
Add file upload WAF rules from appsec-event-rules#277 #11093

Merged: gh-worker-dd-mergequeue-cf854d[bot] merged 1 commit into master from alejandro.gonzalez/appsec-event-rules-277-file-upload-rules on Apr 14, 2026

@jandro996 jandro996 commented Apr 13, 2026

What Does This Do

Ports two new WAF rules introduced in DataDog/appsec-event-rules#277 into the default AppSec config (default_config.json).

Motivation

Both rules were added to tackle issues in APPSEC-61873

Additional Notes

  • crs-944-140 Java Injection Attack: Java Script File Upload Found
    • Type: unrestricted_file_upload | CWE-434 | confidence: 1
    • Matches .jsp/.jspx filenames in server.request.body.filenames and x-filename-style headers
  • dog-920-100 File upload with double extension
    • Type: http_protocol_violation | CWE-176 | confidence: 0
    • Matches files with double extensions (e.g. shell.php.jpg) via regex \w\.[a-zA-Z0-9]{2,5}\.[a-zA-Z0-9]{2,5}$

Contributor Checklist

@jandro996 jandro996 added type: enhancement Enhancements and improvements tag: no release notes Changes to exclude from release notes comp: asm waf Application Security Management (WAF) labels Apr 13, 2026
@jandro996 jandro996 force-pushed the alejandro.gonzalez/appsec-event-rules-277-file-upload-rules branch from 7ceb952 to 1055574 Compare April 13, 2026 13:42
@jandro996 jandro996 marked this pull request as ready for review April 13, 2026 13:49
@jandro996 jandro996 requested a review from a team as a code owner April 13, 2026 13:49
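
The two filename checks described in the PR, run over constructed filenames as an added example (not code from the PR or from the tracer). The double-extension regex is copied from the description; `JSP_EXT` is an assumed stand-in because the page does not show that rule's pattern. It shows that ordinary multi-part names such as archive.tar.gz match the same pattern as shell.php.jpg.

```python
import re

# Pattern quoted verbatim from the PR description of dog-920-100.
# Evaluated here with Python's re module; differences from the WAF's own
# regex engine are not modelled.
DOUBLE_EXT = re.compile(r"\w\.[a-zA-Z0-9]{2,5}\.[a-zA-Z0-9]{2,5}$")

# ASSUMPTION: the PR says crs-944-140 matches .jsp/.jspx filenames but does
# not show its pattern, so this stand-in is hypothetical.
JSP_EXT = re.compile(r"\.jspx?$")

# (rule id, type, confidence) as listed in the PR description.
RULES = (
    ("crs-944-140", "unrestricted_file_upload", 1, JSP_EXT),
    ("dog-920-100", "http_protocol_violation", 0, DOUBLE_EXT),
)

# Constructed sample filenames; only shell.php.jpg appears in the PR.
SAMPLE_FILENAMES = [
    "shell.php.jpg",    # the PR's own double-extension example
    "upload.jsp",
    "view.jspx",
    "page.old.jsp",     # two extensions and a JSP suffix
    "archive.tar.gz",   # benign multi-part names
    "jquery.min.js",
    "backup.2024.zip",
    "report.pdf",       # single extension
    "photo.jpeg",
    "a.b.c",            # extensions shorter than the {2,5} bound
]


def matched_rules(filename):
    """Return the ids of the rules whose pattern matches the filename."""
    return [rule_id for rule_id, _type, _conf, pattern in RULES
            if pattern.search(filename)]


def triage(filenames):
    """Bucket filenames by the highest confidence among the matching rules."""
    buckets = {"confidence_1": [], "confidence_0_only": [], "no_match": []}
    for name in filenames:
        confidences = [conf for _id, _type, conf, pattern in RULES
                       if pattern.search(name)]
        if not confidences:
            buckets["no_match"].append(name)
        elif max(confidences) >= 1:
            buckets["confidence_1"].append(name)
        else:
            buckets["confidence_0_only"].append(name)
    return buckets


if __name__ == "__main__":
    for name in SAMPLE_FILENAMES:
        print(f"{name:18} {matched_rules(name)}")
    for bucket, names in triage(SAMPLE_FILENAMES).items():
        print(f"{bucket}: {names}")
```
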

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 10555742f5


@jandro996 jandro996 enabled auto-merge April 13, 2026 13:53

pr-commenter bot commented Apr 13, 2026

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/appsec-event-rules-277-file-upload-rules
git_commit_date 1776158168 1776158777
git_commit_sha da8bdd2 85593a1
release_version 1.62.0-SNAPSHOT~da8bdd22c1 1.62.0-SNAPSHOT~85593a1b73
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1776160483 1776160483
ci_job_id 1592599766 1592599766
ci_pipeline_id 107538385 107538385
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-2-ze4218sx 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-2-ze4218sx 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module Agent Agent
parent None None

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 61 metrics, 10 unstable metrics.

Startup time reports for petclinic
[Gantt chart: petclinic - global startup overhead: candidate=1.62.0-SNAPSHOT~85593a1b73, baseline=1.62.0-SNAPSHOT~da8bdd22c1; sections: tracing, appsec, iast, profiling]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.059 s -
Agent appsec 1.249 s 189.787 ms (17.9%)
Agent iast 1.224 s 164.586 ms (15.5%)
Agent profiling 1.184 s 124.809 ms (11.8%)
Total tracing 11.145 s -
Total appsec 11.177 s 32.537 ms (0.3%)
Total iast 11.291 s 146.089 ms (1.3%)
Total profiling 11.155 s 10.693 ms (0.1%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.059 s -
Agent appsec 1.255 s 196.256 ms (18.5%)
Agent iast 1.228 s 168.959 ms (16.0%)
Agent profiling 1.198 s 139.306 ms (13.2%)
Total tracing 11.102 s -
Total appsec 11.246 s 143.819 ms (1.3%)
Total iast 11.401 s 298.446 ms (2.7%)
Total profiling 11.204 s 101.359 ms (0.9%)
[Gantt chart: petclinic - break down per module: candidate=1.62.0-SNAPSHOT~85593a1b73, baseline=1.62.0-SNAPSHOT~da8bdd22c1; sections: tracing, appsec, iast, profiling]
Startup time reports for insecure-bank
[Gantt chart: insecure-bank - global startup overhead: candidate=1.62.0-SNAPSHOT~85593a1b73, baseline=1.62.0-SNAPSHOT~da8bdd22c1; sections: tracing, iast]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.08 s -
Agent iast 1.23 s 150.381 ms (13.9%)
Total tracing 8.939 s -
Total iast 9.589 s 649.383 ms (7.3%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.061 s -
Agent iast 1.224 s 163.235 ms (15.4%)
Total tracing 8.859 s -
Total iast 9.552 s 693.698 ms (7.8%)
[Gantt chart: insecure-bank - break down per module: candidate=1.62.0-SNAPSHOT~85593a1b73, baseline=1.62.0-SNAPSHOT~da8bdd22c1; sections: tracing, iast]

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/appsec-event-rules-277-file-upload-rules
git_commit_date 1776158168 1776158777
git_commit_sha da8bdd2 85593a1
release_version 1.62.0-SNAPSHOT~da8bdd22c1 1.62.0-SNAPSHOT~85593a1b73
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1776161033 1776161033
ci_job_id 1592599767 1592599767
ci_pipeline_id 107538385 107538385
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-3-n1u442ni 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-3-n1u442ni 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 2 performance improvements and 1 performance regressions! Performance is the same for 18 metrics, 15 unstable metrics.

| scenario | Δ mean agg_http_req_duration_p50 | Δ mean agg_http_req_duration_p95 | Δ mean throughput | candidate mean agg_http_req_duration_p50 | candidate mean agg_http_req_duration_p95 | candidate mean throughput | baseline mean agg_http_req_duration_p50 | baseline mean agg_http_req_duration_p95 | baseline mean throughput |
|---|---|---|---|---|---|---|---|---|---|
| scenario:load:insecure-bank:iast:high_load | better [-205.560µs; -64.088µs] or [-7.830%; -2.441%] | unsure [-629.363µs; -25.980µs] or [-8.137%; -0.336%] | unstable [-120.506op/s; +215.006op/s] or [-8.800%; +15.702%] | 2.490ms | 7.407ms | 1416.562op/s | 2.625ms | 7.735ms | 1369.312op/s |
| scenario:load:petclinic:appsec:high_load | better [-1129.770µs; -502.199µs] or [-6.055%; -2.691%] | same [-1457.636µs; +50.626µs] or [-4.845%; +0.168%] | unstable [-14.317op/s; +32.317op/s] or [-5.830%; +13.160%] | 17.843ms | 29.384ms | 254.562op/s | 18.659ms | 30.087ms | 245.562op/s |
| scenario:load:petclinic:code_origins:high_load | unsure [+281.966µs; +698.108µs] or [+1.646%; +4.074%] | worse [+0.709ms; +1.774ms] or [+2.531%; +6.328%] | unstable [-30.533op/s; +17.970op/s] or [-11.497%; +6.767%] | 17.624ms | 29.275ms | 259.281op/s | 17.134ms | 28.033ms | 265.562op/s |
Request duration reports for petclinic
[Gantt chart: petclinic - request duration [CI 0.99] : candidate=1.62.0-SNAPSHOT~85593a1b73, baseline=1.62.0-SNAPSHOT~da8bdd22c1; sections: baseline, candidate]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 18.632 ms [18.447 ms, 18.817 ms] -
appsec 19.007 ms [18.815 ms, 19.199 ms] 375.096 µs (2.0%)
code_origins 17.569 ms [17.398 ms, 17.74 ms] -1.063 ms (-5.7%)
iast 17.881 ms [17.705 ms, 18.057 ms] -751.153 µs (-4.0%)
profiling 18.162 ms [17.983 ms, 18.342 ms] -469.844 µs (-2.5%)
tracing 17.858 ms [17.681 ms, 18.035 ms] -773.785 µs (-4.2%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 17.919 ms [17.736 ms, 18.103 ms] -
appsec 18.331 ms [18.149 ms, 18.514 ms] 411.927 µs (2.3%)
code_origins 17.994 ms [17.813 ms, 18.175 ms] 75.118 µs (0.4%)
iast 17.852 ms [17.677 ms, 18.028 ms] -67.164 µs (-0.4%)
profiling 18.222 ms [18.044 ms, 18.4 ms] 302.727 µs (1.7%)
tracing 17.588 ms [17.416 ms, 17.76 ms] -330.9 µs (-1.8%)
Request duration reports for insecure-bank
[Gantt chart: insecure-bank - request duration [CI 0.99] : candidate=1.62.0-SNAPSHOT~85593a1b73, baseline=1.62.0-SNAPSHOT~da8bdd22c1; sections: baseline, candidate]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.257 ms [1.246 ms, 1.269 ms] -
iast 3.343 ms [3.304 ms, 3.383 ms] 2.086 ms (165.9%)
iast_FULL 6.012 ms [5.951 ms, 6.073 ms] 4.755 ms (378.1%)
iast_GLOBAL 3.629 ms [3.569 ms, 3.689 ms] 2.372 ms (188.6%)
profiling 2.215 ms [2.195 ms, 2.235 ms] 957.437 µs (76.1%)
tracing 1.89 ms [1.875 ms, 1.905 ms] 632.104 µs (50.3%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.257 ms [1.244 ms, 1.269 ms] -
iast 3.23 ms [3.184 ms, 3.275 ms] 1.973 ms (157.0%)
iast_FULL 5.952 ms [5.893 ms, 6.011 ms] 4.695 ms (373.6%)
iast_GLOBAL 3.57 ms [3.513 ms, 3.628 ms] 2.314 ms (184.1%)
profiling 2.096 ms [2.078 ms, 2.114 ms] 839.729 µs (66.8%)
tracing 1.897 ms [1.879 ms, 1.916 ms] 640.689 µs (51.0%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master alejandro.gonzalez/appsec-event-rules-277-file-upload-rules
git_commit_date 1776158168 1776158777
git_commit_sha da8bdd2 85593a1
release_version 1.62.0-SNAPSHOT~da8bdd22c1 1.62.0-SNAPSHOT~85593a1b73
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1776160748 1776160748
ci_job_id 1592599768 1592599768
ci_pipeline_id 107538385 107538385
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-0-gfck6y8l 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-0-gfck6y8l 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 1 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 0 unstable metrics.

| scenario | Δ mean execution_time | candidate mean execution_time | baseline mean execution_time |
|---|---|---|---|
| scenario:dacapo:tomcat:appsec | better [-1.437ms; -1.091ms] or [-37.695%; -28.608%] | 2.549ms | 3.812ms |
Execution time for tomcat
[Gantt chart: tomcat - execution time [CI 0.99] : candidate=1.62.0-SNAPSHOT~85593a1b73, baseline=1.62.0-SNAPSHOT~da8bdd22c1; sections: baseline, candidate]
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.489 ms [1.477 ms, 1.5 ms] -
appsec 3.812 ms [3.592 ms, 4.033 ms] 2.324 ms (156.1%)
iast 2.274 ms [2.205 ms, 2.344 ms] 785.547 µs (52.8%)
iast_GLOBAL 2.32 ms [2.25 ms, 2.39 ms] 831.592 µs (55.9%)
profiling 2.116 ms [2.06 ms, 2.171 ms] 627.062 µs (42.1%)
tracing 2.077 ms [2.023 ms, 2.13 ms] 588.119 µs (39.5%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.486 ms [1.475 ms, 1.498 ms] -
appsec 2.549 ms [2.493 ms, 2.604 ms] 1.062 ms (71.5%)
iast 2.273 ms [2.203 ms, 2.342 ms] 786.603 µs (52.9%)
iast_GLOBAL 2.318 ms [2.249 ms, 2.388 ms] 832.093 µs (56.0%)
profiling 2.107 ms [2.052 ms, 2.163 ms] 620.948 µs (41.8%)
tracing 2.084 ms [2.03 ms, 2.138 ms] 597.302 µs (40.2%)
Execution time for biojava
[Gantt chart: biojava - execution time [CI 0.99] : candidate=1.62.0-SNAPSHOT~85593a1b73, baseline=1.62.0-SNAPSHOT~da8bdd22c1; sections: baseline, candidate]
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.05 s [15.05 s, 15.05 s] -
appsec 14.631 s [14.631 s, 14.631 s] -419.0 ms (-2.8%)
iast 18.674 s [18.674 s, 18.674 s] 3.624 s (24.1%)
iast_GLOBAL 18.367 s [18.367 s, 18.367 s] 3.317 s (22.0%)
profiling 15.575 s [15.575 s, 15.575 s] 525.0 ms (3.5%)
tracing 14.978 s [14.978 s, 14.978 s] -72.0 ms (-0.5%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.436 s [15.436 s, 15.436 s] -
appsec 15.245 s [15.245 s, 15.245 s] -191.0 ms (-1.2%)
iast 18.536 s [18.536 s, 18.536 s] 3.1 s (20.1%)
iast_GLOBAL 18.161 s [18.161 s, 18.161 s] 2.725 s (17.7%)
profiling 14.755 s [14.755 s, 14.755 s] -681.0 ms (-4.4%)
tracing 15.13 s [15.13 s, 15.13 s] -306.0 ms (-2.0%)

@jandro996 jandro996 force-pushed the alejandro.gonzalez/appsec-event-rules-277-file-upload-rules branch from 1055574 to 6b66dc2 Compare April 14, 2026 08:15
Ports two new rules from DataDog/appsec-event-rules#277:
- crs-944-140: detects JSP/JSPX script file uploads via server.request.body.filenames and x-filename headers
- dog-920-100: detects double-extension file uploads (e.g. file.php.jpg)
@jandro996 jandro996 force-pushed the alejandro.gonzalez/appsec-event-rules-277-file-upload-rules branch from abbfb13 to 85593a1 Compare April 14, 2026 09:26
@jandro996 jandro996 added this pull request to the merge queue Apr 14, 2026

dd-octo-sts bot commented Apr 14, 2026

/merge


gh-worker-devflow-routing-ef8351 bot commented Apr 14, 2026

View all feedbacks in Devflow UI.

2026-04-14 10:17:27 UTC ℹ️ Start processing command /merge


2026-04-14 10:17:31 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 2h (p90).


2026-04-14 11:22:08 UTC ℹ️ MergeQueue: This merge request was merged

@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Apr 14, 2026
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d bot merged commit 4521827 into master Apr 14, 2026
567 checks passed
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d bot deleted the alejandro.gonzalez/appsec-event-rules-277-file-upload-rules branch April 14, 2026 11:22
@github-actions github-actions bot added this to the 1.62.0 milestone Apr 14, 2026