Alejandro González García

Maybe we must discuss if we have to instrument this methods that are not available in this PR `append(char[])` `append(char[] str, int offset, int len)` `append(CharSequence s, int start, int ...

We decide to split this PR as many changes belong to application vulnerabilities instead of session rewriting. There is no need to review it right now

All changes reviewed to avoid logging at error level

Blocked! At this momento WAF shell injection detection rule available has been designed to specifically target functions which are explicitly or implicitly calling a shell such as /bin/sh or otherwise...

Correct me if I'm wrong but I think that SsrfModule#onURLConnection(@Nullable String url, @Nullable Object host, @Nullable Object uri) is not used anymore with these changes, so it's better to remove...

LGTM! but please check the build, it seems that datadog.trace.api.iast.util.PropagationUtils is not passing the test coverage job

Looks good! I updated the title of the PR because you’re solving the problem for both request and response.

> 🎯 Code Coverage• **Patch Coverage**: 68.99%• **Total Coverage**: 59.63% (-0.22%) [View detailed report](https://app.datadoghq.com/ci/code-coverage/github.com%2Fdatadog%2Fdd-trace-java/pull-requests/9553) > > This comment will be updated automatically if new data arrives. > 🔗 Commit SHA:...