
Add server.request.body.filenames support for Undertow and Play#11174

Draft
jandro996 wants to merge 5 commits into master from alejandro.gonzalez/APPSEC-61873-4-undertow-play

Conversation

@jandro996
Member

What Does This Do

Instruments Undertow and Play multipart request handling to fire the requestFilesFilenames AppSec gateway event, enabling WAF rules that act on uploaded file names.

Undertow (undertow-2.0 instrumentation, applied to 2.0–2.2+):

The MultiPartParserDefinition$MultiPartUploadHandler.parseBlocking() exit advice already fires requestBodyProcessed via FormDataMap. This PR extends it to also fire requestFilesFilenames by iterating the parsed FormData and collecting values where getFileName() is non-null. The callback check is done before building the filenames list to avoid allocations on requests where the feature is inactive.

A secondary fix was required in FormDataMap: in undertow 2.0, FormValueImpl.isFile() returns true for all file uploads (they always go to disk). In undertow 2.2+, the FileItem abstraction was introduced to support in-memory storage below a threshold; isFile() now returns false for in-memory files even though value == null. The old !isFile() guard caused getValue() to throw IllegalStateException on every multipart request with small file attachments. Switching to getFileName() == null correctly identifies text fields regardless of undertow version.

Play 2.5 / 2.6 (play-appsec-2.5, play-appsec-2.6):

BodyParserHelpers.handleMultipartFormData() is the central point where Play assembles the body result. Both versions already call a handleMultipartBodyMap() helper; this PR adds a symmetric handleMultipartFilenames() that iterates data.files(), extracts FilePart.filename(), and fires the callback through executeFilenamesCallback() with blocking support. Play 2.6 uses the same approach compiled against the 2.6 API.

| Module | Change | Coverage |
|---|---|---|
| undertow-2.0 | MultiPartUploadHandlerInstrumentation + FormDataMap fix | Undertow 2.0–2.3+ |
| undertow-2.2 | tests only (uses undertow-2.0 instrumentation at runtime) | 2.2.14+ |
| play-appsec-2.5 | BodyParserHelpers.handleMultipartFilenames() | Play 2.5.x |
| play-appsec-2.6 | BodyParserHelpers.handleMultipartFilenames() | Play 2.6.x |

Motivation

Part of APPSEC-61873: server.request.body.filenames implementation across server frameworks.

Additional Notes

Depends on #10949 and #10973 (both merged into master).

Contributor Checklist
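The FormDataMap fix described above, shown as an added example that is not code from this PR or from dd-trace-java: a small walker over Undertow's parsed FormData that classifies parts with getFileName() rather than isFile(), so text fields and file parts are separated the same way on 2.0 (files always on disk) and on 2.2+ (small files kept in memory, where isFile() is false but getValue() still throws). The class name, the sample FormData and its filenames are constructed for illustration; the byte[] overload of FormData.add() used for the in-memory part is assumed to be the Undertow 2.2+ API, while the Path overload exists on 2.0 as well. One constructed filename is a traversal-style name of the kind a filename WAF rule would target.

```java
import io.undertow.server.handlers.form.FormData;
import io.undertow.util.HeaderMap;

import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Deque;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Separates text fields from file uploads in a parsed Undertow FormData using
 * FormValue.getFileName(). A file part always carries a filename, whether Undertow
 * stored its bytes on disk (2.0) or in memory (2.2+, below fileSizeThreshold).
 * FormValue.isFile() is false for the in-memory case on 2.2+, so guarding
 * getValue() with !isFile() lets it run on a file part and throw IllegalStateException.
 */
public final class MultipartWalker {

  /** Filenames of every uploaded part, in form order: the values a filename WAF rule sees. */
  public static List<String> collectFilenames(FormData form) {
    List<String> names = new ArrayList<>();
    for (String field : form) {                      // FormData iterates over field names
      Deque<FormData.FormValue> values = form.get(field);
      if (values == null) {
        continue;
      }
      for (FormData.FormValue v : values) {
        if (v.getFileName() != null) {               // file part, on disk or in memory
          names.add(v.getFileName());
        }
      }
    }
    return names;
  }

  /** Text fields only; file parts are skipped so getValue() is never called on them. */
  public static Map<String, List<String>> collectTextFields(FormData form) {
    Map<String, List<String>> out = new LinkedHashMap<>();
    for (String field : form) {
      for (FormData.FormValue v : form.get(field)) {
        if (v.getFileName() == null) {               // not !v.isFile(): false for in-memory uploads on 2.2+
          out.computeIfAbsent(field, k -> new ArrayList<>()).add(v.getValue());
        }
      }
    }
    return out;
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample (not a real request): one text field and two file parts,
    // one written to a temp file and one kept in memory, as the multipart parser would add them.
    FormData form = new FormData(10);
    HeaderMap noHeaders = new HeaderMap();
    form.add("comment", "hello", noHeaders);

    Path tmp = Files.createTempFile("upload", ".bin");
    form.add("attachment", tmp, "report.pdf", noHeaders);
    // Assumed Undertow 2.2+ overload: the part stays in memory and isFile() reports false for it.
    form.add("avatar", "tiny".getBytes(), "../../etc/passwd", noHeaders);

    System.out.println("filenames   = " + collectFilenames(form));
    System.out.println("text fields = " + collectTextFields(form));
    Files.deleteIfExists(tmp);
  }
}
```

Compile it against undertow-core 2.2.x to see both parts listed under filenames and only the comment under text fields; against 2.0.x drop the byte[] call, where every upload goes through the Path overload and getFileName() classifies it identically.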

jandro996 and others added 2 commits April 21, 2026 12:42
- Undertow: extract filenames from FormData attachments in MultiPartUploadHandlerInstrumentation
- Play 2.5/2.6: extract filenames from MultipartFormData.files() in BodyParserHelpers

Both implementations fire the requestFilesFilenames() IG event and support
blocking on malicious filenames.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
In undertow 2.2+, FormValueImpl.isFile() returns false for in-memory file uploads
(file size below fileSizeThreshold) because it checks fileItem.isInMemory(). Use
getFileName() to identify file uploads regardless of storage, which works across
all undertow versions. Also check the filenames callback before building the list
to avoid allocations on requests where the feature is inactive.
@jandro996 jandro996 added the labels `type: enhancement` (Enhancements and improvements) and `comp: asm waf` (Application Security Management (WAF)) on Apr 21, 2026
@jandro996
Member Author

@codex review


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f340ebfab9


…Undertow

Both callbacks are now fetched upfront; the method only returns early when both
are null. Previously an early return on requestBodyProcessed==null silently
skipped filename detection, breaking deployments with filename-only WAF rules.
@pr-commenter

pr-commenter Bot commented Apr 21, 2026

Benchmarks

Startup

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/APPSEC-61873-4-undertow-play |
| git_commit_date | 1776844785 | 1776854692 |
| git_commit_sha | c72f067 | d33f384 |
| release_version | 1.62.0-SNAPSHOT~c72f06780f | 1.62.0-SNAPSHOT~d33f38425a |

Matching parameters (identical for baseline and candidate)

| Parameter | Value |
|---|---|
| application | insecure-bank |
| ci_job_date | 1776856459 |
| ci_job_id | 1618961709 |
| ci_pipeline_id | 109000033 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-zfyrx7zua-project-304-concurrent-0-7ko6hhnr 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |
| module | Agent |
| parent | None |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 61 metrics, 10 unstable metrics.

Startup time reports for petclinic

(Chart: petclinic, global startup overhead, candidate=1.62.0-SNAPSHOT~d33f38425a, baseline=1.62.0-SNAPSHOT~c72f06780f; the plotted values are the Agent and Total durations in the tables below.)
Baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.059 s | - |
| Agent | appsec | 1.257 s | 197.982 ms (18.7%) |
| Agent | iast | 1.23 s | 170.824 ms (16.1%) |
| Agent | profiling | 1.186 s | 127.08 ms (12.0%) |
| Total | tracing | 11.108 s | - |
| Total | appsec | 10.906 s | -201.935 ms (-1.8%) |
| Total | iast | 11.313 s | 204.768 ms (1.8%) |
| Total | profiling | 11.075 s | -33.656 ms (-0.3%) |

Candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.06 s | - |
| Agent | appsec | 1.267 s | 207.147 ms (19.5%) |
| Agent | iast | 1.23 s | 170.319 ms (16.1%) |
| Agent | profiling | 1.193 s | 132.69 ms (12.5%) |
| Total | tracing | 11.009 s | - |
| Total | appsec | 10.974 s | -34.805 ms (-0.3%) |
| Total | iast | 11.281 s | 271.606 ms (2.5%) |
| Total | profiling | 11.001 s | -8.166 ms (-0.1%) |
Break down per module (petclinic; candidate=1.62.0-SNAPSHOT~d33f38425a, baseline=1.62.0-SNAPSHOT~c72f06780f)

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | crashtracking | 1.23 ms | 1.224 ms |
| tracing | BytebuddyAgent | 632.117 ms | 632.756 ms |
| tracing | AgentMeter | 29.573 ms | 29.593 ms |
| tracing | GlobalTracer | 249.088 ms | 249.532 ms |
| tracing | AppSec | 32.378 ms | 32.459 ms |
| tracing | Debugger | 60.064 ms | 59.785 ms |
| tracing | Remote Config | 598.558 µs | 604.534 µs |
| tracing | Telemetry | 8.802 ms | 8.039 ms |
| tracing | Flare Poller | 9.24 ms | 9.815 ms |
| appsec | crashtracking | 1.211 ms | 1.226 ms |
| appsec | BytebuddyAgent | 671.909 ms | 678.418 ms |
| appsec | AgentMeter | 12.151 ms | 12.204 ms |
| appsec | GlobalTracer | 247.926 ms | 249.694 ms |
| appsec | IAST | 24.225 ms | 24.217 ms |
| appsec | AppSec | 185.916 ms | 186.059 ms |
| appsec | Debugger | 65.782 ms | 66.789 ms |
| appsec | Remote Config | 567.335 µs | 566.85 µs |
| appsec | Telemetry | 7.881 ms | 7.899 ms |
| appsec | Flare Poller | 3.473 ms | 3.463 ms |
| iast | crashtracking | 1.225 ms | 1.217 ms |
| iast | BytebuddyAgent | 806.987 ms | 808.394 ms |
| iast | AgentMeter | 11.396 ms | 11.397 ms |
| iast | GlobalTracer | 238.344 ms | 238.983 ms |
| iast | IAST | 28.235 ms | 30.795 ms |
| iast | AppSec | 28.89 ms | 27.379 ms |
| iast | Debugger | 67.087 ms | 64.453 ms |
| iast | Remote Config | 540.863 µs | 528.483 µs |
| iast | Telemetry | 7.919 ms | 7.769 ms |
| iast | Flare Poller | 3.439 ms | 3.385 ms |
| profiling | crashtracking | 1.188 ms | 1.194 ms |
| profiling | BytebuddyAgent | 691.772 ms | 697.171 ms |
| profiling | AgentMeter | 9.239 ms | 9.268 ms |
| profiling | GlobalTracer | 207.497 ms | 208.306 ms |
| profiling | AppSec | 32.877 ms | 33.158 ms |
| profiling | Debugger | 66.191 ms | 66.052 ms |
| profiling | Remote Config | 580.743 µs | 619.362 µs |
| profiling | Telemetry | 7.902 ms | 7.984 ms |
| profiling | Flare Poller | 3.586 ms | 3.636 ms |
| profiling | ProfilingAgent | 94.152 ms | 93.758 ms |
| profiling | Profiling | 94.716 ms | 94.313 ms |
Startup time reports for insecure-bank

(Chart: insecure-bank, global startup overhead, candidate=1.62.0-SNAPSHOT~d33f38425a, baseline=1.62.0-SNAPSHOT~c72f06780f; the plotted values are the Agent and Total durations in the tables below.)
Baseline results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.059 s | - |
| Agent | iast | 1.228 s | 169.089 ms (16.0%) |
| Total | tracing | 8.837 s | - |
| Total | iast | 9.528 s | 691.181 ms (7.8%) |

Candidate results

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.06 s | - |
| Agent | iast | 1.227 s | 167.489 ms (15.8%) |
| Total | tracing | 8.819 s | - |
| Total | iast | 9.577 s | 757.291 ms (8.6%) |
Break down per module (insecure-bank; candidate=1.62.0-SNAPSHOT~d33f38425a, baseline=1.62.0-SNAPSHOT~c72f06780f)

| Variant | Module | Baseline | Candidate |
|---|---|---|---|
| tracing | crashtracking | 1.229 ms | 1.227 ms |
| tracing | BytebuddyAgent | 633.98 ms | 636.473 ms |
| tracing | AgentMeter | 29.521 ms | 29.731 ms |
| tracing | GlobalTracer | 249.341 ms | 250.24 ms |
| tracing | AppSec | 32.439 ms | 32.581 ms |
| tracing | Debugger | 59.158 ms | 59.171 ms |
| tracing | Remote Config | 589.017 µs | 589.228 µs |
| tracing | Telemetry | 8.013 ms | 8.0 ms |
| tracing | Flare Poller | 8.258 ms | 5.786 ms |
| iast | crashtracking | 1.241 ms | 1.227 ms |
| iast | BytebuddyAgent | 806.476 ms | 808.145 ms |
| iast | AgentMeter | 11.351 ms | 11.404 ms |
| iast | GlobalTracer | 238.579 ms | 237.87 ms |
| iast | IAST | 29.229 ms | 31.712 ms |
| iast | AppSec | 28.427 ms | 27.086 ms |
| iast | Debugger | 64.684 ms | 62.541 ms |
| iast | Remote Config | 531.742 µs | 531.056 µs |
| iast | Telemetry | 7.76 ms | 7.63 ms |
| iast | Flare Poller | 3.45 ms | 3.449 ms |

Load

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/APPSEC-61873-4-undertow-play |
| git_commit_date | 1776844785 | 1776854692 |
| git_commit_sha | c72f067 | d33f384 |
| release_version | 1.62.0-SNAPSHOT~c72f06780f | 1.62.0-SNAPSHOT~d33f38425a |

Matching parameters (identical for baseline and candidate)

| Parameter | Value |
|---|---|
| application | insecure-bank |
| ci_job_date | 1776856852 |
| ci_job_id | 1618961711 |
| ci_pipeline_id | 109000033 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-zfyrx7zua-project-304-concurrent-0-stwu4wfp 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |

Summary

Found 3 performance improvements and 4 performance regressions! Performance is the same for 14 metrics, 15 unstable metrics.

p50 and p95 below are agg_http_req_duration_p50 and agg_http_req_duration_p95; each Δ cell gives the verdict followed by the absolute and relative confidence intervals.

| Scenario | Δ mean p50 | Δ mean p95 | Δ mean throughput | Candidate p50 / p95 / throughput | Baseline p50 / p95 / throughput |
|---|---|---|---|---|---|
| scenario:load:insecure-bank:profiling:high_load | worse: [+50.119µs; +217.751µs] or [+2.799%; +12.161%] | unstable: [+76.223µs; +944.880µs] or [+1.423%; +17.637%] | unstable: [-423.878op/s; +56.191op/s] or [-21.042%; +2.789%] | 1.925ms / 5.868ms / 1830.562op/s | 1.791ms / 5.357ms / 2014.406op/s |
| scenario:load:insecure-bank:iast:high_load | worse: [+116.734µs; +243.625µs] or [+4.617%; +9.635%] | unsure: [+25.353µs; +712.243µs] or [+0.338%; +9.485%] | unstable: [-231.970op/s; +87.595op/s] or [-16.685%; +6.300%] | 2.709ms / 7.878ms / 1318.125op/s | 2.528ms / 7.510ms / 1390.312op/s |
| scenario:load:insecure-bank:iast_GLOBAL:high_load | worse: [+125.340µs; +255.103µs] or [+4.404%; +8.964%] | unsure: [+154.759µs; +584.733µs] or [+1.916%; +7.237%] | unstable: [-213.310op/s; +64.810op/s] or [-16.771%; +5.096%] | 3.036ms / 8.449ms / 1197.656op/s | 2.846ms / 8.079ms / 1271.906op/s |
| scenario:load:insecure-bank:iast_FULL:high_load | worse: [+161.904µs; +355.536µs] or [+3.057%; +6.714%] | same: [-17.947µs; +719.667µs] or [-0.142%; +5.708%] | unstable: [-115.286op/s; +48.723op/s] or [-14.786%; +6.249%] | 5.554ms / 12.959ms / 746.438op/s | 5.295ms / 12.608ms / 779.719op/s |
| scenario:load:petclinic:appsec:high_load | better: [-1.740ms; -0.740ms] or [-8.876%; -3.774%] | better: [-2.241ms; -0.763ms] or [-7.153%; -2.435%] | unstable: [-11.869op/s; +40.682op/s] or [-5.047%; +17.300%] | 18.363ms / 29.829ms / 249.562op/s | 19.602ms / 31.331ms / 235.156op/s |
| scenario:load:petclinic:profiling:high_load | better: [-1422.291µs; -531.851µs] or [-7.478%; -2.796%] | same: [-1815.480µs; +76.468µs] or [-5.988%; +0.252%] | unstable: [-15.625op/s; +37.812op/s] or [-6.466%; +15.647%] | 18.043ms / 29.449ms / 252.750op/s | 19.020ms / 30.319ms / 241.656op/s |
Request duration reports for insecure-bank

(Chart: insecure-bank, request duration [CI 0.99], candidate=1.62.0-SNAPSHOT~d33f38425a, baseline=1.62.0-SNAPSHOT~c72f06780f; the plotted values are in the tables below.)
Baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.287 ms [1.275 ms, 1.3 ms] | - |
| iast | 3.292 ms [3.245 ms, 3.339 ms] | 2.005 ms (155.7%) |
| iast_FULL | 5.927 ms [5.867 ms, 5.986 ms] | 4.639 ms (360.4%) |
| iast_GLOBAL | 3.617 ms [3.558 ms, 3.677 ms] | 2.33 ms (181.0%) |
| profiling | 2.248 ms [2.227 ms, 2.27 ms] | 961.151 µs (74.7%) |
| tracing | 1.994 ms [1.976 ms, 2.012 ms] | 706.474 µs (54.9%) |

Candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.237 ms [1.225 ms, 1.249 ms] | - |
| iast | 3.476 ms [3.422 ms, 3.53 ms] | 2.239 ms (181.0%) |
| iast_FULL | 6.197 ms [6.135 ms, 6.26 ms] | 4.96 ms (401.0%) |
| iast_GLOBAL | 3.833 ms [3.767 ms, 3.899 ms] | 2.596 ms (209.9%) |
| profiling | 2.481 ms [2.455 ms, 2.508 ms] | 1.245 ms (100.6%) |
| tracing | 1.9 ms [1.883 ms, 1.916 ms] | 663.069 µs (53.6%) |
Request duration reports for petclinic

(Chart: petclinic, request duration [CI 0.99], candidate=1.62.0-SNAPSHOT~d33f38425a, baseline=1.62.0-SNAPSHOT~c72f06780f; the plotted values are in the tables below.)
Baseline results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 18.142 ms [17.959 ms, 18.325 ms] | - |
| appsec | 19.858 ms [19.652 ms, 20.064 ms] | 1.716 ms (9.5%) |
| code_origins | 17.958 ms [17.78 ms, 18.136 ms] | -184.292 µs (-1.0%) |
| iast | 18.132 ms [17.952 ms, 18.312 ms] | -10.022 µs (-0.1%) |
| profiling | 19.314 ms [19.121 ms, 19.507 ms] | 1.172 ms (6.5%) |
| tracing | 17.811 ms [17.636 ms, 17.986 ms] | -330.677 µs (-1.8%) |

Candidate results

| Variant | Request duration [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 18.185 ms [18.003 ms, 18.367 ms] | - |
| appsec | 18.7 ms [18.512 ms, 18.888 ms] | 514.664 µs (2.8%) |
| code_origins | 18.289 ms [18.109 ms, 18.47 ms] | 104.228 µs (0.6%) |
| iast | 18.029 ms [17.852 ms, 18.205 ms] | -156.669 µs (-0.9%) |
| profiling | 18.463 ms [18.28 ms, 18.646 ms] | 277.579 µs (1.5%) |
| tracing | 17.915 ms [17.734 ms, 18.096 ms] | -269.844 µs (-1.5%) |

Dacapo

Parameters

| | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/APPSEC-61873-4-undertow-play |
| git_commit_date | 1776844785 | 1776854692 |
| git_commit_sha | c72f067 | d33f384 |
| release_version | 1.62.0-SNAPSHOT~c72f06780f | 1.62.0-SNAPSHOT~d33f38425a |

Matching parameters (identical for baseline and candidate)

| Parameter | Value |
|---|---|
| application | biojava |
| ci_job_date | 1776856658 |
| ci_job_id | 1618961713 |
| ci_pipeline_id | 109000033 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-zfyrx7zua-project-304-concurrent-0-jzwh2w1h 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for tomcat

(Chart: tomcat, execution time [CI 0.99], candidate=1.62.0-SNAPSHOT~d33f38425a, baseline=1.62.0-SNAPSHOT~c72f06780f; the plotted values are in the tables below.)
Baseline results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.495 ms [1.483 ms, 1.507 ms] | - |
| appsec | 2.546 ms [2.491 ms, 2.601 ms] | 1.051 ms (70.3%) |
| iast | 2.278 ms [2.209 ms, 2.348 ms] | 783.538 µs (52.4%) |
| iast_GLOBAL | 2.325 ms [2.255 ms, 2.395 ms] | 830.501 µs (55.6%) |
| profiling | 2.114 ms [2.059 ms, 2.17 ms] | 619.474 µs (41.4%) |
| tracing | 2.104 ms [2.05 ms, 2.158 ms] | 609.405 µs (40.8%) |

Candidate results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.492 ms [1.48 ms, 1.504 ms] | - |
| appsec | 3.86 ms [3.637 ms, 4.084 ms] | 2.368 ms (158.7%) |
| iast | 2.294 ms [2.225 ms, 2.364 ms] | 802.403 µs (53.8%) |
| iast_GLOBAL | 2.334 ms [2.264 ms, 2.405 ms] | 842.468 µs (56.5%) |
| profiling | 2.113 ms [2.058 ms, 2.168 ms] | 621.117 µs (41.6%) |
| tracing | 2.089 ms [2.035 ms, 2.143 ms] | 597.224 µs (40.0%) |
Execution time for biojava

(Chart: biojava, execution time [CI 0.99], candidate=1.62.0-SNAPSHOT~d33f38425a, baseline=1.62.0-SNAPSHOT~c72f06780f; the plotted values are in the tables below.)
Baseline results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 15.707 s [15.707 s, 15.707 s] | - |
| appsec | 14.376 s [14.376 s, 14.376 s] | -1.331 s (-8.5%) |
| iast | 19.214 s [19.214 s, 19.214 s] | 3.507 s (22.3%) |
| iast_GLOBAL | 18.069 s [18.069 s, 18.069 s] | 2.362 s (15.0%) |
| profiling | 15.073 s [15.073 s, 15.073 s] | -634.0 ms (-4.0%) |
| tracing | 15.029 s [15.029 s, 15.029 s] | -678.0 ms (-4.3%) |

Candidate results

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 14.878 s [14.878 s, 14.878 s] | - |
| appsec | 14.953 s [14.953 s, 14.953 s] | 75.0 ms (0.5%) |
| iast | 18.314 s [18.314 s, 18.314 s] | 3.436 s (23.1%) |
| iast_GLOBAL | 17.982 s [17.982 s, 17.982 s] | 3.104 s (20.9%) |
| profiling | 14.567 s [14.567 s, 14.567 s] | -311.0 ms (-2.1%) |
| tracing | 14.945 s [14.945 s, 14.945 s] | 67.0 ms (0.5%) |

…port

Use reflection to invoke MultipartFormData.files() so the bytecode does not
embed a hard reference to the Scala 2.11/2.12 return type
(Lscala/collection/Seq;). In Scala 2.13 (Play 2.7+) the method returns
scala.collection.immutable.Seq, causing muzzle to disable the entire
PlayBodyParsersInstrumentation and breaking all body-parsing features.

Also enable testBodyFilenames() in Play 2.5/2.6/2.7 test suites.
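The reflective call that the commit above describes, and the Play-side filename extraction from the PR description, shown together as an added example that is not the PR's own code: a helper that reads FilePart.filename() from a Scala-API MultipartFormData through Method.invoke(), so the compiled class carries no files() method descriptor and links on Scala 2.11/2.12 and 2.13 alike. The class name PlayFilenames and the choice to return an empty list when the reflective call fails are assumptions for illustration; the two descriptors in the comment are the scala.collection.Seq and scala.collection.immutable.Seq return types the commit message names.

```java
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;

import play.api.mvc.MultipartFormData;

/**
 * Collects upload filenames from a Play MultipartFormData (Scala API) without a
 * compiled call to files(). A direct call bakes the full method descriptor,
 * return type included, into this class's bytecode:
 *   Play 2.5/2.6 (Scala 2.11/2.12):  files()Lscala/collection/Seq;
 *   Play 2.7+    (Scala 2.13):       files()Lscala/collection/immutable/Seq;
 * Those descriptors differ, so a class compiled against one cannot link against
 * the other. Method.invoke() erases the return type to Object, and the result is
 * walked through scala.collection.Iterable, a supertype of both Seq flavours
 * that is present unchanged in all three Scala versions.
 */
public final class PlayFilenames {

  private static final Method FILES;

  static {
    try {
      // Looked up by name: only the string "files" ends up in the constant pool.
      FILES = MultipartFormData.class.getMethod("files");
    } catch (NoSuchMethodException e) {
      throw new ExceptionInInitializerError(e);
    }
  }

  /** Filenames of every FilePart in the body, in the order Play parsed them. */
  public static List<String> filenames(MultipartFormData<?> data) {
    List<String> out = new ArrayList<>();
    Object files;
    try {
      files = FILES.invoke(data);
    } catch (ReflectiveOperationException e) {
      // Assumed policy for this example: treat a failed lookup as "no filenames" rather than
      // failing the request; an instrumentation would log and carry on the same way.
      return out;
    }
    // Cast to the common supertype rather than either Seq type.
    scala.collection.Iterator<?> it = ((scala.collection.Iterable<?>) files).iterator();
    while (it.hasNext()) {
      Object part = it.next();
      if (part instanceof MultipartFormData.FilePart) {
        out.add(((MultipartFormData.FilePart<?>) part).filename());
      }
    }
    return out;
  }
}
```

To confirm the property the commit relies on, run javap -c on a class that calls data.files() directly and on this one: the former shows an invokevirtual with the Seq return type in its descriptor, the latter only the invokevirtual on java.lang.reflect.Method.invoke and a checkcast to scala/collection/Iterable.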