Jetty leaking out of :dd-java-agent:testing (#10218)

* fix: Workaround for :dd-java-agent:testing coming with a more recent version of jetty

* fix: Proper shadowing of jetty in agent-testing

* chore: lockfiles

* fix: jsp instrumentation needlessly requiring jetty http status

* fix: Exports servlet request api

This was lost when jetty server got shadowed.

* fix: Use config lazy API

* chore: Make spotless happy

* fix: Replaces testing http client by raw jetty in Apache Http Client instrumentation

Now that :dd-java-agent:testing shadows jetty, the jetty instrumentation was not applied.

* chore: Make spotless happy

Author: bric3

dd-java-agent/instrumentation/apache-httpclient/apache-httpclient-4.0/build.gradle

@@ -39,9 +39,12 @@ dependencies {
   // to instrument the integration test
   iastIntegrationTestImplementation project(':dd-java-agent:agent-iast:iast-test-fixtures')
   iastIntegrationTestImplementation group: 'org.apache.httpcomponents', name: 'httpclient', version: '4.0'
-  iastIntegrationTestRuntimeOnly(project(':dd-java-agent:instrumentation:jetty:jetty-server:jetty-server-9.0'))
+  // Provide real (non-shadowed) jetty for the test server bootstrap
+  iastIntegrationTestImplementation group: 'org.eclipse.jetty', name: 'jetty-server', version: '9.4.56.v20240826'
+  iastIntegrationTestImplementation group: 'org.eclipse.jetty', name: 'jetty-servlet', version: '9.4.56.v20240826'
   iastIntegrationTestRuntimeOnly(project(':dd-java-agent:instrumentation:apache-httpcore:apache-httpcore-4.0'))
   iastIntegrationTestRuntimeOnly(project(':dd-java-agent:instrumentation:servlet:javax-servlet:javax-servlet-common'))
+  iastIntegrationTestRuntimeOnly(project(':dd-java-agent:instrumentation:jetty:jetty-server:jetty-server-9.0'))
   iastIntegrationTestRuntimeOnly(project(':dd-java-agent:instrumentation:java:java-lang:java-lang-1.8'))
   iastIntegrationTestRuntimeOnly(project(':dd-java-agent:instrumentation:java:java-net:java-net-1.8'))
   iastIntegrationTestRuntimeOnly project(':dd-java-agent:instrumentation:iast-instrumenter')

dd-java-agent/instrumentation/apache-httpclient/apache-httpclient-4.0/src/iastIntegrationTest/groovy/IastHttpClientIntegrationTest.groovy

@@ -5,10 +5,16 @@ import datadog.trace.agent.test.base.HttpServer
 import foo.bar.VulnerableUrlBuilder
 import okhttp3.HttpUrl
 import okhttp3.Request
+import org.eclipse.jetty.server.Server
+import org.eclipse.jetty.server.ServerConnector
+import org.eclipse.jetty.servlet.ServletContextHandler
+import org.eclipse.jetty.servlet.ServletHolder
 
-import static datadog.trace.agent.test.server.http.TestHttpServer.httpServer
+import javax.servlet.http.HttpServlet
+import javax.servlet.http.HttpServletRequest
+import javax.servlet.http.HttpServletResponse
 
-class IastHttpClientIntegrationTest extends IastHttpServerTest<HttpServer> {
+class IastHttpClientIntegrationTest extends IastHttpServerTest<Server> {
 
   static final CLIENTS = [
     'org.apache.http.impl.client.AutoRetryHttpClient',
@@ -20,28 +26,58 @@ class IastHttpClientIntegrationTest extends IastHttpServerTest<HttpServer> {
   @Override
   HttpServer server() {
     final controller = new SsrfController()
-    return httpServer {
-      handlers {
-        prefix('/ssrf/execute') {
-          final msg = controller.apacheSsrf(
-          VulnerableUrlBuilder.url(request),
-          (String) request.getParameter('clientClassName'),
-          (String) request.getParameter('method'),
-          (String) request.getParameter('requestType'),
-          (String) request.getParameter('scheme')
-          )
-          response.status(200).send(msg)
-        }
+
+    // Use _raw_ jetty API, so the jetty instrumentation is applied
+    // (the :dd-java-agent:testing has a shadowed jetty server.)
+    return new HttpServer() {
+      Server jettyServer
+      int port
+
+      @Override
+      void start() {
+        jettyServer = new Server(0) // 0 = random port
+
+        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS)
+        context.setContextPath('/')
+        jettyServer.setHandler(context)
+
+        // Add servlet for the /ssrf/execute endpoint
+        context.addServlet(new ServletHolder(new HttpServlet() {
+          @Override
+          protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
+            final msg = controller.apacheSsrf(
+            VulnerableUrlBuilder.url(req),
+            req.getParameter('clientClassName'),
+            req.getParameter('method'),
+            req.getParameter('requestType'),
+            req.getParameter('scheme')
+            )
+            resp.setStatus(200)
+            resp.writer.write(msg)
+          }
+        }), '/ssrf/execute')
+
+        jettyServer.start()
+        port = ((ServerConnector) jettyServer.connectors[0]).localPort
       }
-    }.asHttpServer()
+
+      @Override
+      void stop() {
+        jettyServer?.stop()
+      }
+
+      @Override
+      URI address() {
+        return new URI("http://localhost:${port}/")
+      }
+    }
   }
 
   void 'ssrf is present: #suite'() {
     setup:
     final url = suite.url(address)
     final request = new Request.Builder().url(url).get().build()
 
-
     when:
     def response = client.newCall(request).execute()
 
@@ -52,6 +88,9 @@ class IastHttpClientIntegrationTest extends IastHttpServerTest<HttpServer> {
     assert to != null
     hasVulnerability(vul -> vul.type == VulnerabilityType.SSRF && suite.evidenceMatches(vul.evidence))
 
+    cleanup:
+    response?.close()
+
     where:
     suite << createTestSuite()
   }
@@ -129,7 +168,7 @@ class IastHttpClientIntegrationTest extends IastHttpServerTest<HttpServer> {
   }
 
   private static enum TaintedTarget {
-    URL{
+    URL {
       void addTainted(HttpUrl.Builder builder, TestSuite suite) {
         builder.addQueryParameter('url', suite.scheme + '://inexistent/test?1=1')
       }
@@ -138,7 +177,7 @@ class IastHttpClientIntegrationTest extends IastHttpServerTest<HttpServer> {
         return assertTainted(evidence, 'url', suite.scheme + '://inexistent/test?1=1')
       }
     },
-    SCHEME{
+    SCHEME {
       void addTainted(HttpUrl.Builder builder, TestSuite suite) {
         // already added by the test
       }
@@ -147,7 +186,7 @@ class IastHttpClientIntegrationTest extends IastHttpServerTest<HttpServer> {
         return assertTainted(evidence, 'scheme', suite.scheme)
       }
     },
-    HOST{
+    HOST {
       void addTainted(HttpUrl.Builder builder, TestSuite suite) {
         builder.addQueryParameter('host', 'inexistent')
       }
@@ -156,7 +195,7 @@ class IastHttpClientIntegrationTest extends IastHttpServerTest<HttpServer> {
         return assertTainted(evidence, 'host', 'inexistent')
       }
     },
-    PATH{
+    PATH {
       void addTainted(HttpUrl.Builder builder, TestSuite suite) {
         builder.addQueryParameter('path', '/test')
       }
@@ -165,7 +204,7 @@ class IastHttpClientIntegrationTest extends IastHttpServerTest<HttpServer> {
         return assertTainted(evidence, 'path', '/test')
       }
     },
-    QUERY{
+    QUERY {
       void addTainted(HttpUrl.Builder builder, TestSuite suite) {
         builder.addQueryParameter('query', '?1=1')
       }

dd-java-agent/instrumentation/apache-httpclient/apache-httpclient-4.0/src/iastIntegrationTest/java/foo/bar/VulnerableUrlBuilder.java

@@ -1,28 +1,28 @@
 package foo.bar;
 
-import datadog.trace.agent.test.server.http.TestHttpServer.HandlerApi.RequestApi;
+import javax.servlet.http.HttpServletRequest;
 
 /** Class to be instrumented by IAST call sites containing methods to work with urls */
 public abstract class VulnerableUrlBuilder {
 
   private VulnerableUrlBuilder() {}
 
-  public static String url(RequestApi request) {
-    final String url = (String) request.getParameter("url");
+  public static String url(HttpServletRequest request) {
+    final String url = request.getParameter("url");
     if (url != null) {
       return url;
     }
-    final String scheme = (String) request.getParameter("scheme");
+    final String scheme = request.getParameter("scheme");
     final boolean https = "https".equals(scheme);
-    final String host = (String) request.getParameter("host");
+    final String host = request.getParameter("host");
     if (host != null) {
       return (https ? "https://" : "http://") + host + "/test?1=1";
     }
-    final String path = (String) request.getParameter("path");
+    final String path = request.getParameter("path");
     if (path != null) {
       return (https ? "https://inexistent/" : "http://inexistent/") + path + "?1=1";
     }
-    final String query = (String) request.getParameter("query");
+    final String query = request.getParameter("query");
     if (query != null) {
       return (https ? "https://inexistent/test" : "http://inexistent/test") + query;
     }

dd-java-agent/instrumentation/dropwizard/build.gradle

@@ -6,11 +6,6 @@ dependencies {
   testImplementation project(':dd-java-agent:instrumentation:rs:jax-rs:jax-rs-annotations:jax-rs-annotations-2')
   testImplementation project(':dd-java-agent:instrumentation:servlet:javax-servlet:javax-servlet-3.0')
 
-  // Don't want to conflict with jetty from the test server.
-  testImplementation(project(':dd-java-agent:instrumentation-testing')) {
-    exclude group: 'org.eclipse.jetty', module: 'jetty-server'
-  }
-
   // First version with DropwizardTestSupport:
   testImplementation group: 'io.dropwizard', name: 'dropwizard-testing', version: '0.8.0'
   testImplementation group: 'javax.xml.bind', name: 'jaxb-api', version: '2.2.3'

dd-java-agent/instrumentation/jetty/jetty-client/jetty-client-9.1/build.gradle

@@ -51,13 +51,10 @@ dependencies {
   implementation(project(':dd-java-agent:instrumentation:jetty:jetty-client:jetty-client-common')) {
     transitive = false
   }
-  testImplementation(project(':dd-java-agent:instrumentation-testing')) {
-    // explicitly declared below.
-    exclude group: 'org.eclipse.jetty'
-  }
   testImplementation project(':dd-java-agent:instrumentation:jetty:jetty-util-9.4.31')
   testImplementation group: 'org.eclipse.jetty', name: 'jetty-client', version: '9.1.0.v20131115'
   testImplementation group: 'org.eclipse.jetty', name: 'jetty-server', version: '9.1.0.v20131115'
+
   latestDepTestImplementation group: 'org.eclipse.jetty', name: 'jetty-client', version: '9.+'
   latestDepTestImplementation group: 'org.eclipse.jetty', name: 'jetty-server', version: '9.+'
 }

dd-java-agent/instrumentation/jetty/jetty-client/jetty-client-9.1/gradle.lockfile

@@ -82,8 +82,7 @@ org.eclipse.jetty:jetty-http:9.1.0.v20131115=compileClasspath,testCompileClasspa
 org.eclipse.jetty:jetty-http:9.4.58.v20250814=latestDepTestCompileClasspath,latestDepTestRuntimeClasspath
 org.eclipse.jetty:jetty-io:9.1.0.v20131115=compileClasspath,testCompileClasspath,testRuntimeClasspath
 org.eclipse.jetty:jetty-io:9.4.58.v20250814=latestDepTestCompileClasspath,latestDepTestRuntimeClasspath
-org.eclipse.jetty:jetty-server:9.1.0.v20131115=testCompileClasspath,testRuntimeClasspath
-org.eclipse.jetty:jetty-server:9.4.58.v20250814=latestDepTestCompileClasspath,latestDepTestRuntimeClasspath
+org.eclipse.jetty:jetty-server:9.1.0.v20131115=latestDepTestCompileClasspath,latestDepTestRuntimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.eclipse.jetty:jetty-util:9.1.0.v20131115=compileClasspath,testCompileClasspath,testRuntimeClasspath
 org.eclipse.jetty:jetty-util:9.4.58.v20250814=latestDepTestCompileClasspath,latestDepTestRuntimeClasspath
 org.gmetrics:GMetrics:2.1.0=codenarc

dd-java-agent/instrumentation/jetty/jetty-server/jetty-server-9.0.4/build.gradle

@@ -17,10 +17,6 @@ dependencies {
   implementation project(":dd-java-agent:instrumentation:jetty:jetty-server:jetty-server-9.0")
   compileOnly group: 'org.eclipse.jetty', name: 'jetty-server', version: '9.0.4.v20130625'
 
-  // Don't want to conflict with jetty from the test server.
-  testImplementation(project(':dd-java-agent:instrumentation-testing')) {
-    exclude group: 'org.eclipse.jetty', module: 'jetty-server'
-  }
   testImplementation project(':dd-java-agent:instrumentation:jetty:jetty-util-9.4.31')
 
   testImplementation group: 'org.eclipse.jetty', name: 'jetty-server', version: '9.0.4.v20130625'

dd-java-agent/instrumentation/jetty/jetty-server/jetty-server-9.0/build.gradle

@@ -26,10 +26,7 @@ dependencies {
   testFixturesImplementation(project(':dd-java-agent:instrumentation-testing')) {
     exclude group: 'org.eclipse.jetty', module: 'jetty-server'
   }
-  // Don't want to conflict with jetty from the test server.
-  testImplementation(project(':dd-java-agent:instrumentation-testing')) {
-    exclude group: 'org.eclipse.jetty', module: 'jetty-server'
-  }
+
   testImplementation project(':dd-java-agent:instrumentation:jetty:jetty-util-9.4.31')
 
   String jetty9Version = '9.0.0.v20130308'

dd-java-agent/instrumentation/jsp-2.3/src/test/groovy/JSPInstrumentationBasicTests.groovy

@@ -6,7 +6,6 @@ import okhttp3.Request
 import okhttp3.RequestBody
 import okhttp3.Response
 import org.apache.jasper.JasperException
-import org.eclipse.jetty.http.HttpStatus
 
 class JSPInstrumentationBasicTests extends JSPTestBase {
   def "non-erroneous GET #test test"() {
@@ -72,7 +71,7 @@ class JSPInstrumentationBasicTests extends JSPTestBase {
         }
       }
     }
-    res.code() == HttpStatus.OK_200
+    res.code() == HTTP_OK
 
     cleanup:
     res.close()
@@ -149,7 +148,7 @@ class JSPInstrumentationBasicTests extends JSPTestBase {
         }
       }
     }
-    res.code() == HttpStatus.OK_200
+    res.code() == HTTP_OK
 
     cleanup:
     res.close()
@@ -222,7 +221,7 @@ class JSPInstrumentationBasicTests extends JSPTestBase {
         }
       }
     }
-    res.code() == HttpStatus.OK_200
+    res.code() == HTTP_OK
 
     cleanup:
     res.close()
@@ -305,7 +304,7 @@ class JSPInstrumentationBasicTests extends JSPTestBase {
         }
       }
     }
-    res.code() == HttpStatus.INTERNAL_SERVER_ERROR_500
+    res.code() == HTTP_INTERNAL_ERROR
 
     cleanup:
     res.close()
@@ -380,7 +379,7 @@ class JSPInstrumentationBasicTests extends JSPTestBase {
         }
       }
     }
-    res.code() == HttpStatus.OK_200
+    res.code() == HTTP_OK
 
     cleanup:
     res.close()
@@ -503,7 +502,7 @@ class JSPInstrumentationBasicTests extends JSPTestBase {
         }
       }
     }
-    res.code() == HttpStatus.OK_200
+    res.code() == HTTP_OK
 
     cleanup:
     res.close()
@@ -561,7 +560,7 @@ class JSPInstrumentationBasicTests extends JSPTestBase {
         }
       }
     }
-    res.code() == HttpStatus.INTERNAL_SERVER_ERROR_500
+    res.code() == HTTP_INTERNAL_ERROR
 
     cleanup:
     res.close()
@@ -581,7 +580,7 @@ class JSPInstrumentationBasicTests extends JSPTestBase {
     Response res = client.newCall(req).execute()
 
     then:
-    res.code() == HttpStatus.OK_200
+    res.code() == HTTP_OK
     assertTraces(1) {
       trace(1) {
         span {

dd-java-agent/instrumentation/jsp-2.3/src/test/groovy/JSPInstrumentationForwardTests.groovy

@@ -3,7 +3,6 @@ import datadog.trace.bootstrap.instrumentation.api.Tags
 import okhttp3.Request
 import okhttp3.Response
 import org.apache.jasper.JasperException
-import org.eclipse.jetty.http.HttpStatus
 
 class JSPInstrumentationForwardTests extends JSPTestBase {
   def "non-erroneous GET forward to #forwardTo"() {
@@ -97,7 +96,7 @@ class JSPInstrumentationForwardTests extends JSPTestBase {
         }
       }
     }
-    res.code() == HttpStatus.OK_200
+    res.code() == HTTP_OK
 
     cleanup:
     res.close()
@@ -171,7 +170,7 @@ class JSPInstrumentationForwardTests extends JSPTestBase {
         }
       }
     }
-    res.code() == HttpStatus.OK_200
+    res.code() == HTTP_OK
 
     cleanup:
     res.close()
@@ -324,7 +323,7 @@ class JSPInstrumentationForwardTests extends JSPTestBase {
         }
       }
     }
-    res.code() == HttpStatus.OK_200
+    res.code() == HTTP_OK
 
     cleanup:
     res.close()
@@ -449,7 +448,7 @@ class JSPInstrumentationForwardTests extends JSPTestBase {
         }
       }
     }
-    res.code() == HttpStatus.OK_200
+    res.code() == HTTP_OK
 
     cleanup:
     res.close()
@@ -535,7 +534,7 @@ class JSPInstrumentationForwardTests extends JSPTestBase {
         }
       }
     }
-    res.code() == HttpStatus.INTERNAL_SERVER_ERROR_500
+    res.code() == HTTP_INTERNAL_ERROR
 
     cleanup:
     res.close()
@@ -604,7 +603,7 @@ class JSPInstrumentationForwardTests extends JSPTestBase {
         }
       }
     }
-    res.code() == HttpStatus.NOT_FOUND_404
+    res.code() == HTTP_NOT_FOUND
 
     cleanup:
     res.close()