Add server.request.body.filenames AppSec address for commons-fileupload#10949

Open
jandro996 wants to merge 7 commits into master from alejandro.gonzalez/APPSEC-61873-1
Conversation

@jandro996 (Member) commented Mar 24, 2026

What Does This Do

  • Introduces the server.request.body.filenames IG address and requestFilesFilenames() event in the gateway API, wired through GatewayBridge
  • Instruments ServletFileUpload.parseRequest(HttpServletRequest) (commons-fileupload ≥ 1.5) to extract uploaded file names and fire the WAF callback; blocks with a BlockingException on RequestBlockingAction
  • Adds a smoke test endpoint (POST /upload) and a test that verifies malicious file names (e.g. exploit.jsp) are blocked via a custom WAF rule matching server.request.body.filenames

Motivation

The customer's application uses Apache Commons FileUpload to handle multipart requests:

// fileupload.jsp (customer app)
ServletFileUpload upload = new ServletFileUpload(factory);
List<FileItem> items = upload.parseRequest(request);
for (FileItem item : items) { ... }

Uploading a file named exploit.jsp was neither detected nor blocked because server.request.body.filenames was never populated — the IG event and GatewayBridge wiring did not exist yet.

This PR adds the event and instruments ServletFileUpload.parseRequest() as the first integration since it is the exact entry point the customer is using. Successive PRs will extend coverage to other multipart entry points (HttpServletRequest.getParts(), Spring MultipartFile, etc.).

Additional Notes

Contributor Checklist

Jira ticket: [APPSEC-61873-1]

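The check this PR wires up, modelled as an added example (not dd-trace-java code): a minimal multipart/form-data parser that splits parts the way ServletFileUpload.parseRequest() does (form fields vs. file items), publishes the file names on server.request.body.filenames, and evaluates a regex rule in the spirit of the smoke test's __test_file_upload_block rule. The rule dict, parser, function names and sample bodies are assumptions for illustration and do not reproduce the WAF's real rule format.

```python
import re
from typing import Dict, List, Optional, Tuple

# Hypothetical rule modelled on the PR's __test_file_upload_block: block when an
# uploaded file name ends in .jsp/.php/.asp/.aspx. Case-insensitive, because the
# value matched is the raw client-supplied name, exactly as the browser sent it.
FILE_UPLOAD_RULE = {
    "id": "__test_file_upload_block",
    "address": "server.request.body.filenames",
    "regex": r"(?i)\.(jsp|php|asp|aspx)$",
    "on_match": "block",
}

_NAME_RE = re.compile(r'(?:^|;)\s*name="([^"]*)"')        # form field name
_FILENAME_RE = re.compile(r';\s*filename="([^"]*)"')      # only present on file items


def parse_multipart(body: bytes, boundary: str) -> List[Tuple[str, Optional[str]]]:
    """Return (field name, filename) per part; filename is None for plain fields."""
    delimiter = b"--" + boundary.encode("ascii")
    parts: List[Tuple[str, Optional[str]]] = []
    for chunk in body.split(delimiter)[1:]:  # [0] is the preamble before the first part
        if chunk.startswith(b"--"):          # "--boundary--" closes the body
            break
        header_blob, _, _content = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers: Dict[str, str] = {}
        for line in header_blob.decode("latin-1").split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        disposition = headers.get("content-disposition", "")
        name = _NAME_RE.search(disposition)
        # Same split commons-fileupload makes: no filename parameter means the
        # part is a form field (FileItem.isFormField() == true), not an upload.
        filename = _FILENAME_RE.search(disposition)
        parts.append((name.group(1) if name else "",
                      filename.group(1) if filename else None))
    return parts


def extract_filenames(parts: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Value published on server.request.body.filenames: file items only."""
    return [filename for _, filename in parts if filename is not None]


def evaluate_rule(rule: dict, addresses: Dict[str, List[str]]) -> Optional[dict]:
    """Apply one regex rule to the address it reads; return the match or None."""
    pattern = re.compile(rule["regex"])
    for value in addresses.get(rule["address"], []):
        if pattern.search(value):
            return {"rule_id": rule["id"], "address": rule["address"],
                    "value": value, "action": rule["on_match"]}
    return None


def inspect_upload(body: bytes, boundary: str) -> dict:
    """End to end: parse the body, publish the address, decide block or allow."""
    filenames = extract_filenames(parse_multipart(body, boundary))
    match = evaluate_rule(FILE_UPLOAD_RULE, {FILE_UPLOAD_RULE["address"]: filenames})
    blocked = match is not None and match["action"] == "block"
    return {"filenames": filenames, "blocked": blocked, "match": match}


# Constructed sample bodies (not captured traffic); the boundary is arbitrary.
BOUNDARY = "----example-boundary"
MALICIOUS_UPLOAD = (
    b"------example-boundary\r\n"
    b'Content-Disposition: form-data; name="description"\r\n\r\n'
    b"quarterly report\r\n"
    b"------example-boundary\r\n"
    b'Content-Disposition: form-data; name="file"; filename="exploit.jsp"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"placeholder bytes\r\n"
    b"------example-boundary--\r\n"
)
BENIGN_UPLOAD = (
    b"------example-boundary\r\n"
    b'Content-Disposition: form-data; name="file"; filename="report.pdf"\r\n'
    b"Content-Type: application/pdf\r\n\r\n"
    b"%PDF-1.4 placeholder\r\n"
    b"------example-boundary--\r\n"
)
```

In the PR the block decision surfaces as a BlockingException thrown from the instrumented parseRequest() call; here it is just the `blocked` flag.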
jandro996 and others added 5 commits March 24, 2026 10:54
- Add REQUEST_FILES_FILENAMES_ID=30 event to Events.java with
  BiFunction<RequestContext, List<String>, Flow<Void>> callback type
- Register case in InstrumentationGateway switch to wrap with try-catch
- Wire GatewayBridge: conditional registration, handler, cache field,
  reset, and IGAppSecEventDependencies entry
- Add unit tests in InstrumentationGatewayTest and GatewayBridgeSpecification

tag: ai generated
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Instrument ServletFileUpload.parseRequest() to extract filenames from
non-form-field FileItems and fire the requestFilesFilenames() IG event.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Certifies that the commons-fileupload instrumentation fires
server.request.body.filenames and the WAF can block on it end-to-end:
- Add /upload endpoint using ServletFileUpload.parseRequest() (mirrors
  client's fileupload.jsp pattern)
- Disable Spring multipart auto-config so Commons FileUpload handles
  the request before Spring intercepts it
- Add commons-fileupload:1.5 dependency to the smoke test app
- Add __test_file_upload_block WAF rule matching .jsp/.php/.asp/.aspx
  filenames and block request based on malicious file upload filename test

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Spring's MultipartAutoConfiguration was activating despite
spring.servlet.multipart.enabled=false in application.properties,
causing StandardServletMultipartResolver to consume the request
InputStream before Commons FileUpload could read it.

Explicitly exclude MultipartAutoConfiguration via @SpringBootApplication
so the raw InputStream is available to ServletFileUpload.parseRequest().

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- InstrumentationGateway.java: restore alphabetical import order
  (REQUEST_FILES_FILENAMES_ID belongs after REQUEST_ENDED_ID)
- CommonsFileUploadAppSecModule.java: use NameMatchers.named instead of
  ElementMatchers.named, consistent with adjacent IAST instrumentation

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
jandro996 added the labels "type: enhancement" (Enhancements and improvements) and "comp: asm waf" (Application Security Management (WAF)) on Mar 24, 2026
pr-commenter bot commented Mar 24, 2026

Benchmarks

Startup

Parameters

| Parameter | Baseline | Candidate |
| --- | --- | --- |
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/APPSEC-61873-1 |
| git_commit_date | 1774307356 | 1774349955 |
| git_commit_sha | 68aa369 | f186acc |
| release_version | 1.61.0-SNAPSHOT~68aa369a4f | 1.61.0-SNAPSHOT~f186acc614 |

Matching parameters (identical for baseline and candidate):

| Parameter | Value |
| --- | --- |
| application | insecure-bank |
| ci_job_date | 1774351994 |
| ci_job_id | 1533812302 |
| ci_pipeline_id | 104151677 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-zfyrx7zua-project-304-concurrent-0-zigkypoa 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |
| module | Agent |
| parent | None |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 62 metrics, 9 unstable metrics.

Startup time reports for petclinic

[Chart: petclinic - global startup overhead: candidate=1.61.0-SNAPSHOT~f186acc614, baseline=1.61.0-SNAPSHOT~68aa369a4f; Agent and Total startup time per variant (tracing, appsec, iast, profiling); the values are the ones in the tables below]

Baseline results:

| Module | Variant | Duration | Δ vs tracing |
| --- | --- | --- | --- |
| Agent | tracing | 1.063 s | - |
| Agent | appsec | 1.245 s | 181.658 ms (17.1%) |
| Agent | iast | 1.23 s | 166.403 ms (15.6%) |
| Agent | profiling | 1.183 s | 119.668 ms (11.3%) |
| Total | tracing | 11.032 s | - |
| Total | appsec | 11.213 s | 181.903 ms (1.6%) |
| Total | iast | 11.323 s | 290.973 ms (2.6%) |
| Total | profiling | 10.954 s | -77.686 ms (-0.7%) |

Candidate results:

| Module | Variant | Duration | Δ vs tracing |
| --- | --- | --- | --- |
| Agent | tracing | 1.072 s | - |
| Agent | appsec | 1.249 s | 176.404 ms (16.5%) |
| Agent | iast | 1.241 s | 168.379 ms (15.7%) |
| Agent | profiling | 1.182 s | 110.194 ms (10.3%) |
| Total | tracing | 11.16 s | - |
| Total | appsec | 11.137 s | -23.664 ms (-0.2%) |
| Total | iast | 11.282 s | 121.725 ms (1.1%) |
| Total | profiling | 10.954 s | -206.477 ms (-1.9%) |
[Chart: petclinic - break down per module: candidate=1.61.0-SNAPSHOT~f186acc614, baseline=1.61.0-SNAPSHOT~68aa369a4f; per-module startup time (crashtracking, BytebuddyAgent, AgentMeter, GlobalTracer, AppSec, Debugger, Remote Config, Telemetry, Flare Poller, IAST, ProfilingAgent, Profiling) for the tracing, appsec, iast and profiling variants, baseline vs. candidate]
Startup time reports for insecure-bank

[Chart: insecure-bank - global startup overhead: candidate=1.61.0-SNAPSHOT~f186acc614, baseline=1.61.0-SNAPSHOT~68aa369a4f; Agent and Total startup time per variant (tracing, iast); the values are the ones in the tables below]

Baseline results:

| Module | Variant | Duration | Δ vs tracing |
| --- | --- | --- | --- |
| Agent | tracing | 1.069 s | - |
| Agent | iast | 1.236 s | 166.496 ms (15.6%) |
| Total | tracing | 8.856 s | - |
| Total | iast | 9.558 s | 702.73 ms (7.9%) |

Candidate results:

| Module | Variant | Duration | Δ vs tracing |
| --- | --- | --- | --- |
| Agent | tracing | 1.056 s | - |
| Agent | iast | 1.236 s | 180.88 ms (17.1%) |
| Total | tracing | 8.839 s | - |
| Total | iast | 9.556 s | 716.724 ms (8.1%) |

[Chart: insecure-bank - break down per module: candidate=1.61.0-SNAPSHOT~f186acc614, baseline=1.61.0-SNAPSHOT~68aa369a4f; per-module startup time (crashtracking, BytebuddyAgent, AgentMeter, GlobalTracer, AppSec, Debugger, Remote Config, Telemetry, Flare Poller, IAST) for the tracing and iast variants, baseline vs. candidate]

Load

Parameters

| Parameter | Baseline | Candidate |
| --- | --- | --- |
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/APPSEC-61873-1 |
| git_commit_date | 1774307356 | 1774349955 |
| git_commit_sha | 68aa369 | f186acc |
| release_version | 1.61.0-SNAPSHOT~68aa369a4f | 1.61.0-SNAPSHOT~f186acc614 |

Matching parameters (identical for baseline and candidate):

| Parameter | Value |
| --- | --- |
| application | insecure-bank |
| ci_job_date | 1774352626 |
| ci_job_id | 1533812304 |
| ci_pipeline_id | 104151677 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-zfyrx7zua-project-304-concurrent-1-955h3y3d 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |

Summary

Found 0 performance improvements and 3 performance regressions! Performance is the same for 17 metrics, 16 unstable metrics.

| Scenario | Metric | Verdict | Δ mean (CI) | Candidate mean | Baseline mean |
| --- | --- | --- | --- | --- | --- |
| scenario:load:insecure-bank:iast_GLOBAL:high_load | agg_http_req_duration_p50 | worse | [+78.358µs; +170.524µs] or [+2.973%; +6.470%] | 2.760ms | 2.635ms |
| scenario:load:insecure-bank:iast_GLOBAL:high_load | agg_http_req_duration_p95 | same | [-126.861µs; +297.190µs] or [-1.648%; +3.862%] | 7.781ms | 7.696ms |
| scenario:load:insecure-bank:iast_GLOBAL:high_load | throughput | unstable | [-184.779op/s; +103.216op/s] or [-13.675%; +7.639%] | 1310.438op/s | 1351.219op/s |
| scenario:load:petclinic:iast:high_load | agg_http_req_duration_p50 | worse | [+0.784ms; +1.489ms] or [+4.441%; +8.429%] | 18.800ms | 17.664ms |
| scenario:load:petclinic:iast:high_load | agg_http_req_duration_p95 | worse | [+1.044ms; +2.287ms] or [+3.611%; +7.907%] | 30.583ms | 28.918ms |
| scenario:load:petclinic:iast:high_load | throughput | unstable | [-41.337op/s; +10.837op/s] or [-15.966%; +4.186%] | 243.656op/s | 258.906op/s |
Request duration reports for insecure-bank

[Chart: insecure-bank - request duration [CI 0.99]: candidate=1.61.0-SNAPSHOT~f186acc614, baseline=1.61.0-SNAPSHOT~68aa369a4f; the values are the ones in the tables below]

Baseline results:

| Variant | Request duration [CI 0.99] | Δ vs no_agent |
| --- | --- | --- |
| no_agent | 1.174 ms [1.162 ms, 1.186 ms] | - |
| iast | 3.223 ms [3.18 ms, 3.267 ms] | 2.049 ms (174.6%) |
| iast_FULL | 5.959 ms [5.898 ms, 6.02 ms] | 4.785 ms (407.7%) |
| iast_GLOBAL | 3.39 ms [3.342 ms, 3.437 ms] | 2.216 ms (188.8%) |
| profiling | 2.1 ms [2.082 ms, 2.119 ms] | 926.279 µs (78.9%) |
| tracing | 1.772 ms [1.757 ms, 1.786 ms] | 597.806 µs (50.9%) |

Candidate results:

| Variant | Request duration [CI 0.99] | Δ vs no_agent |
| --- | --- | --- |
| no_agent | 1.188 ms [1.176 ms, 1.2 ms] | - |
| iast | 3.299 ms [3.255 ms, 3.343 ms] | 2.111 ms (177.7%) |
| iast_FULL | 5.887 ms [5.828 ms, 5.947 ms] | 4.699 ms (395.5%) |
| iast_GLOBAL | 3.498 ms [3.447 ms, 3.549 ms] | 2.31 ms (194.4%) |
| profiling | 2.067 ms [2.048 ms, 2.086 ms] | 878.571 µs (73.9%) |
| tracing | 1.775 ms [1.761 ms, 1.79 ms] | 587.184 µs (49.4%) |
Request duration reports for petclinic

[Chart: petclinic - request duration [CI 0.99]: candidate=1.61.0-SNAPSHOT~f186acc614, baseline=1.61.0-SNAPSHOT~68aa369a4f; the values are the ones in the tables below]

Baseline results:

| Variant | Request duration [CI 0.99] | Δ vs no_agent |
| --- | --- | --- |
| no_agent | 19.232 ms [19.033 ms, 19.431 ms] | - |
| appsec | 18.918 ms [18.721 ms, 19.114 ms] | -314.232 µs (-1.6%) |
| code_origins | 17.851 ms [17.673 ms, 18.029 ms] | -1.381 ms (-7.2%) |
| iast | 18.023 ms [17.842 ms, 18.205 ms] | -1.208 ms (-6.3%) |
| profiling | 19.043 ms [18.851 ms, 19.234 ms] | -189.162 µs (-1.0%) |
| tracing | 17.663 ms [17.486 ms, 17.839 ms] | -1.569 ms (-8.2%) |

Candidate results:

| Variant | Request duration [CI 0.99] | Δ vs no_agent |
| --- | --- | --- |
| no_agent | 19.449 ms [19.25 ms, 19.648 ms] | - |
| appsec | 18.85 ms [18.663 ms, 19.038 ms] | -598.342 µs (-3.1%) |
| code_origins | 17.806 ms [17.629 ms, 17.982 ms] | -1.643 ms (-8.4%) |
| iast | 19.152 ms [18.959 ms, 19.345 ms] | -296.723 µs (-1.5%) |
| profiling | 18.565 ms [18.377 ms, 18.753 ms] | -883.456 µs (-4.5%) |
| tracing | 17.89 ms [17.713 ms, 18.068 ms] | -1.558 ms (-8.0%) |

Dacapo

Parameters

| Parameter | Baseline | Candidate |
| --- | --- | --- |
| baseline_or_candidate | baseline | candidate |
| git_branch | master | alejandro.gonzalez/APPSEC-61873-1 |
| git_commit_date | 1774307356 | 1774349955 |
| git_commit_sha | 68aa369 | f186acc |
| release_version | 1.61.0-SNAPSHOT~68aa369a4f | 1.61.0-SNAPSHOT~f186acc614 |

Matching parameters (identical for baseline and candidate):

| Parameter | Value |
| --- | --- |
| application | biojava |
| ci_job_date | 1774352229 |
| ci_job_id | 1533812306 |
| ci_pipeline_id | 104151677 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-zfyrx7zua-project-304-concurrent-0-unazei5f 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for biojava

[Chart: biojava - execution time [CI 0.99]: candidate=1.61.0-SNAPSHOT~f186acc614, baseline=1.61.0-SNAPSHOT~68aa369a4f; the values are the ones in the tables below]

Baseline results:

| Variant | Execution Time [CI 0.99] | Δ vs no_agent |
| --- | --- | --- |
| no_agent | 14.867 s [14.867 s, 14.867 s] | - |
| appsec | 14.5 s [14.5 s, 14.5 s] | -367.0 ms (-2.5%) |
| iast | 18.175 s [18.175 s, 18.175 s] | 3.308 s (22.3%) |
| iast_GLOBAL | 18.173 s [18.173 s, 18.173 s] | 3.306 s (22.2%) |
| profiling | 15.292 s [15.292 s, 15.292 s] | 425.0 ms (2.9%) |
| tracing | 15.139 s [15.139 s, 15.139 s] | 272.0 ms (1.8%) |

Candidate results:

| Variant | Execution Time [CI 0.99] | Δ vs no_agent |
| --- | --- | --- |
| no_agent | 15.462 s [15.462 s, 15.462 s] | - |
| appsec | 15.188 s [15.188 s, 15.188 s] | -274.0 ms (-1.8%) |
| iast | 18.534 s [18.534 s, 18.534 s] | 3.072 s (19.9%) |
| iast_GLOBAL | 18.068 s [18.068 s, 18.068 s] | 2.606 s (16.9%) |
| profiling | 15.038 s [15.038 s, 15.038 s] | -424.0 ms (-2.7%) |
| tracing | 14.785 s [14.785 s, 14.785 s] | -677.0 ms (-4.4%) |
Execution time for tomcat

[Chart: tomcat - execution time [CI 0.99]: candidate=1.61.0-SNAPSHOT~f186acc614, baseline=1.61.0-SNAPSHOT~68aa369a4f; the values are the ones in the tables below]

Baseline results:

| Variant | Execution Time [CI 0.99] | Δ vs no_agent |
| --- | --- | --- |
| no_agent | 1.474 ms [1.463 ms, 1.486 ms] | - |
| appsec | 3.816 ms [3.594 ms, 4.038 ms] | 2.342 ms (158.8%) |
| iast | 2.265 ms [2.195 ms, 2.334 ms] | 790.318 µs (53.6%) |
| iast_GLOBAL | 2.305 ms [2.236 ms, 2.374 ms] | 830.557 µs (56.3%) |
| profiling | 2.112 ms [2.056 ms, 2.168 ms] | 637.738 µs (43.3%) |
| tracing | 2.081 ms [2.027 ms, 2.135 ms] | 606.559 µs (41.1%) |

Candidate results:

| Variant | Execution Time [CI 0.99] | Δ vs no_agent |
| --- | --- | --- |
| no_agent | 1.482 ms [1.47 ms, 1.493 ms] | - |
| appsec | 3.818 ms [3.594 ms, 4.042 ms] | 2.337 ms (157.7%) |
| iast | 2.262 ms [2.193 ms, 2.331 ms] | 780.038 µs (52.7%) |
| iast_GLOBAL | 2.3 ms [2.231 ms, 2.369 ms] | 818.695 µs (55.3%) |
| profiling | 2.115 ms [2.058 ms, 2.171 ms] | 633.023 µs (42.7%) |
| tracing | 2.075 ms [2.022 ms, 2.128 ms] | 593.557 µs (40.1%) |

@jandro996 jandro996 marked this pull request as ready for review March 24, 2026 13:30
@jandro996 jandro996 requested review from a team as code owners March 24, 2026 13:31
chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f186acc614

Comment on lines +205 to +207:

if (additionalIGEvents.contains(EVENTS.requestFilesFilenames())) {
  subscriptionService.registerCallback(
      EVENTS.requestFilesFilenames(), this::onRequestFilesFilenames);

P1: Register filename callback regardless of initial subscriptions

requestFilesFilenames is conditionally registered only when the address is present in additionalIGEvents during GatewayBridge.init(). In production, AppSec subscriptions are reloaded via reloadSubscriptions()/GatewayBridge.reset() without rerunning init(), so if server.request.body.filenames is added later (for example by a remote custom rule), this callback remains unregistered and CommonsFileUploadAppSecModule keeps seeing null from getCallback(...); filename rules will not execute until restart.

@jandro996 (Member, Author) replied:

Good point in general, but in practice this won't be an issue: server.request.body.filenames will be part of the default ruleset, so it will always be present in additionalIGEvents at startup and the callback will always be registered via init().

The scenario you describe (address added later via remote config without restart) is a pre-existing limitation that equally affects requestPathParams and requestBodyProcessed, which use the same conditional registration pattern. We followed that same pattern intentionally for consistency.
