new approach test

jandro996 · jandro996 · commit 9e2878f42a0f · 2026-03-17T10:29:50.000+01:00
diff --git a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/event/data/ObjectIntrospection.java b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/event/data/ObjectIntrospection.java
@@ -16,18 +16,40 @@
 import java.lang.reflect.Modifier;
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.Date;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 public final class ObjectIntrospection {
 
   private static final Logger log = LoggerFactory.getLogger(ObjectIntrospection.class);
 
+  /**
+   * Field types excluded from object introspection. Covers Groovy meta-fields and logging framework
+   * loggers — both introduce deep, cyclic, or sensitive object graphs that are irrelevant for WAF
+   * inspection and can trigger false positives (e.g. crs-944-130).
+   */
+  private static final Set<String> EXCLUDED_FIELD_TYPES;
+
+  static {
+    final Set<String> types = new HashSet<>();
+    types.add("groovy.lang.MetaClass");
+    types.add("org.slf4j.Logger");
+    types.add("org.apache.logging.log4j.Logger");
+    types.add("org.apache.logging.log4j.core.Logger");
+    types.add("java.util.logging.Logger");
+    types.add("org.apache.commons.logging.Log");
+    types.add("ch.qos.logback.classic.Logger");
+    EXCLUDED_FIELD_TYPES = Collections.unmodifiableSet(types);
+  }
+
   private static final Method trySetAccessible;
 
   static {
@@ -287,10 +309,7 @@ private static Object doConversion(Object obj, int depth, State state) {
         if (Modifier.isStatic(f.getModifiers())) {
           continue;
         }
-        if (f.getType().getName().equals("groovy.lang.MetaClass")) {
-          continue;
-        }
-        if (isLoggingType(f.getType())) {
+        if (EXCLUDED_FIELD_TYPES.contains(f.getType().getName())) {
           continue;
         }
         String name = f.getName();
@@ -318,20 +337,6 @@ private static Object doConversion(Object obj, int depth, State state) {
     return newMap;
   }
 
-  private static boolean isLoggingType(final Class<?> type) {
-    switch (type.getName()) {
-      case "org.slf4j.Logger":
-      case "org.apache.logging.log4j.Logger":
-      case "org.apache.logging.log4j.core.Logger":
-      case "java.util.logging.Logger":
-      case "org.apache.commons.logging.Log":
-      case "ch.qos.logback.classic.Logger":
-        return true;
-      default:
-        return false;
-    }
-  }
-
   private static boolean ignoredFieldName(final String name) {
     switch (name) {
       case "this$0":
diff --git a/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/event/data/ObjectIntrospectionSpecification.groovy b/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/event/data/ObjectIntrospectionSpecification.groovy
@@ -583,40 +583,4 @@ class ObjectIntrospectionSpecification extends DDSpecification {
       return map.entrySet().iterator()
     }
   }
-
-  static class DtoWithLogger {
-    String userId = 'user123'
-    java.util.logging.Logger logger = java.util.logging.Logger.getLogger('test')
-    String payload = 'data'
-  }
-
-  void 'logging framework fields are excluded from introspection'() {
-    given:
-    def input = new DtoWithLogger()
-
-    when:
-    def result = convert(input, ctx) as Map
-
-    then:
-    result['userId'] == 'user123'
-    result['payload'] == 'data'
-    !result.containsKey('logger')
-  }
-
-  static class WrapperWithSoftRef {
-    String name = 'test'
-    java.lang.ref.SoftReference<String> ref = new java.lang.ref.SoftReference<>('test')
-  }
-
-  void 'objects with inaccessible JDK fields skip those fields rather than expose toString()'() {
-    given:
-    def input = new WrapperWithSoftRef()
-
-    when:
-    def result = convert(input, ctx) as Map
-
-    then:
-    result['name'] == 'test'
-    result['ref'] instanceof Map
-  }
 }
