dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/event/data/ObjectIntrospectionSpecification.groovy
9 additions & 6 deletions
@@ -507,13 +507,16 @@ class ObjectIntrospectionSpecification extends DDSpecification {
507
507
def result = convert(input, ctx) asMap
508
508
509
509
then:
510
-
// The accessible field 'name' must be preserved
510
+
// The accessible field 'name' must be preserved regardless of JVM version
511
511
result['name'] =='test'
512
-
// The inaccessible-field object must NOT expose toString() — it should be an empty Map
513
-
// (all fields of java.lang.ref.SoftReference/Reference are inaccessible without --add-opens)
514
-
// Before fix: result['ref'] == "java.lang.ref.SoftReference@..." (false WAF positive)
515
-
// After fix: result['ref'] == [:] (empty map — object present, no accessible fields)
516
-
result['ref'] == [:]
512
+
// The inaccessible-field object must NOT expose toString() to the WAF.
513
+
// On JDK 8 and JDK 9-15 (--illegal-access=permit default), java.lang.ref fields are
514
+
// accessible so result['ref'] is a non-empty Map. On JDK 16+ strict module enforcement,
515
+
// result['ref'] is an empty Map [:] since all Reference fields are inaccessible.
516
+
// Before fix (any version where fields are inaccessible): result['ref'] is a String
517
+
// e.g. "java.lang.ref.SoftReference@..." — a false WAF positive.
518
+
// After fix: result['ref'] is always a Map, never a String.
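Review bot: the removed assertion `result['ref'] == [:]` (old line 516) has no replacement in the lines shown here. New lines 512-518 are all comments, so the statement at line 518 that result['ref'] is always a Map, never a String, is not enforced by anything visible. Add an explicit check after that comment, for example `result['ref'] instanceof Map`, so a regression to the toString() fallback still fails the test. Because the comments say the value is exactly `[:]` on JDK 16+, consider also keeping the stricter `result['ref'] == [:]` check under a JVM version condition. Otherwise, on JVMs where the java.lang.ref fields are accessible, this test passes without ever exercising the inaccessible-field path the fix targets.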