
Add server.request.body.filenames AppSec address for Akka HTTP, Jersey, and Grizzly#11173

Open
jandro996 wants to merge 1 commit into master from alejandro.gonzalez/APPSEC-61873-6-akka

Conversation

@jandro996
Member

@jandro996 jandro996 commented Apr 21, 2026

What Does This Do

Akka HTTP 10.0 / 10.6

  • UnmarshallerHelpers.handleMultipartStrictFormData(): extracts filenames from Multipart.FormData.BodyPart.Strict via getFilename() and fires the requestFilesFilenames IG callback. Blocking is supported via AkkaBlockResponseFunction.
  • UnmarshallerHelpers.handleStrictFormData(): adds the same filename extraction for the formFieldMultiMap path, which goes through StrictFormCompanionInstrumentation and never reached handleMultipartStrictFormData.

Jersey 2.0 / 3.0 (covers Grizzly)

  • MultiPartReaderServerSideInstrumentation: extracts filenames from FormDataBodyPart.getContentDisposition().getFileName() and fires requestFilesFilenames after requestBodyProcessed. Grizzly uses Jersey's multipart reader, so this path covers both frameworks.

Motivation

Implements the server.request.body.filenames WAF address for the remaining server frameworks not yet covered: Akka HTTP and Grizzly (via Jersey's multipart reader).

Jira ticket: APPSEC-61873

Additional Notes

The requestBodyProcessed / requestFilesFilenames decoupling fix mirrors commit 870da2ffa5 which applied the same fix to Undertow. Both callbacks map to independent WAF addresses in GatewayBridge.DATA_DEPENDENCIES.

Contributor Checklist

Note: Once your PR is ready to merge, add it to the merge queue by commenting /merge. /merge -c cancels the queue request. /merge -f --reason "reason" skips all merge queue checks; please use this judiciously, as some checks do not run at the PR-level. For more information, see this doc.

@jandro996 jandro996 added the labels type: enhancement (Enhancements and improvements) and comp: asm waf (Application Security Management (WAF)) on Apr 21, 2026
@jandro996
Member Author

@codex review


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 89592b09a8


@pr-commenter

pr-commenter Bot commented Apr 21, 2026

Benchmarks

Startup

Parameters

                       Baseline                      Candidate
baseline_or_candidate  baseline                      candidate
git_branch             master                        alejandro.gonzalez/APPSEC-61873-6-akka
git_commit_date        1776642285                    1776854053
git_commit_sha         081af53                       3ee4e5e
release_version        1.62.0-SNAPSHOT~081af53226    1.62.0-SNAPSHOT~3ee4e5e1a6
application            insecure-bank                 insecure-bank
ci_job_date            1776855938                    1776855938
ci_job_id              1618930239                    1618930239
ci_pipeline_id         108998201                     108998201
cpu_model              Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz (same for both)
kernel_version         Linux runner-zfyrx7zua-project-304-concurrent-0-7jfgoy5z 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux (same for both)
module                 Agent                         Agent
parent                 None                          None

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 64 metrics, 7 unstable metrics.

Startup time reports for petclinic
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.058 s -
Agent appsec 1.252 s 193.492 ms (18.3%)
Agent iast 1.227 s 168.36 ms (15.9%)
Agent profiling 1.193 s 135.239 ms (12.8%)
Total tracing 11.084 s -
Total appsec 10.99 s -94.315 ms (-0.9%)
Total iast 11.366 s 281.749 ms (2.5%)
Total profiling 11.12 s 35.211 ms (0.3%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.073 s -
Agent appsec 1.25 s 176.44 ms (16.4%)
Agent iast 1.234 s 161.018 ms (15.0%)
Agent profiling 1.193 s 119.477 ms (11.1%)
Total tracing 11.138 s -
Total appsec 11.13 s -7.08 ms (-0.1%)
Total iast 11.309 s 171.571 ms (1.5%)
Total profiling 10.986 s -151.52 ms (-1.4%)
Startup time reports for insecure-bank
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.055 s -
Agent iast 1.226 s 171.526 ms (16.3%)
Total tracing 8.853 s -
Total iast 9.581 s 727.444 ms (8.2%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.053 s -
Agent iast 1.222 s 168.542 ms (16.0%)
Total tracing 8.828 s -
Total iast 9.567 s 739.601 ms (8.4%)

Load


Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 19 metrics, 17 unstable metrics.

Request duration reports for petclinic
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 19.021 ms [18.826 ms, 19.216 ms] -
appsec 18.823 ms [18.631 ms, 19.014 ms] -198.592 µs (-1.0%)
code_origins 17.714 ms [17.536 ms, 17.891 ms] -1.308 ms (-6.9%)
iast 17.763 ms [17.588 ms, 17.938 ms] -1.258 ms (-6.6%)
profiling 18.693 ms [18.502 ms, 18.884 ms] -327.934 µs (-1.7%)
tracing 17.789 ms [17.614 ms, 17.964 ms] -1.232 ms (-6.5%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 19.217 ms [19.016 ms, 19.417 ms] -
appsec 18.422 ms [18.235 ms, 18.608 ms] -794.985 µs (-4.1%)
code_origins 17.793 ms [17.621 ms, 17.965 ms] -1.424 ms (-7.4%)
iast 17.762 ms [17.589 ms, 17.935 ms] -1.455 ms (-7.6%)
profiling 18.127 ms [17.947 ms, 18.306 ms] -1.09 ms (-5.7%)
tracing 17.878 ms [17.701 ms, 18.055 ms] -1.339 ms (-7.0%)
Request duration reports for insecure-bank
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.25 ms [1.239 ms, 1.262 ms] -
iast 3.318 ms [3.27 ms, 3.366 ms] 2.067 ms (165.3%)
iast_FULL 6.027 ms [5.966 ms, 6.088 ms] 4.776 ms (382.0%)
iast_GLOBAL 3.762 ms [3.702 ms, 3.822 ms] 2.511 ms (200.8%)
profiling 1.971 ms [1.955 ms, 1.987 ms] 720.582 µs (57.6%)
tracing 1.916 ms [1.9 ms, 1.931 ms] 665.205 µs (53.2%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.241 ms [1.229 ms, 1.253 ms] -
iast 3.278 ms [3.237 ms, 3.32 ms] 2.037 ms (164.2%)
iast_FULL 6.016 ms [5.955 ms, 6.077 ms] 4.775 ms (384.7%)
iast_GLOBAL 3.745 ms [3.681 ms, 3.809 ms] 2.504 ms (201.8%)
profiling 2.093 ms [2.074 ms, 2.112 ms] 851.705 µs (68.6%)
tracing 1.898 ms [1.881 ms, 1.915 ms] 656.831 µs (52.9%)

Dacapo


Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for tomcat
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.493 ms [1.481 ms, 1.505 ms] -
appsec 2.551 ms [2.495 ms, 2.606 ms] 1.058 ms (70.9%)
iast 2.281 ms [2.211 ms, 2.35 ms] 787.706 µs (52.8%)
iast_GLOBAL 2.323 ms [2.253 ms, 2.393 ms] 829.978 µs (55.6%)
profiling 2.102 ms [2.047 ms, 2.158 ms] 609.446 µs (40.8%)
tracing 2.091 ms [2.037 ms, 2.145 ms] 597.867 µs (40.0%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.488 ms [1.476 ms, 1.499 ms] -
appsec 3.866 ms [3.643 ms, 4.09 ms] 2.379 ms (159.9%)
iast 2.284 ms [2.214 ms, 2.354 ms] 796.15 µs (53.5%)
iast_GLOBAL 2.325 ms [2.255 ms, 2.395 ms] 837.363 µs (56.3%)
profiling 2.11 ms [2.054 ms, 2.165 ms] 621.819 µs (41.8%)
tracing 2.096 ms [2.042 ms, 2.15 ms] 608.232 µs (40.9%)
Execution time for biojava
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 14.799 s [14.799 s, 14.799 s] -
appsec 14.815 s [14.815 s, 14.815 s] 16.0 ms (0.1%)
iast 18.298 s [18.298 s, 18.298 s] 3.499 s (23.6%)
iast_GLOBAL 17.811 s [17.811 s, 17.811 s] 3.012 s (20.4%)
profiling 14.957 s [14.957 s, 14.957 s] 158.0 ms (1.1%)
tracing 14.864 s [14.864 s, 14.864 s] 65.0 ms (0.4%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.128 s [15.128 s, 15.128 s] -
appsec 14.682 s [14.682 s, 14.682 s] -446.0 ms (-2.9%)
iast 18.363 s [18.363 s, 18.363 s] 3.235 s (21.4%)
iast_GLOBAL 17.888 s [17.888 s, 17.888 s] 2.76 s (18.2%)
profiling 14.819 s [14.819 s, 14.819 s] -309.0 ms (-2.0%)
tracing 15.16 s [15.16 s, 15.16 s] 32.0 ms (0.2%)

…Grizzly

- Akka HTTP 10.0/10.6: extract filenames in handleMultipartStrictFormData()
  via getFilename() on BodyPart.Strict and fire requestFilesFilenames callback.
  Also covers the formFieldMultiMap path via handleStrictFormData().
- Jersey 2.0/3.0 (MultiPartReaderServerSideInstrumentation): extract filenames
  from FormDataBodyPart.getContentDisposition().getFileName() and fire
  requestFilesFilenames after requestBodyProcessed. Grizzly uses this path.
- Decouple requestBodyProcessed and requestFilesFilenames callbacks in Jersey
  and Akka handleMultipartStrictFormData: fetch both upfront, return early only
  if both are null. Previously an early return on requestBodyProcessed==null
  silently skipped filename detection, breaking deployments with filename-only
  WAF rules (same fix already applied to Undertow).
- Merge the two iterations over strictParts in handleMultipartStrictFormData
  into a single loop.
- Add null guard for getContentDisposition() in Jersey before calling
  getFileName().
- Enable testBodyFilenames() in Akka, Grizzly, Spring Boot, and Jersey3Jetty
  test suites.
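As an added illustration of the callback decoupling described in the PR's Additional Notes and in the commit message above (example code, not dd-trace-java's own; the callback interfaces, Part and Outcome types are hypothetical stand-ins for the agent's Instrumentation Gateway, and Part carries only the two values the PR reads from Jersey's FormDataBodyPart), the pre-fix early return beside the fixed dispatch, with the Content-Disposition null guard:

```java
import java.util.ArrayList;
import java.util.List;

public final class MultipartFilenameDispatch {

    /** A multipart part. contentDisposition may be null (header absent); fileName may be
     *  null (an ordinary form field rather than a file upload). Hypothetical model. */
    public record Part(String name, String contentDisposition, String fileName) {}

    /** Hypothetical IG callbacks; either is null when no WAF rule subscribes to that address. */
    public interface BodyProcessedCallback { void onBody(List<Part> parts); }
    public interface FilesFilenamesCallback { void onFilenames(List<String> filenames); }

    /** What actually reached the WAF during one dispatch. */
    public record Outcome(boolean bodyDelivered, List<String> filenamesDelivered) {}

    /** Filename extraction with the null guard the PR adds: skip parts that carry no
     *  Content-Disposition at all, and parts whose disposition has no filename. */
    public static List<String> extractFilenames(List<Part> parts) {
        List<String> names = new ArrayList<>();
        for (Part p : parts) {
            if (p.contentDisposition() == null) continue;   // guard before reading the filename
            if (p.fileName() != null) names.add(p.fileName());
        }
        return names;
    }

    /** Pre-fix shape: a null body callback returns early, so filenames are never collected
     *  even though a filename-only WAF rule is subscribed. */
    public static Outcome dispatchBefore(BodyProcessedCallback body, FilesFilenamesCallback files,
                                         List<Part> parts) {
        if (body == null) {
            return new Outcome(false, List.of());
        }
        body.onBody(parts);
        List<String> names = extractFilenames(parts);
        if (files != null) files.onFilenames(names);
        return new Outcome(true, files == null ? List.of() : names);
    }

    /** Fixed shape: fetch both callbacks up front, return early only if both are null, and
     *  fire each independently because they map to independent WAF addresses. */
    public static Outcome dispatchAfter(BodyProcessedCallback body, FilesFilenamesCallback files,
                                        List<Part> parts) {
        if (body == null && files == null) {
            return new Outcome(false, List.of());
        }
        if (body != null) body.onBody(parts);
        List<String> names = List.of();
        if (files != null) {
            names = extractFilenames(parts);
            files.onFilenames(names);
        }
        return new Outcome(body != null, names);
    }

    public static void main(String[] args) {
        // Constructed sample upload: a file part, a plain field, and a part with no disposition.
        List<Part> parts = List.of(
            new Part("avatar", "form-data; name=\"avatar\"; filename=\"photo.jpg\"", "photo.jpg"),
            new Part("comment", "form-data; name=\"comment\"", null),
            new Part("raw", null, null));
        FilesFilenamesCallback filenameRule = names -> System.out.println("WAF filenames: " + names);
        // Deployment with filename-only WAF rules: nothing subscribes to requestBodyProcessed.
        System.out.println("before fix: " + dispatchBefore(null, filenameRule, parts));
        System.out.println("after fix:  " + dispatchAfter(null, filenameRule, parts));
    }
}
```

With only the filename callback subscribed, the pre-fix dispatch reports no filenames delivered, while the fixed one delivers ["photo.jpg"] and skips the disposition-less part without a null dereference.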
@jandro996 jandro996 force-pushed the alejandro.gonzalez/APPSEC-61873-6-akka branch from 77765ec to 3ee4e5e on April 22, 2026 10:35
@jandro996 jandro996 changed the title Add server.request.body.filenames support for Akka HTTP, Grizzly, and Spring Boot Add server.request.body.filenames AppSec address for Akka HTTP, Jersey, and Grizzly Apr 22, 2026
@jandro996 jandro996 marked this pull request as ready for review April 22, 2026 11:01
@jandro996 jandro996 requested review from a team as code owners April 22, 2026 11:01