Skip to content

Add server.request.body.filenames AppSec address for Vert.x 3.4, 4.0 and 5.0#11268

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 14 commits into
masterfrom
alejandro.gonzalez/APPSEC-61873-vertx
Jun 4, 2026
Merged

Add server.request.body.filenames AppSec address for Vert.x 3.4, 4.0 and 5.0#11268
gh-worker-dd-mergequeue-cf854d[bot] merged 14 commits into
masterfrom
alejandro.gonzalez/APPSEC-61873-vertx

Conversation

@jandro996

@jandro996 jandro996 commented May 4, 2026

Copy link
Copy Markdown
Member

What Does This Do

Instruments RoutingContextImpl.fileUploads() in the Vert.x Web 3.4, 4.0 and 5.0 modules to fire the server.request.body.filenames AppSec IG event, enabling WAF-level detection and blocking on uploaded file names.

New callsites

  • vertx-web-3.4: new RoutingContextFilenamesAdvice (returns Set<FileUpload>), wired in RoutingContextImplInstrumentation
  • vertx-web-4.0: new RoutingContextFilenamesAdvice (returns Collection<FileUpload> to cover both Set in 4.0.x and List in 4.5.x+), wired in RoutingContextImplInstrumentation
  • vertx-web-5.0: new RoutingContextFilenamesAdvice (returns List<FileUpload>) + new RoutingContextImplInstrumentation

All three advice classes use FileUpload.class as the CallDepthThreadLocalMap key (public interface, avoids IllegalAccessError when ByteBuddy inlines the advice into RoutingContextImpl).

Test server fixes

All four VertxTestServer variants (3.4, 4.0/test, 4.0/latestDep, 5.0) had a broken BODY_MULTIPART handler that used setExpectMultipart(true) + an async endHandler, bypassing BodyHandler. This prevented fileUploads() from ever being populated. Replaced with:

  1. BodyHandler.create() registered as a prior handler on the same route
  2. A synchronous handler that calls ctx.fileUploads() before convertFormAttributes(ctx)

testBodyMultipart() continues to pass because BodyHandler also populates formAttributes().

Added .gitignore files in each module root to suppress the file-uploads/ temporary directories that BodyHandler.create() creates on disk during test execution.

NettyMultipartHelper fix

Vert.x's internal NettyFileUpload throws UnsupportedOperationException from getHttpDataType(). Added a try-catch to skip such items silently - they are handled by Vert.x's own instrumentation. Without the fix, the exception was swallowed by ByteBuddy's suppress = Throwable.class but incremented INSTRUMENTATION_ERROR_COUNT, causing the Vert.x 5.0 integration tests to fail with "1 instrumentation error". Coverage is provided by the Vert.x 5.0 forked tests in this PR.

vertx-rx-3.5 fix

VertxRxCircuitBreakerHttpServerForkedTest extends VertxHttpServerForkedTest (vertx-web-3.4) and inherited the new testBodyFilenames() { true } override. Its internal test server (VertxRxCircuitBreakerWebTestServer) uses the legacy expectMultipart + endHandler pattern without BodyHandler or fileUploads(), so the filename tag is never emitted. Added an explicit testBodyFilenames() { false } override, consistent with the existing testBodyJson(), testRequestBody(), and testSessionId() overrides in the same class.

Motivation

solves APPSEC-61873 (partial - Vert.x coverage)

Additional Notes

Double-instrumentation in 5.0 tests: the vertx-web-5.0 test module includes vertx-web-4.0 as testImplementation, so both RoutingContextImplInstrumentation classes are applied in the same test run. Using Collection<FileUpload> in the 4.0 advice (instead of Set<FileUpload>) was necessary to avoid a ByteBuddy type-mismatch error when Vert.x 4.5.x+ changed the return type of fileUploads() from Set to List. Once the type error was gone, both advices coexist correctly via the shared CallDepthThreadLocalMap key.

Static reflection pattern: FILE_UPLOAD_REF is defined as a static final Reference in each RoutingContextImplInstrumentation (not a VertxVersionMatcher constant) because it is only needed by that single class. The 5.0 instrumentation uses HTTP_HEADERS_INTERNAL (io.vertx.core.internal.http.HttpHeadersInternal, absent in 4.x) as the version discriminator to prevent the 5.0 advice from applying to Vert.x 4.x classloaders.

JVM constraint: vertx-web-3.4 and vertx-web-4.0 default test set maxJavaVersion = VERSION_15; tests must be run with -PtestJvm=11 via forkedTest (not test).

Contributor Checklist

Jira ticket: APPSEC-61873

Note: Once your PR is ready to merge, add it to the merge queue by commenting /merge. /merge -c cancels the queue request. /merge -f --reason "reason" skips all merge queue checks; please use this judiciously, as some checks do not run at the PR-level. For more information, see this doc.

jandro996 added 3 commits May 4, 2026 15:47
…and 5.0

Instruments RoutingContextImpl.fileUploads() in vertx-web-3.4, vertx-web-4.0
and vertx-web-5.0 to fire EVENTS.requestFilesFilenames() with the list of
uploaded filenames, enabling WAF-level blocking on malicious file names.
@datadog-official

This comment has been minimized.

@jandro996

Copy link
Copy Markdown
Member Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Delightful!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

jandro996 added 6 commits May 21, 2026 12:56
…mp dirs

- Replace em dash with hyphen in UnsupportedOperationException catch comment
- Add .gitignore for file-uploads/ in vertx-web-3.4, 4.0, and 5.0 modules
  to suppress the temporary upload directories created by BodyHandler.create()
  during test execution
…vertx' into alejandro.gonzalez/APPSEC-61873-vertx
@jandro996 jandro996 marked this pull request as ready for review May 22, 2026 10:02
@jandro996 jandro996 requested a review from a team as a code owner May 22, 2026 10:02
@jandro996 jandro996 requested review from ygree and removed request for a team May 22, 2026 10:02
@dd-octo-sts

dd-octo-sts Bot commented May 22, 2026

Copy link
Copy Markdown
Contributor

Hi! 👋 Thanks for your pull request! 🎉

To help us review it, please make sure to:

  • Add at least one type, and one component or instrumentation label to the pull request

If you need help, please check our contributing guidelines.

@jandro996 jandro996 added type: feature Enhancements and improvements comp: asm waf Application Security Management (WAF) labels May 22, 2026
The circuit breaker test server uses the legacy expectMultipart+endHandler
pattern and never calls fileUploads(), so the filenames tag is never emitted.
Opt out explicitly to avoid inheriting the true override from VertxHttpServerForkedTest.
jandro996 added a commit that referenced this pull request May 27, 2026
Remove Vert.x sections (pending #11268) and Jetty 8.x/9.4 sections
(pending #10988) from docs and AGENTS.md files. Content will be added
once the respective PRs are merged.
@dd-octo-sts

dd-octo-sts Bot commented May 29, 2026

Copy link
Copy Markdown
Contributor

🟢 Java Benchmark SLOs — All performance SLOs passed

Suite Status
Startup 🟢 pass

SLO thresholds are defined here based on automatically generated metrics. A warning is raised when results are within 5% of the threshold.

PR vs. master results

Startup Time

Scenario This PR master Change
insecure-bank / iast 13,950 ms 14,049 ms -0.7%
insecure-bank / tracing 12,944 ms 13,010 ms -0.5%
petclinic / appsec 16,610 ms 16,485 ms +0.8%
petclinic / iast 16,546 ms 16,655 ms -0.7%
petclinic / profiling 16,456 ms 16,644 ms -1.1%
petclinic / tracing 16,028 ms 15,796 ms +1.5%

Commit: ef19609f · CI Pipeline · Benchmarking Platform UI


Load and DaCapo benchmarks can be triggered manually in the GitLab pipeline. Results will appear in the Benchmarking Platform UI after completion.

@jandro996 jandro996 added this pull request to the merge queue Jun 4, 2026
@dd-octo-sts

dd-octo-sts Bot commented Jun 4, 2026

Copy link
Copy Markdown
Contributor

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented Jun 4, 2026

Copy link
Copy Markdown

View all feedbacks in Devflow UI.

2026-06-04 08:21:55 UTC ℹ️ Start processing command /merge


2026-06-04 08:22:00 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 1h (p90).


2026-06-04 09:33:33 UTC ℹ️ MergeQueue: This merge request was merged

@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jun 4, 2026
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot merged commit 421d468 into master Jun 4, 2026
572 checks passed
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot deleted the alejandro.gonzalez/APPSEC-61873-vertx branch June 4, 2026 09:33
@github-actions github-actions Bot added this to the 1.64.0 milestone Jun 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

comp: asm waf Application Security Management (WAF) type: feature Enhancements and improvements

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants