
Add server.request.body.filenames support for Undertow and Play#11174

Draft
jandro996 wants to merge 5 commits into master from alejandro.gonzalez/APPSEC-61873-4-undertow-play

Conversation

@jandro996
Member

What Does This Do

Instruments Undertow and Play multipart request handling to fire the requestFilesFilenames AppSec gateway event, enabling WAF rules that act on uploaded file names.

Undertow (undertow-2.0 instrumentation, applied to 2.0–2.2+):

The MultiPartParserDefinition$MultiPartUploadHandler.parseBlocking() exit advice already fires requestBodyProcessed via FormDataMap. This PR extends it to also fire requestFilesFilenames by iterating the parsed FormData and collecting values where getFileName() is non-null. The callback check is done before building the filenames list to avoid allocations on requests where the feature is inactive.

A secondary fix was required in FormDataMap: in undertow 2.0, FormValueImpl.isFile() returns true for all file uploads (they always go to disk). In undertow 2.2+, the FileItem abstraction was introduced to support in-memory storage below a threshold; isFile() now returns false for in-memory files even though value == null. The old !isFile() guard caused getValue() to throw IllegalStateException on every multipart request with small file attachments. Switching to getFileName() == null correctly identifies text fields regardless of undertow version.
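The text-field versus file-part distinction and the callback-gated filename collection described above, as an added example that is not part of this PR or of dd-trace-java. It is written against undertow-core 2.2+: FormData.add(String, String), add(String, Path, String, HeaderMap), get(String), iteration over part names, and FormValue.getFileName()/getValue()/isFile() exist since 2.0, while the add(String, byte[], String, HeaderMap) overload used to build the in-memory part is assumed to be the 2.2+ signature. The Consumer<List<String>> stands in for the gateway callback; the class and method names are the example's own.

```java
// Added example (not dd-trace-java's code): version-agnostic detection of file parts
// vs text fields in Undertow FormData, and filename collection gated on the callback.
// Assumes undertow-core 2.2+ on the classpath. FormData.add(String, byte[], String, HeaderMap)
// is the assumed 2.2+ in-memory overload; the other calls exist since 2.0.
import io.undertow.server.handlers.form.FormData;
import io.undertow.util.HeaderMap;

import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Consumer;

public class MultipartFilenamesExample {

  /** The old guard: treats "not a file" as "text field". On undertow 2.2+ an in-memory
   *  upload has isFile() == false but no value, so getValue() throws IllegalStateException. */
  static Map<String, List<String>> textFieldsOldGuard(FormData data) {
    Map<String, List<String>> out = new LinkedHashMap<>();
    for (String name : data) {
      for (FormData.FormValue v : data.get(name)) {
        if (!v.isFile()) {
          out.computeIfAbsent(name, k -> new ArrayList<>()).add(v.getValue());
        }
      }
    }
    return out;
  }

  /** The fixed guard: a part is a text field iff it carries no filename, on any undertow 2.x. */
  static Map<String, List<String>> textFields(FormData data) {
    Map<String, List<String>> out = new LinkedHashMap<>();
    for (String name : data) {
      for (FormData.FormValue v : data.get(name)) {
        if (v.getFileName() == null) {
          out.computeIfAbsent(name, k -> new ArrayList<>()).add(v.getValue());
        }
      }
    }
    return out;
  }

  /** Fires the filenames callback only when one is registered. The null check comes first,
   *  so requests on which the feature is inactive allocate no list at all. */
  static List<String> reportFilenames(FormData data, Consumer<List<String>> callback) {
    if (callback == null) {
      return null; // feature inactive: nothing built, nothing fired
    }
    List<String> names = new ArrayList<>();
    for (String name : data) {
      for (FormData.FormValue v : data.get(name)) {
        String fn = v.getFileName();
        if (fn != null) {
          names.add(fn); // disk-backed or in-memory: both carry a filename
        }
      }
    }
    if (!names.isEmpty()) {
      callback.accept(names);
    }
    return names;
  }

  public static void main(String[] args) throws Exception {
    // Constructed request body: one text field, one disk-backed upload, one in-memory upload.
    FormData data = new FormData(10);
    data.add("comment", "quarterly numbers attached");
    Path onDisk = Files.createTempFile("undertow-upload", ".tmp");
    data.add("report", onDisk, "report.pdf", new HeaderMap());
    // assumed 2.2+ overload: a part kept in memory because it is below fileSizeThreshold
    data.add("note", "tiny".getBytes(StandardCharsets.UTF_8), "notes.txt", new HeaderMap());

    System.out.println("text fields: " + textFields(data));
    reportFilenames(data, names -> System.out.println("filenames reported: " + names));
    System.out.println("inactive feature: " + reportFilenames(data, null));

    try {
      textFieldsOldGuard(data);
    } catch (IllegalStateException e) {
      // the in-memory "notes.txt" part: isFile() is false, getValue() has no value to return
      System.out.println("old guard failed: " + e.getMessage());
    }
    Files.deleteIfExists(onDisk);
  }
}
```

Running it on undertow 2.0 would not reproduce the failure, because there every upload goes to disk and isFile() is true; the point of the getFileName() guard is that it does not depend on where the part was stored.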

Play 2.5 / 2.6 (play-appsec-2.5, play-appsec-2.6):

BodyParserHelpers.handleMultipartFormData() is the central point where Play assembles the body result. Both versions already call a handleMultipartBodyMap() helper; this PR adds a symmetric handleMultipartFilenames() that iterates data.files(), extracts FilePart.filename(), and fires the callback through executeFilenamesCallback() with blocking support. Play 2.6 uses the same approach compiled against the 2.6 API.

Module Change Coverage

  Module           Change                                                      Coverage
  undertow-2.0     MultiPartUploadHandlerInstrumentation + FormDataMap fix     Undertow 2.0–2.3+
  undertow-2.2     tests only (uses undertow-2.0 instrumentation at runtime)   2.2.14+
  play-appsec-2.5  BodyParserHelpers.handleMultipartFilenames()                Play 2.5.x
  play-appsec-2.6  BodyParserHelpers.handleMultipartFilenames()                Play 2.6.x

Motivation

Part of APPSEC-61873: server.request.body.filenames implementation across server frameworks.

Additional Notes

Depends on #10949 and #10973 (both merged into master).

Contributor Checklist

jandro996 and others added 2 commits April 21, 2026 12:42
- Undertow: extract filenames from FormData attachments in MultiPartUploadHandlerInstrumentation
- Play 2.5/2.6: extract filenames from MultipartFormData.files() in BodyParserHelpers

Both implementations fire the requestFilesFilenames() IG event and support
blocking on malicious filenames.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
In undertow 2.2+, FormValueImpl.isFile() returns false for in-memory file uploads
(file size below fileSizeThreshold) because it checks fileItem.isInMemory(). Use
getFileName() to identify file uploads regardless of storage, which works across
all undertow versions. Also check the filenames callback before building the list
to avoid allocations on requests where the feature is inactive.
@jandro996 jandro996 added type: enhancement Enhancements and improvements comp: asm waf Application Security Management (WAF) labels Apr 21, 2026
@jandro996
Member Author

@codex review

chatgpt-codex-connector (Bot) left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f340ebfab9


…Undertow

Both callbacks are now fetched upfront; the method only returns early when both
are null. Previously an early return on requestBodyProcessed==null silently
skipped filename detection, breaking deployments with filename-only WAF rules.
@pr-commenter

pr-commenter Bot commented Apr 21, 2026

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/APPSEC-61873-4-undertow-play
git_commit_date 1776844785 1776847676
git_commit_sha c72f067 15a0168
release_version 1.62.0-SNAPSHOT~c72f06780f 1.62.0-SNAPSHOT~15a0168cf0
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1776849349 1776849349
ci_job_id 1618445340 1618445340
ci_pipeline_id 108969521 108969521
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-0-tp3h9jya 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-0-tp3h9jya 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module Agent Agent
parent None None

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 64 metrics, 7 unstable metrics.

Startup time reports for insecure-bank
[chart: insecure-bank - global startup overhead, candidate=1.62.0-SNAPSHOT~15a0168cf0, baseline=1.62.0-SNAPSHOT~c72f06780f; values are in the tables below]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.058 s -
Agent iast 1.229 s 170.329 ms (16.1%)
Total tracing 8.804 s -
Total iast 9.521 s 717.252 ms (8.1%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.075 s -
Agent iast 1.238 s 163.318 ms (15.2%)
Total tracing 8.879 s -
Total iast 9.588 s 709.816 ms (8.0%)
insecure-bank - break down per module: candidate=1.62.0-SNAPSHOT~15a0168cf0, baseline=1.62.0-SNAPSHOT~c72f06780f

  section tracing
  Module          Baseline     Candidate
  crashtracking   1.248 ms     1.245 ms
  BytebuddyAgent  633.547 ms   642.163 ms
  AgentMeter      29.758 ms    30.254 ms
  GlobalTracer    250.15 ms    253.726 ms
  AppSec          32.769 ms    33.151 ms
  Debugger        59.332 ms    60.514 ms
  Remote Config   595.768 µs   616.522 µs
  Telemetry       8.002 ms     8.279 ms
  Flare Poller    6.596 ms     8.442 ms

  section iast
  Module          Baseline     Candidate
  crashtracking   1.239 ms     1.233 ms
  BytebuddyAgent  808.06 ms    813.18 ms
  AgentMeter      11.43 ms     11.459 ms
  GlobalTracer    238.402 ms   241.333 ms
  AppSec          27.429 ms    27.518 ms
  Debugger        63.62 ms     63.665 ms
  Remote Config   533.446 µs   535.652 µs
  Telemetry       7.76 ms      7.752 ms
  Flare Poller    3.395 ms     3.382 ms
  IAST            30.78 ms     30.162 ms
Startup time reports for petclinic
[chart: petclinic - global startup overhead, candidate=1.62.0-SNAPSHOT~15a0168cf0, baseline=1.62.0-SNAPSHOT~c72f06780f; values are in the tables below]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.053 s -
Agent appsec 1.272 s 218.725 ms (20.8%)
Agent iast 1.247 s 194.06 ms (18.4%)
Agent profiling 1.194 s 141.253 ms (13.4%)
Total tracing 4.36 s -
Total appsec 11.138 s 6.778 s (155.5%)
Total iast 11.403 s 7.043 s (161.5%)
Total profiling 11.089 s 6.729 s (154.3%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.068 s -
Agent appsec 1.269 s 201.001 ms (18.8%)
Agent iast 1.25 s 182.076 ms (17.1%)
Agent profiling 1.193 s 124.981 ms (11.7%)
Total tracing 11.175 s -
Total appsec 11.116 s -58.621 ms (-0.5%)
Total iast 11.376 s 200.759 ms (1.8%)
Total profiling 11.047 s -127.687 ms (-1.1%)
petclinic - break down per module: candidate=1.62.0-SNAPSHOT~15a0168cf0, baseline=1.62.0-SNAPSHOT~c72f06780f

  section tracing
  Module          Baseline     Candidate
  crashtracking   1.227 ms     1.255 ms
  BytebuddyAgent  627.525 ms   637.362 ms
  AgentMeter      29.575 ms    29.779 ms
  GlobalTracer    247.064 ms   250.919 ms
  AppSec          32.097 ms    32.713 ms
  Debugger        59.29 ms     60.292 ms
  Remote Config   609.553 µs   594.475 µs
  Telemetry       8.03 ms      8.128 ms
  Flare Poller    11.405 ms    9.845 ms

  section appsec
  Module          Baseline     Candidate
  crashtracking   1.244 ms     1.235 ms
  BytebuddyAgent  678.032 ms   677.181 ms
  AgentMeter      12.163 ms    12.18 ms
  GlobalTracer    251.126 ms   250.174 ms
  AppSec          187.77 ms    187.266 ms
  Debugger        67.762 ms    67.156 ms
  Remote Config   577.481 µs   579.947 µs
  Telemetry       8.037 ms     7.962 ms
  Flare Poller    3.53 ms      3.475 ms
  IAST            24.599 ms    24.63 ms

  section iast
  Module          Baseline     Candidate
  crashtracking   1.239 ms     1.255 ms
  BytebuddyAgent  819.903 ms   820.585 ms
  AgentMeter      11.613 ms    11.624 ms
  GlobalTracer    241.833 ms   242.035 ms
  AppSec          27.454 ms    29.077 ms
  Debugger        65.262 ms    67.51 ms
  Remote Config   540.651 µs   546.024 µs
  Telemetry       7.854 ms     8.053 ms
  Flare Poller    3.525 ms     3.566 ms
  IAST            31.22 ms     28.627 ms

  section profiling
  Module          Baseline     Candidate
  crashtracking   1.22 ms      1.196 ms
  BytebuddyAgent  696.977 ms   695.434 ms
  AgentMeter      9.251 ms     9.245 ms
  GlobalTracer    208.577 ms   208.344 ms
  AppSec          33.198 ms    33.151 ms
  Debugger        66.251 ms    66.442 ms
  Remote Config   581.716 µs   587.854 µs
  Telemetry       7.879 ms     7.845 ms
  Flare Poller    3.565 ms     3.612 ms
  ProfilingAgent  94.756 ms    94.828 ms
  Profiling       95.313 ms    95.386 ms

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/APPSEC-61873-4-undertow-play
git_commit_date 1776844785 1776847676
git_commit_sha c72f067 15a0168
release_version 1.62.0-SNAPSHOT~c72f06780f 1.62.0-SNAPSHOT~15a0168cf0
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1776849937 1776849937
ci_job_id 1618445341 1618445341
ci_pipeline_id 108969521 108969521
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-0-4w24ij2q 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-0-4w24ij2q 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 2 performance improvements and 2 performance regressions! Performance is the same for 15 metrics, 17 unstable metrics.

Per-scenario results (Δ is candidate versus baseline, given as an absolute and a relative interval):

scenario:load:petclinic:appsec:high_load
  Δ mean agg_http_req_duration_p50: worse     [+0.520ms; +1.669ms] or [+2.775%; +8.909%]
  Δ mean agg_http_req_duration_p95: unsure    [+0.480ms; +1.955ms] or [+1.597%; +6.505%]
  Δ mean throughput:                unstable  [-35.446op/s; +14.446op/s] or [-14.512%; +5.914%]
  candidate mean p50 / p95 / throughput: 19.830ms / 31.268ms / 233.750op/s
  baseline  mean p50 / p95 / throughput: 18.736ms / 30.050ms / 244.250op/s

scenario:load:petclinic:profiling:high_load
  Δ mean agg_http_req_duration_p50: worse     [+464.099µs; +1210.760µs] or [+2.551%; +6.656%]
  Δ mean agg_http_req_duration_p95: same      [-564.670µs; +1107.270µs] or [-1.878%; +3.682%]
  Δ mean throughput:                unstable  [-33.542op/s; +17.730op/s] or [-13.417%; +7.092%]
  candidate mean p50 / p95 / throughput: 19.028ms / 30.344ms / 242.094op/s
  baseline  mean p50 / p95 / throughput: 18.191ms / 30.073ms / 250.000op/s

scenario:load:petclinic:tracing:high_load
  Δ mean agg_http_req_duration_p50: better    [-1.467ms; -0.771ms] or [-7.879%; -4.143%]
  Δ mean agg_http_req_duration_p95: better    [-2.213ms; -0.826ms] or [-7.423%; -2.772%]
  Δ mean throughput:                unstable  [-11.996op/s; +40.121op/s] or [-4.841%; +16.190%]
  candidate mean p50 / p95 / throughput: 17.501ms / 28.298ms / 261.875op/s
  baseline  mean p50 / p95 / throughput: 18.621ms / 29.818ms / 247.812op/s
Request duration reports for petclinic
[chart: petclinic - request duration [CI 0.99], candidate=1.62.0-SNAPSHOT~15a0168cf0, baseline=1.62.0-SNAPSHOT~c72f06780f; values are in the tables below]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 18.79 ms [18.597 ms, 18.984 ms] -
appsec 19.105 ms [18.915 ms, 19.296 ms] 315.085 µs (1.7%)
code_origins 18.187 ms [18.003 ms, 18.371 ms] -603.48 µs (-3.2%)
iast 17.792 ms [17.618 ms, 17.966 ms] -998.532 µs (-5.3%)
profiling 18.663 ms [18.474 ms, 18.852 ms] -127.722 µs (-0.7%)
tracing 18.833 ms [18.644 ms, 19.022 ms] 42.461 µs (0.2%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 18.245 ms [18.061 ms, 18.429 ms] -
appsec 19.969 ms [19.765 ms, 20.172 ms] 1.724 ms (9.4%)
code_origins 17.954 ms [17.776 ms, 18.132 ms] -290.932 µs (-1.6%)
iast 17.929 ms [17.757 ms, 18.102 ms] -315.878 µs (-1.7%)
profiling 19.279 ms [19.086 ms, 19.471 ms] 1.034 ms (5.7%)
tracing 17.812 ms [17.641 ms, 17.984 ms] -432.508 µs (-2.4%)
Request duration reports for insecure-bank
[chart: insecure-bank - request duration [CI 0.99], candidate=1.62.0-SNAPSHOT~15a0168cf0, baseline=1.62.0-SNAPSHOT~c72f06780f; values are in the tables below]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.266 ms [1.253 ms, 1.278 ms] -
iast 3.479 ms [3.427 ms, 3.53 ms] 2.213 ms (174.8%)
iast_FULL 6.03 ms [5.969 ms, 6.091 ms] 4.764 ms (376.3%)
iast_GLOBAL 3.73 ms [3.668 ms, 3.793 ms] 2.464 ms (194.7%)
profiling 2.419 ms [2.391 ms, 2.446 ms] 1.153 ms (91.1%)
tracing 1.898 ms [1.882 ms, 1.915 ms] 632.633 µs (50.0%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.251 ms [1.239 ms, 1.264 ms] -
iast 3.403 ms [3.352 ms, 3.455 ms] 2.152 ms (172.0%)
iast_FULL 6.103 ms [6.041 ms, 6.165 ms] 4.851 ms (387.7%)
iast_GLOBAL 3.676 ms [3.614 ms, 3.737 ms] 2.424 ms (193.7%)
profiling 2.173 ms [2.15 ms, 2.196 ms] 921.654 µs (73.6%)
tracing 1.899 ms [1.883 ms, 1.915 ms] 647.777 µs (51.8%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/APPSEC-61873-4-undertow-play
git_commit_date 1776844785 1776847676
git_commit_sha c72f067 15a0168
release_version 1.62.0-SNAPSHOT~c72f06780f 1.62.0-SNAPSHOT~15a0168cf0
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1776849736 1776849736
ci_job_id 1618445342 1618445342
ci_pipeline_id 108969521 108969521
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-1-t8wtle4z 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-1-t8wtle4z 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for tomcat
[chart: tomcat - execution time [CI 0.99], candidate=1.62.0-SNAPSHOT~15a0168cf0, baseline=1.62.0-SNAPSHOT~c72f06780f; values are in the tables below]
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.488 ms [1.476 ms, 1.499 ms] -
appsec 3.765 ms [3.548 ms, 3.983 ms] 2.278 ms (153.1%)
iast 2.278 ms [2.208 ms, 2.347 ms] 790.014 µs (53.1%)
iast_GLOBAL 2.326 ms [2.256 ms, 2.396 ms] 838.538 µs (56.4%)
profiling 2.107 ms [2.052 ms, 2.162 ms] 619.24 µs (41.6%)
tracing 2.088 ms [2.034 ms, 2.141 ms] 599.998 µs (40.3%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.491 ms [1.479 ms, 1.503 ms] -
appsec 3.823 ms [3.603 ms, 4.043 ms] 2.332 ms (156.4%)
iast 2.278 ms [2.209 ms, 2.348 ms] 787.272 µs (52.8%)
iast_GLOBAL 2.327 ms [2.257 ms, 2.397 ms] 835.808 µs (56.1%)
profiling 2.097 ms [2.042 ms, 2.151 ms] 605.666 µs (40.6%)
tracing 2.096 ms [2.042 ms, 2.149 ms] 604.633 µs (40.6%)
Execution time for biojava
[chart: biojava - execution time [CI 0.99], candidate=1.62.0-SNAPSHOT~15a0168cf0, baseline=1.62.0-SNAPSHOT~c72f06780f; values are in the tables below]
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.637 s [15.637 s, 15.637 s] -
appsec 14.776 s [14.776 s, 14.776 s] -861.0 ms (-5.5%)
iast 18.631 s [18.631 s, 18.631 s] 2.994 s (19.1%)
iast_GLOBAL 17.775 s [17.775 s, 17.775 s] 2.138 s (13.7%)
profiling 15.329 s [15.329 s, 15.329 s] -308.0 ms (-2.0%)
tracing 15.067 s [15.067 s, 15.067 s] -570.0 ms (-3.6%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 14.871 s [14.871 s, 14.871 s] -
appsec 14.639 s [14.639 s, 14.639 s] -232.0 ms (-1.6%)
iast 18.252 s [18.252 s, 18.252 s] 3.381 s (22.7%)
iast_GLOBAL 17.908 s [17.908 s, 17.908 s] 3.037 s (20.4%)
profiling 15.019 s [15.019 s, 15.019 s] 148.0 ms (1.0%)
tracing 15.09 s [15.09 s, 15.09 s] 219.0 ms (1.5%)

…port

Use reflection to invoke MultipartFormData.files() so the bytecode does not
embed a hard reference to the Scala 2.11/2.12 return type
(Lscala/collection/Seq;). In Scala 2.13 (Play 2.7+) the method returns
scala.collection.immutable.Seq, causing muzzle to disable the entire
PlayBodyParsersInstrumentation and breaking all body-parsing features.

Also enable testBodyFilenames() in Play 2.5/2.6/2.7 test suites.
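The Play side of the change (handleMultipartFilenames() walking data.files() and reading FilePart.filename(), as described in the PR body) combined with the reflective call this commit introduces, as an added example that is not part of this PR or of dd-trace-java. The instrumented code never names the Scala collection type in its bytecode: files(), iterator(), hasNext(), next() and filename() are all resolved by name at run time, which is what keeps the same class loadable whether files() returns scala.collection.Seq (Scala 2.11/2.12) or scala.collection.immutable.Seq (Scala 2.13). The MultipartFormData, FileSeq and FilePart classes at the bottom are constructed stand-ins with the same method names as Play's API so the example runs offline; the reflective walk itself makes no assumption beyond those method names.

```java
// Added example (not dd-trace-java's code): reading multipart filenames from a Play
// MultipartFormData purely by reflection, so no Scala Seq descriptor is embedded in the
// caller's bytecode. Stand-in classes below are constructed for the demo; against real Play
// the same walk runs on play.api.mvc.MultipartFormData (assumed method names, see lead-in).
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;

public class ReflectiveFilenamesExample {

  /** Walk body.files() -> iterator() -> hasNext()/next() -> filename() by method name only.
   *  Returns the filenames found; an empty list when there are none or the shape is unexpected. */
  static List<String> filenames(Object multipartFormData) {
    List<String> out = new ArrayList<>();
    try {
      Object seq = invoke(multipartFormData, "files");
      Object it = invoke(seq, "iterator");
      while ((Boolean) invoke(it, "hasNext")) {
        Object part = invoke(it, "next");
        Object fn = invoke(part, "filename");
        if (fn != null) {
          out.add(fn.toString());
        }
      }
    } catch (ReflectiveOperationException e) {
      // Unexpected shape (an accessor renamed in some future version): report nothing rather
      // than fail the request; instrumentation must never break the app's body parsing.
      return out;
    }
    return out;
  }

  private static Object invoke(Object target, String method) throws ReflectiveOperationException {
    Method m = target.getClass().getMethod(method);
    m.setAccessible(true); // the concrete Scala iterator class may be non-public
    return m.invoke(target);
  }

  // ---- constructed stand-ins shaped like Play's API (files() / iterator() / filename()) ----
  static final class FilePart {
    private final String filename;
    FilePart(String filename) { this.filename = filename; }
    public String filename() { return filename; }
  }

  static final class FileSeq implements Iterable<FilePart> {
    private final List<FilePart> parts;
    FileSeq(FilePart... parts) { this.parts = Arrays.asList(parts); }
    @Override public Iterator<FilePart> iterator() { return parts.iterator(); }
  }

  static final class MultipartFormData {
    private final FileSeq files;
    MultipartFormData(FileSeq files) { this.files = files; }
    public FileSeq files() { return files; }
  }

  public static void main(String[] args) {
    // Constructed body with two uploaded parts and a body with none.
    MultipartFormData twoFiles =
        new MultipartFormData(new FileSeq(new FilePart("avatar.png"), new FilePart("cv.docx")));
    MultipartFormData noFiles = new MultipartFormData(new FileSeq());
    System.out.println("filenames: " + filenames(twoFiles));
    System.out.println("filenames: " + filenames(noFiles));
  }
}
```

java.util.Iterator exposes hasNext() and next() under the same names as scala.collection.Iterator, which is why the constructed FileSeq can return a plain Java iterator and the reflective loop still matches what it would do against a real Scala Seq. In the instrumentation itself the Method lookups would be cached rather than repeated per request.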