Fix ObjectIntrospection exposing JDK internal toString() to the WAF

Author: jandro996

dd-java-agent/appsec/src/main/java/com/datadog/appsec/event/data/ObjectIntrospection.java

@@ -303,10 +303,13 @@ private static Object doConversion(Object obj, int depth, State state) {
             // TODO: Use invalid object
           }
         } else {
-          // One of fields is inaccessible, might be it's Strongly Encapsulated Internal class
-          // consider it as integral object without introspection
-          // TODO: Use invalid object
-          return obj.toString();
+          // This field is inaccessible (Strongly Encapsulated Internal class on Java 9+).
+          // Skip it and continue with the remaining fields — other accessible fields on the
+          // same object may still contain useful data for WAF inspection. Do NOT call
+          // obj.toString() here: JDK internal toString() representations (e.g.
+          // "class java.lang.Object") can match legitimate WAF phrase_match rules and
+          // produce false positives (e.g. crs-944-130 java_code_injection).
+          continue;
         }
       }
     }

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/event/data/ObjectIntrospectionSpecification.groovy

@@ -164,7 +164,9 @@ class ObjectIntrospectionSpecification extends DDSpecification {
   void 'max number of elements is honored'() {
     setup:
     def m = [:]
-    128.times { m[it] = 'b' }
+    128.times {
+      m[it] = 'b'
+    }
 
     when:
     def result1 = convert([['a'] * 255], ctx)[0]
@@ -184,7 +186,9 @@ class ObjectIntrospectionSpecification extends DDSpecification {
     // Build a nested array 22 levels deep
     Object[] objArray = new Object[1]
     def p = objArray
-    22.times { p = p[0] = new Object[1] }
+    22.times {
+      p = p[0] = new Object[1]
+    }
 
     when:
     // Invoke conversion with context
@@ -208,7 +212,9 @@ class ObjectIntrospectionSpecification extends DDSpecification {
     // Build a nested list 22 levels deep
     def list = []
     def p = list
-    22.times { p << []; p = p[0] }
+    22.times {
+      p << []; p = p[0]
+    }
 
     when:
     // Invoke conversion with context
@@ -232,7 +238,9 @@ class ObjectIntrospectionSpecification extends DDSpecification {
     // Build a nested map 22 levels deep under key 'a'
     def map = [:]
     def p = map
-    22.times { p['a'] = [:]; p = p['a'] }
+    22.times {
+      p['a'] = [:]; p = p['a']
+    }
 
     when:
     // Invoke conversion with context
@@ -413,7 +421,9 @@ class ObjectIntrospectionSpecification extends DDSpecification {
     setup:
     // Create deeply nested JSON
     final json = JsonOutput.toJson(
-    (1..(MAX_DEPTH + 1)).inject([:], { result, i -> [("child_$i".toString()) : result] })
+    (1..(MAX_DEPTH + 1)).inject([:], {
+      result, i -> [("child_$i".toString()) : result]
+    })
     )
 
     when:
@@ -478,6 +488,39 @@ class ObjectIntrospectionSpecification extends DDSpecification {
     MAPPER.readTree('"unicode: \\u0041"')          || 'unicode: A'
   }
 
+  void 'objects with inaccessible JDK fields skip those fields rather than expose toString()'() {
+    given: '''An object with two fields: one normal, one holding a java.lang.ref.SoftReference.
+             java.lang.ref is NOT opened in the test JVM (only java.lang and java.util are),
+             so trySetAccessible() returns false for SoftReference's own fields on Java 9+.
+
+             Bug: ObjectIntrospection fell back to obj.toString() when any field was inaccessible,
+             exposing internal JDK string representations to the WAF and discarding all other
+             accessible fields on the same object. For example, java.lang.Class.toString() produces
+             "class java.lang.Object" which matches WAF phrase_match rule crs-944-130
+             (java_code_injection) — a false positive causing a CPU spike.
+
+             Fix: skip inaccessible fields (continue) instead of aborting the whole object.
+             Accessible fields on the same object are still reported to the WAF.'''
+    def input = new WrapperWithSoftRef()
+
+    when:
+    def result = convert(input, ctx) as Map
+
+    then:
+    // The accessible field 'name' must be preserved
+    result['name'] == 'test'
+    // The inaccessible-field object must NOT expose toString() — it should be an empty Map
+    // (all fields of java.lang.ref.SoftReference/Reference are inaccessible without --add-opens)
+    // Before fix: result['ref'] == "java.lang.ref.SoftReference@..." (false WAF positive)
+    // After fix:  result['ref'] == [:] (empty map — object present, no accessible fields)
+    result['ref'] == [:]
+  }
+
+  static class WrapperWithSoftRef {
+    String name = 'test'
+    java.lang.ref.SoftReference<String> ref = new java.lang.ref.SoftReference<>("test")
+  }
+
   void 'iterable json objects'() {
     setup:
     final map = [name: 'This is just a test', list: [1, 2, 3, 4, 5]]