feat(crashtracking): Redact args after agentlib and javaagent

bric3 · bric3 · commit 8844be33a34c · 2026-04-03T10:18:23.000+02:00
diff --git a/dd-java-agent/agent-crashtracking/src/main/java/datadog/crashtracking/parsers/RuntimeArgs.java b/dd-java-agent/agent-crashtracking/src/main/java/datadog/crashtracking/parsers/RuntimeArgs.java
@@ -62,11 +62,13 @@ private static List<String> filterArgs(List<String> args) {
       if (arg == null || arg.isEmpty()) {
         continue;
       }
-      if (isAllowedSystemProperty(arg)
-          || arg.startsWith("-javaagent:")
-          || arg.startsWith("-agentlib:")
-          || arg.startsWith("-X")
-          || isModuleOrNativeAccessOption(arg)) {
+      if (isAllowedSystemProperty(arg)) {
+        filtered.add(arg);
+      } else if (arg.startsWith("-javaagent:") || arg.startsWith("-agentlib:")) {
+        // Redact options after '=' — only the jar path / library name is sent
+        int eq = arg.indexOf('=', arg.indexOf(':') + 1);
+        filtered.add(eq >= 0 ? arg.substring(0, eq) + "=REDACTED" : arg);
+      } else if (arg.startsWith("-X") || isModuleOrNativeAccessOption(arg)) {
         filtered.add(arg);
       }
     }
diff --git a/dd-java-agent/agent-crashtracking/src/test/java/datadog/crashtracking/parsers/RuntimeArgsTest.java b/dd-java-agent/agent-crashtracking/src/test/java/datadog/crashtracking/parsers/RuntimeArgsTest.java
@@ -43,12 +43,16 @@ public void testParseVmArgsHotspotArgs(String resource, boolean isIncluded, Stri
   }
 
   @TableTest({
-    "scenario               | raw                                                   | expectedIncluded                                 ",
-    "quoted onerror unix    | -XX:OnError=\"gcore %p;gdb -p %p\"                    | -XX:OnError=gcore %p;gdb -p %p                   ",
-    "quoted onerror windows | -XX:OnError=\"userdump.exe %p\"                       | -XX:OnError=userdump.exe %p                      ",
-    "quoted module path     | --module-path \"/opt/app-modules:/opt/other-modules\" | --module-path /opt/app-modules:/opt/other-modules"
+    "scenario                   | raw                                                   | expectedIncluded                                 ",
+    "quoted onerror unix        | -XX:OnError=\"gcore %p;gdb -p %p\"                    | -XX:OnError=gcore %p;gdb -p %p                   ",
+    "quoted onerror windows     | -XX:OnError=\"userdump.exe %p\"                       | -XX:OnError=userdump.exe %p                      ",
+    "quoted module path         | --module-path \"/opt/app-modules:/opt/other-modules\" | --module-path /opt/app-modules:/opt/other-modules",
+    "javaagent without options  | -javaagent:/opt/dd-java-agent.jar                     | -javaagent:/opt/dd-java-agent.jar                ",
+    "javaagent options redacted | -javaagent:/opt/dd-java-agent.jar=apikey=deadbeef     | -javaagent:/opt/dd-java-agent.jar=REDACTED       ",
+    "agentlib without options   | -agentlib:jdwp                                        | -agentlib:jdwp                                   ",
+    "agentlib options redacted  | -agentlib:jdwp=transport=dt_socket,server=y           | -agentlib:jdwp=REDACTED                          "
   })
-  public void testParseVmArgsHandlesQuotedArguments(String raw, String expectedIncluded) {
+  public void testParseVmArgsHandlesArgNormalization(String raw, String expectedIncluded) {
     List<String> runtimeArgs = RuntimeArgs.parseVmArgs(raw);
 
     assertThat(runtimeArgs).isNotNull().contains(expectedIncluded);
@@ -60,7 +64,7 @@ public void testParseVmArgsHandlesQuotedArguments(String raw, String expectedInc
     "sun token excluded          | -Dsun.auth.token=abc123           | false      | -Dsun.auth.token=abc123          ",
     "dd api key excluded         | -Ddd.api-key=deadbeef             | false      | -Ddd.api-key=deadbeef            ",
     "dd app key excluded         | -Ddd.app-key=deadbeef             | false      | -Ddd.app-key=deadbeef            ",
-    "dd application key excluded | -Ddd.application-key=deadbeef    | false      | -Ddd.application-key=deadbeef   ",
+    "dd application key excluded | -Ddd.application-key=deadbeef     | false      | -Ddd.application-key=deadbeef    ",
     "java logging kept           | -Djava.util.logging.config.file=x | true       | -Djava.util.logging.config.file=x",
     "osgi install kept           | -Dosgi.install.area=/opt/app      | true       | -Dosgi.install.area=/opt/app     "
   })

Original file line number	Diff line number	Diff line change
`@@ -62,11 +62,13 @@ private static List<String> filterArgs(List<String> args) {`
`62`	`62`	`if (arg == null \|\| arg.isEmpty()) {`
`63`	`63`	`continue;`
`64`	`64`	`}`
`65`		`- if (isAllowedSystemProperty(arg)`
`66`		`- \|\| arg.startsWith("-javaagent:")`
`67`		`- \|\| arg.startsWith("-agentlib:")`
`68`		`- \|\| arg.startsWith("-X")`
`69`		`- \|\| isModuleOrNativeAccessOption(arg)) {`
	`65`	`+ if (isAllowedSystemProperty(arg)) {`
	`66`	`+ filtered.add(arg);`
	`67`	`+ } else if (arg.startsWith("-javaagent:") \|\| arg.startsWith("-agentlib:")) {`
	`68`	`+ // Redact options after '=' — only the jar path / library name is sent`
	`69`	`+ int eq = arg.indexOf('=', arg.indexOf(':') + 1);`
	`70`	`+ filtered.add(eq >= 0 ? arg.substring(0, eq) + "=REDACTED" : arg);`
	`71`	`+ } else if (arg.startsWith("-X") \|\| isModuleOrNativeAccessOption(arg)) {`
`70`	`72`	`filtered.add(arg);`
`71`	`73`	`}`
`72`	`74`	`}`