Skip to content

Fix unbounded multipart form-field buffering in Jetty 8 PartHelper#11876

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 3 commits into
masterfrom
APMSP-3580
Jul 7, 2026
Merged

Fix unbounded multipart form-field buffering in Jetty 8 PartHelper#11876
gh-worker-dd-mergequeue-cf854d[bot] merged 3 commits into
masterfrom
APMSP-3580

Conversation

@jandro996

@jandro996 jandro996 commented Jul 7, 2026

Copy link
Copy Markdown
Member

What Does This Do

  • Bounds PartHelper.readPartContent() (jetty-appsec-8.1.3) so it no longer buffers a multipart form-field's InputStream into an unbounded ByteArrayOutputStream.
  • Caps the read at Config.get().getAppSecMaxFileContentBytes() (appsec.max.file-content.bytes, default 4096 bytes). There is no dedicated "max form-field bytes" config, so this intentionally reuses the existing file-content knob — documented with a code comment at the call site.
  • Caps the number of form-field parts processed in PartHelper.extractFormFields() via Config.get().getAppSecMaxFileContentCount(), mirroring the MAX_FILES_TO_INSPECT pattern used by MultipartHelper#extractContents() (PR Add server.request.body.files_content AppSec address support for Jetty #11706) for file content. Bounding only the per-field byte read left the total allocation unbounded as O(fields × byteCap) — an attacker could still exhaust memory with many small fields instead of one large one.
  • Leaves charsetFromContentType() and its explicit UTF-8 fallback untouched; the fix does not switch to MultipartContentDecoder (used for file content elsewhere), since that decoder falls back to Charset.defaultCharset(), which would make WAF pattern-matching non-deterministic across hosts.
  • Adds extractFormFieldsTruncatesFieldExceedingMaxContentBytes and extractFormFieldsCapsAtMaxFileContentCount to PartHelperTest.java, asserting the byte truncation and the field-count cap land exactly at their respective configured limits.

Motivation

Jetty 8 (Servlet 3.0) has no getParameterMap()-equivalent for multipart requests, so PartHelper must manually read each form-field Part's stream to extract its text value. Before this fix, that read had no upper bound — either per field or across all fields — so a remote attacker could exhaust heap / cause severe GC pressure with a single oversized text field, or with a large number of small fields. Found via automated security scan (APMSP-3580).

Additional Notes

  • PR Add server.request.body.files_content AppSec address support for Jetty #11706 (pending merge, same file) adds MultipartContentDecoder/MAX_CONTENT_BYTES/MAX_FILES_TO_INSPECT to this same class for an unrelated files_content feature, and explicitly leaves readPartContent()/extractFormFields() untouched. Expect a small, easily-resolvable merge conflict on imports/constants depending on merge order — this fix does not depend on Add server.request.body.files_content AppSec address support for Jetty #11706 landing first, since both Config.get().getAppSecMaxFileContentBytes() and Config.get().getAppSecMaxFileContentCount() already exist independently in internal-api.
  • Release-blocking assessment (for team confirmation): not release-blocking. This is a DoS/memory-pressure issue only (no RCE or data exfiltration), requires a legacy Jetty 8.1.3 deployment with a multipart endpoint, and the fix itself is small and low-risk.
  • Reusing the file-content byte and count caps for form-field text is a deliberate tradeoff (avoids introducing a new AppSec config surface for a bug fix); see the code comments in readPartContent() and extractFormFields().

Contributor Checklist

Jira ticket: APMSP-3580

Note: Once your PR is ready to merge, add it to the merge queue by commenting /merge. /merge -c cancels the queue request. /merge -f --reason "reason" skips all merge queue checks; please use this judiciously, as some checks do not run at the PR-level. For more information, see this doc.

… advice

PartHelper.readPartContent() copied a multipart Part's InputStream into an
unbounded ByteArrayOutputStream before any WAF size check applied, allowing
a single oversized text field to exhaust heap. Cap the read at
Config.get().getAppSecMaxFileContentBytes(), reusing the existing
file-content byte cap since there is no dedicated form-field knob.
@jandro996

Copy link
Copy Markdown
Member Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. What shall we delve into next?

Reviewed commit: 92bebe4ef1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@jandro996 jandro996 marked this pull request as ready for review July 7, 2026 15:25
@jandro996 jandro996 requested a review from a team as a code owner July 7, 2026 15:25
@jandro996 jandro996 requested review from jordan-wong and removed request for a team July 7, 2026 15:25
@dd-octo-sts

dd-octo-sts Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Hi! 👋 Thanks for your pull request! 🎉

To help us review it, please make sure to:

  • Add at least one type, and one component or instrumentation label to the pull request

If you need help, please check our contributing guidelines.

@jandro996 jandro996 added type: bug fix Bug fix comp: asm waf Application Security Management (WAF) labels Jul 7, 2026
extractFormFields() bounded the bytes read per field but not the number
of fields processed, leaving total allocation unbounded as O(fields x
byteCap). Cap the field count via Config.get().getAppSecMaxFileContentCount(),
mirroring the MAX_FILES_TO_INSPECT pattern used by MultipartHelper#extractContents()
(PR #11706) for file content.
@jandro996

Copy link
Copy Markdown
Member Author

@codex review

1 similar comment
@jandro996

Copy link
Copy Markdown
Member Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 37fc40deb4

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@datadog-official

datadog-official Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 69.73% (+12.80%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 54eabd9 | Docs | Datadog PR Page | Give us feedback!

@dd-octo-sts

dd-octo-sts Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🟢 Java Benchmark SLOs — All performance SLOs passed

Suite Status
Startup 🟢 pass

SLO thresholds are defined here based on automatically generated metrics. A warning is raised when results are within 5% of the threshold.

PR vs. master results
Scenario Candidate master Δ (95% CI of mean)
startup:insecure-bank:iast:Agent 14.78 s 14.64 s [+0.1%; +1.9%] (maybe worse)
startup:insecure-bank:tracing:Agent 13.63 s 13.73 s [-1.5%; +0.1%] (no difference)
startup:petclinic:appsec:Agent 16.99 s 16.79 s [+0.3%; +2.1%] (maybe worse)
startup:petclinic:iast:Agent 16.94 s 16.85 s [-0.3%; +1.3%] (no difference)
startup:petclinic:profiling:Agent 16.59 s 16.10 s [-1.4%; +7.4%] (no difference)
startup:petclinic:sca:Agent 16.92 s 16.91 s [-0.8%; +0.9%] (no difference)
startup:petclinic:tracing:Agent 16.09 s 16.13 s [-1.3%; +0.8%] (no difference)

Commit: 54eabd9d · CI Pipeline · Benchmarking Platform UI


Load and DaCapo benchmarks can be triggered manually in the GitLab pipeline. Results will appear in the Benchmarking Platform UI after completion.

@jandro996 jandro996 added this pull request to the merge queue Jul 7, 2026
@dd-octo-sts

dd-octo-sts Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented Jul 7, 2026

Copy link
Copy Markdown

View all feedbacks in Devflow UI.

2026-07-07 16:23:17 UTC ℹ️ Start processing command /merge


2026-07-07 16:23:23 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 1h (p90).


2026-07-07 18:23:59 UTCMergeQueue: The build pipeline has timeout

The merge request has been interrupted because the build 217473510677503781 took longer than expected. The current limit for the base branch 'master' is 120 minutes.

Possible reasons:

  • some mandatory checkruns are failing:
    • Check pull request labels
    • Check pull requests
    • Enforce Groovy migration

@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jul 7, 2026
@jandro996 jandro996 enabled auto-merge July 7, 2026 18:43
@jandro996 jandro996 added this pull request to the merge queue Jul 7, 2026
@dd-octo-sts

dd-octo-sts Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented Jul 7, 2026

Copy link
Copy Markdown

View all feedbacks in Devflow UI.

2026-07-07 19:21:41 UTC ℹ️ Start processing command /merge


2026-07-07 19:21:46 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 1h (p90).


2026-07-07 20:26:31 UTC ℹ️ MergeQueue: This merge request was merged

@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jul 7, 2026
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot merged commit f570544 into master Jul 7, 2026
588 checks passed
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot deleted the APMSP-3580 branch July 7, 2026 20:26
@github-actions github-actions Bot added this to the 1.64.0 milestone Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

comp: asm waf Application Security Management (WAF) type: bug fix Bug fix

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants