 ms [2.014 ms, 2.121 ms] 585.872 µs (39.5%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.486 ms [1.474 ms, 1.498 ms] -
appsec 3.825 ms [3.602 ms, 4.047 ms] 2.339 ms (157.4%)
iast 2.265 ms [2.196 ms, 2.334 ms] 778.972 µs (52.4%)
iast_GLOBAL 2.308 ms [2.239 ms, 2.377 ms] 822.168 µs (55.3%)
profiling 2.103 ms [2.047 ms, 2.158 ms] 616.625 µs (41.5%)
tracing 2.075 ms [2.021 ms, 2.128 ms] 588.513 µs (39.6%)

@jandro996 jandro996 marked this pull request as ready for review April 21, 2026 14:56
@jandro996 jandro996 requested a review from a team as a code owner April 21, 2026 14:56
@jandro996 jandro996 marked this pull request as draft April 21, 2026 14:57
@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 510fca6013

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61873-5-jersey-resteasy branch from 510fca6 to 8bec00f April 22, 2026 08:28
@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61873-5-jersey-resteasy branch from 635a97f to 21a5777 April 22, 2026 10:50
@jandro996 jandro996 marked this pull request as ready for review April 22, 2026 15:07
@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 21a57776c3

        continue;
      }
      String cd = cdHeaders.get(0);
      for (String token : cd.split(";")) {
P2: Parse quoted Content-Disposition filenames

For RESTEasy uploads where the client sends a valid quoted filename containing a semicolon, for example filename="report;.php", this split treats the semicolon inside the quoted string as a parameter separator and reports only "report to server.request.body.filenames. That corrupts the filename signal and can make filename-based AppSec rules miss the actual uploaded name; parse the Content-Disposition parameters while respecting quoted strings instead of splitting the raw header on every semicolon.
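The split-on-";" approach the PR description gives for RESTEasy and the quoted-string problem raised in the review above, side by side as an added example (not code from the PR or its project): naiveFilename reconstructs that approach, parseParams is a parameter parser that honours quoted strings, and the class name, method names and sample headers are assumptions of this example.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

public final class ContentDispositionFilename {
  // The approach the PR describes for RESTEasy: split on ';' and look for filename=.
  // A quoted value containing ';' is cut at that ';', so the closing quote is lost.
  static String naiveFilename(String cd) {
    for (String token : cd.split(";")) {
      String t = token.trim();
      if (t.regionMatches(true, 0, "filename=", 0, 9)) {
        String v = t.substring(9).trim();
        if (v.length() >= 2 && v.startsWith("\"") && v.endsWith("\"")) {
          v = v.substring(1, v.length() - 1);
        }
        return v;
      }
    }
    return null;
  }
  // Parses the parameters with the RFC 6266 / RFC 7230 grammar: inside a quoted-string
  // ';' and '=' are literal and '\' escapes the next char. Names are lower-cased and the
  // disposition type before the first ';' is skipped. "filename*" (RFC 5987) is not decoded.
  static Map<String, String> parseParams(String cd) {
    Map<String, String> params = new LinkedHashMap<>();
    int n = cd.length();
    int i = cd.indexOf(';');
    while (i >= 0 && i < n) {
      i++;                                                // step past ';'
      int eq = i;
      while (eq < n && cd.charAt(eq) != '=' && cd.charAt(eq) != ';') eq++;
      String name = cd.substring(i, eq).trim().toLowerCase(Locale.ROOT);
      if (eq >= n || cd.charAt(eq) == ';') {              // parameter without a value
        i = eq;
        continue;
      }
      int j = eq + 1;
      while (j < n && Character.isWhitespace(cd.charAt(j))) j++;
      StringBuilder value = new StringBuilder();
      if (j < n && cd.charAt(j) == '"') {                 // quoted-string
        j++;
        while (j < n && cd.charAt(j) != '"') {
          if (cd.charAt(j) == '\\' && j + 1 < n) j++;     // quoted-pair
          value.append(cd.charAt(j++));
        }
        i = j + 1;                                        // past the closing quote
        while (i < n && cd.charAt(i) != ';') i++;         // ignore junk before next ';'
      } else {                                            // bare token
        int end = j;
        while (end < n && cd.charAt(end) != ';') end++;
        value.append(cd, j, end);
        i = end;
      }
      if (!name.isEmpty() && !params.containsKey(name)) { // first occurrence wins
        params.put(name, value.toString().trim());
      }
    }
    return params;
  }
  // Filename to report for server.request.body.filenames, or null for a non-file part.
  static String filenameOf(String cd) {
    return parseParams(cd).get("filename");
  }
  public static void main(String[] args) {
    // Constructed sample headers; the first is the case raised in the Codex review.
    String cd = "form-data; name=\"upload\"; filename=\"report;.php\"";
    System.out.println("naive : " + naiveFilename(cd));
    System.out.println("parsed: " + filenameOf(cd));
    String cd2 = "form-data; attachment; name=f; filename=\"a\\\"b;c.txt\"";
    System.out.println("parsed: " + filenameOf(cd2));
    System.out.println("none  : " + filenameOf("form-data; name=\"field\""));
  }
}
```

Running main shows the naive split reporting the truncated value with a dangling quote for the first header while parseParams returns the full quoted name with the semicolon, and the second header exercises an escaped quote and a value-less parameter.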
