Add server.request.body.files_content AppSec address for Akka HTTP

[jandro996]

What Does This Do

Extends the Akka HTTP AppSec instrumentation to dispatch the `server.request.body.files_content` WAF address for multipart file uploads.

• Adds `contentCallback` (`EVENTS.requestFilesContent()`) to both multipart parsing routes in `UnmarshallerHelpers`:
  • `handleMultipartStrictFormData` — used by the `entity(as[Multipart.FormData.Strict])` / strict unmarshaller variant
  • `handleStrictFormData` — used by the `formFieldMultiMap` / `entity(as[StrictForm])` default route
• Per-part file content is read via `ByteString.getData().take(MAX_CONTENT_BYTES).toArray()` to avoid allocating the full file in memory
• Content is decoded using `MultipartContentDecoder.decodeBytes()` (introduced in Fix charset decoding for server.request.body.files_content in commons-fileupload #11212), with the correct `ContentType` API per route:
  • Route 1 (Java API): `entity.getContentType().toString()`
  • Route 2 (Scala API): `sentity.contentType().toString()`
• `MAX_CONTENT_BYTES` and `MAX_FILES_TO_INSPECT` read from `Config.get()` (not hardcoded)
• Dispatch follows the established sequential ordering: body and filenames always fire; `files_content` fires only if neither prior callback blocked the request
• Hoists `reqCtx` in `handleStrictFormData` so it is shared by both the filenames and content dispatch blocks
• Skips body decoding in `handleStrictFormData` when body callback is absent (avoids full-file string allocation for content-only subscribers)
• Adds `testBodyFilesContent()` overrides in `akka-http-10.0` and `akka-http-10.6` test modules: `true` for async/bind variants, `false` for sync variants that do not process body

Motivation

Part of APPSEC-61875: extending `server.request.body.files_content` WAF address support across Java frameworks. Akka HTTP already has `server.request.body.filenames` support since #11173; this PR adds the content counterpart following the same pattern established in #11198 (Tomcat + Netty) and #11229 (Jersey + RESTEasy).

Additional Notes

`akka-http-10.6` tests require an Akka commercial repository token (`akkaRepositoryToken`) which is only available in CI. Local test runs cover `akka-http-10.0` only.

Contributor Checklist

• Format the title according to the contribution guidelines
• Assign the `type:` and (`comp:` or `inst:`) labels in addition to any other useful labels
• Avoid using `close`, `fix`, or any linking keywords when referencing an issue
  Use `solves` instead, and assign the PR milestone to the issue
• Update the CODEOWNERS file on source file addition, migration, or deletion
• Update public documentation with any new configuration flags or behaviors

Jira ticket: APPSEC-61875

Note: Once your PR is ready to merge, add it to the merge queue by commenting `/merge`. `/merge -c` cancels the queue request. `/merge -f --reason "reason"` skips all merge queue checks; please use this judiciously, as some checks do not run at the PR-level. For more information, see this doc.

[jandro996]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ace3f1abca

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".