Guard parsed-body instrumentation from raw Spring HttpMessageConverters (#9613)

What Does This Do
Skip publishing the requestBodyProcessed AppSec event when Spring’s HttpMessageConverters return raw payloads so only structured converters feed the parsed-body channel.

Add focused instrumentation tests proving that raw converters no longer publish parsed bodies while form conversion still does.

Extend the AppSec smoke test and controller with a custom rule and string-body endpoint to confirm the StringHttpMessageConverter path now completes without triggering the parsed-body WAF rule.

Motivation
Avoid false positives in WAF rules related with structured body processed like in escalation https://datadoghq.atlassian.net/browse/SCRS-1682

Author: jandro996

dd-java-agent/instrumentation/spring/spring-webmvc/spring-webmvc-3.1/src/main/java/datadog/trace/instrumentation/springweb/HttpMessageConverterInstrumentation.java

@@ -96,6 +96,7 @@ public void methodAdvice(MethodTransformer transformer) {
 
   @RequiresRequestContext(RequestContextSlot.APPSEC)
   public static class HttpMessageConverterReadAdvice {
+
     @Advice.OnMethodExit(suppress = Throwable.class, onThrowable = Throwable.class)
     public static void after(
         @Advice.Return final Object obj,
@@ -105,6 +106,17 @@ public static void after(
         return;
       }
 
+      // CharSequence or byte[] cannot be treated as parsed body content, as they may lead to false
+      // positives in the WAF rules.
+      // TODO: These types (CharSequence, byte[]) are candidates to being deserialized before being
+      // sent to the WAF once we implement that feature.
+      // Possible types received by this method include: String, byte[], various DTOs/POJOs,
+      // Collections (List, Map), Jackson JsonNode objects, XML objects, etc.
+      // We may need to add more types to this block list in the future.
+      if (obj instanceof CharSequence || obj instanceof byte[]) {
+        return;
+      }
+
       CallbackProvider cbp = AgentTracer.get().getCallbackProvider(RequestContextSlot.APPSEC);
       BiFunction<RequestContext, Object, Flow<Void>> callback =
           cbp.getCallback(EVENTS.requestBodyProcessed());

dd-java-agent/instrumentation/spring/spring-webmvc/spring-webmvc-3.1/src/test/groovy/datadog/trace/instrumentation/springweb/HttpMessageConverterInstrumentationTest.groovy

@@ -0,0 +1,93 @@
+package datadog.trace.instrumentation.springweb
+
+import datadog.trace.agent.test.InstrumentationSpecification
+import datadog.trace.api.gateway.Flow
+import datadog.trace.api.gateway.RequestContext
+import datadog.trace.api.gateway.RequestContextSlot
+import datadog.trace.bootstrap.instrumentation.api.AgentTracer
+import datadog.trace.bootstrap.instrumentation.api.TagContext
+import org.springframework.http.MediaType
+import org.springframework.http.converter.ByteArrayHttpMessageConverter
+import org.springframework.http.converter.FormHttpMessageConverter
+import org.springframework.http.converter.StringHttpMessageConverter
+import org.springframework.mock.http.MockHttpInputMessage
+import org.springframework.util.MultiValueMap
+
+import java.nio.charset.StandardCharsets
+import java.util.function.BiFunction
+
+import static datadog.trace.api.gateway.Events.EVENTS
+
+class HttpMessageConverterInstrumentationTest extends InstrumentationSpecification {
+
+  def scope
+  def ss = AgentTracer.get().getSubscriptionService(RequestContextSlot.APPSEC)
+  List<Object> publishedBodies = []
+
+  def setup() {
+    publishedBodies.clear()
+    TagContext ctx = new TagContext().withRequestContextDataAppSec(new Object())
+    def span = AgentTracer.startSpan('test-span', ctx)
+    scope = AgentTracer.activateSpan(span)
+
+    ss.registerCallback(EVENTS.requestBodyProcessed(), { RequestContext reqCtx, Object body ->
+      publishedBodies << body
+      Flow.ResultFlow.empty()
+    } as BiFunction<RequestContext, Object, Flow<Void>>)
+  }
+
+  def cleanup() {
+    ss.reset()
+    scope?.close()
+  }
+
+  void 'string http message converter does not publish parsed body event'() {
+    given:
+    def converter = new StringHttpMessageConverter()
+    def raw = '{"value":"example"}'
+    def message = new MockHttpInputMessage(raw.getBytes(StandardCharsets.UTF_8))
+    message.headers.contentType = MediaType.APPLICATION_JSON
+
+    when:
+    def result = converter.read(String, message)
+
+    then:
+    result == raw
+    publishedBodies.isEmpty()
+  }
+
+  void 'byte array http message converter does not publish parsed body event'() {
+    given:
+    def converter = new ByteArrayHttpMessageConverter()
+    def raw = '{"value":"bytes"}'.getBytes(StandardCharsets.UTF_8)
+    def message = new MockHttpInputMessage(raw)
+    message.headers.contentType = MediaType.APPLICATION_JSON
+
+    when:
+    def result = converter.read(byte[].class, message)
+
+    then:
+    Arrays.equals(result, raw)
+    publishedBodies.isEmpty()
+  }
+
+  void 'form converter continues to publish parsed body event'() {
+    given:
+    def converter = new FormHttpMessageConverter()
+    def raw = 'value=object&another=value2'
+    def message = new MockHttpInputMessage(raw.getBytes(StandardCharsets.UTF_8))
+    message.headers.contentType = MediaType.APPLICATION_FORM_URLENCODED
+
+    when:
+    def result = converter.read(MultiValueMap, message)
+
+    then:
+    result instanceof MultiValueMap
+    result.getFirst('value') == 'object'
+    result.getFirst('another') == 'value2'
+    publishedBodies.size() == 1
+    def published = publishedBodies[0] as MultiValueMap
+    published.getFirst('value') == 'object'
+    published.getFirst('another') == 'value2'
+  }
+}

dd-smoke-tests/appsec/springboot/src/main/java/datadog/smoketest/appsec/springboot/controller/WebController.java

@@ -55,6 +55,11 @@ public String requestBody(@RequestBody BodyMappedClass obj) {
     return obj.v;
   }
 
+  @PostMapping("/api_security/request-body-string")
+  public String requestBodyString(@RequestBody String body) {
+    return body;
+  }
+
   @GetMapping("/sqli/query")
   public String sqliQuery(@RequestParam("id") String id) throws Exception {
     Connection conn = DriverManager.getConnection("jdbc:h2:mem:testdb", "sa", "");

dd-smoke-tests/appsec/springboot/src/test/groovy/datadog/smoketest/appsec/AppSecHttpMessageConverterSmokeTest.groovy

@@ -17,10 +17,37 @@ class AppSecHttpMessageConverterSmokeTest extends AbstractAppSecServerSmokeTest
 
   @Override
   ProcessBuilder createProcessBuilder() {
+    String customRulesPath = "${buildDirectory}/tmp/appsec_http_message_converter_rules.json"
+    mergeRules(
+      customRulesPath,
+      [
+        [
+          id          : '__test_string_http_message_converter',
+          name        : 'test rule for string http message converter',
+          tags        : [
+            type      : 'test',
+            category  : 'test',
+            confidence: '1',
+          ],
+          conditions  : [
+            [
+              parameters: [
+                inputs: [[address: 'server.request.body']],
+                regex : 'dd-test-http-message-converter',
+              ],
+              operator  : 'match_regex',
+            ]
+          ],
+          transformers: [],
+          on_match    : ['block']
+        ]
+      ])
+
     String springBootShadowJar = System.getProperty("datadog.smoketest.appsec.springboot.shadowJar.path")
 
     List<String> command = new ArrayList<>()
     command.add(javaPath())
+    //    command.add("-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=5005")
     command.addAll(defaultJavaProperties)
     command.addAll(defaultAppSecProperties)
     command.addAll((String[]) [
@@ -63,6 +90,32 @@ class AppSecHttpMessageConverterSmokeTest extends AbstractAppSecServerSmokeTest
     assert schema == [["main": [[[["key": [8], "value": [16]]]], ["len": 2]], "nullable": [1]]]
   }
 
+  void 'string http message converter raw body does not trigger parsed body rule'() {
+    given:
+    def url = "http://localhost:${httpPort}/api_security/request-body-string"
+    def rawBody = '{"value":"dd-test-http-message-converter"}'
+    def request = new Request.Builder()
+      .url(url)
+      .post(RequestBody.create(MediaType.get('application/json'), rawBody))
+      .build()
+
+    when:
+    final response = client.newCall(request).execute()
+
+    then:
+    response.code() == 200
+    response.body().string() == rawBody
+
+    when:
+    waitForTraceCount(1)
+
+    then:
+    def spanWithTrigger = rootSpans.find { span ->
+      (span.triggers ?: []).any { it['rule']['id'] == '__test_string_http_message_converter' }
+    }
+    assert spanWithTrigger == null
+  }
+
   private static byte[] unzip(final String text) {
     final inflaterStream = new GZIPInputStream(new ByteArrayInputStream(text.decodeBase64()))
     return inflaterStream.getBytes()