Correct JacksonEvent.merge() null-key handling and close InputSt… (opensearch-project#6775)

Davidding4718 · web-flow · commit 569ae3a839b5 · 2026-04-23T12:43:20.000-07:00
Fix JacksonEvent.merge() null-key bug and InputStream leak

Harden XML parser in LastReleasedVersionProvider against XXE attacks.

Signed-off-by: Siqi Ding &lt;dingdd@amazon.com&gt;
diff --git a/buildSrc/src/main/java/org/opensearch/dataprepper/gradle/compatibility/LastReleasedVersionProvider.java b/buildSrc/src/main/java/org/opensearch/dataprepper/gradle/compatibility/LastReleasedVersionProvider.java
@@ -32,16 +32,20 @@ public static String getLastReleasedMajorVersion(final Project project) {
         final String groupPath = group.replace('.', '/');
         final String metadataUrl = String.format("https://repo1.maven.org/maven2/%s/%s/maven-metadata.xml", groupPath, artifactId);
         
-        try {
-            return getLastReleasedMajorVersion(new URL(metadataUrl).openStream(), currentVersion);
+        try (InputStream stream = new URL(metadataUrl).openStream()) {
+            return getLastReleasedMajorVersion(stream, currentVersion);
         } catch (final Exception e) {
             return null;
         }
     }
 
     static String getLastReleasedMajorVersion(final InputStream metadataStream, final String currentVersion) throws Exception {
         final String majorVersion = currentVersion.split("\\.")[0];
-        final Document doc = DocumentBuilderFactory.newInstance()
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        dbf.setXIncludeAware(false);
+        dbf.setExpandEntityReferences(false);
+        final Document doc = dbf
             .newDocumentBuilder()
             .parse(metadataStream);
         
diff --git a/data-prepper-api/src/main/java/org/opensearch/dataprepper/model/event/JacksonEvent.java b/data-prepper-api/src/main/java/org/opensearch/dataprepper/model/event/JacksonEvent.java
@@ -481,9 +481,8 @@ public void merge(final Event other, final Collection<String> keys) {
         }
 
         for (final String key : keys) {
-            final Object value = other.get(key, Object.class);
-            if (value != null) {
-                put(key, value);
+            if (other.containsKey(key)) {
+                put(key, other.get(key, Object.class));
             }
         }
     }
diff --git a/data-prepper-api/src/test/java/org/opensearch/dataprepper/model/event/JacksonEventTest.java b/data-prepper-api/src/test/java/org/opensearch/dataprepper/model/event/JacksonEventTest.java
@@ -717,6 +717,17 @@ void merge_with_keys_overwrites_existing_values() {
         assertThat(event.containsKey("b"), equalTo(false));
     }
 
+    @Test
+    void merge_with_keys_overwrites_existing_value_with_null() {
+        event.put("a", "original");
+        final String jsonString = "{\"a\": null}";
+        Event otherEvent = JacksonEvent.builder().withEventType(EventType.DOCUMENT.toString()).withData(jsonString).build();
+        event.merge(otherEvent, List.of("a"));
+
+        assertThat(event.containsKey("a"), equalTo(true));
+        assertThat(event.get("a", Object.class), equalTo(null));
+    }
+
     @Test
     void merge_with_keys_skips_missing_keys_in_other() {
         event.put("existing", "value");

Original file line number	Diff line number	Diff line change
`@@ -481,9 +481,8 @@ public void merge(final Event other, final Collection<String> keys) {`
`481`	`481`	`}`
`482`	`482`
`483`	`483`	`for (final String key : keys) {`
`484`		`- final Object value = other.get(key, Object.class);`
`485`		`- if (value != null) {`
`486`		`- put(key, value);`
	`484`	`+ if (other.containsKey(key)) {`
	`485`	`+ put(key, other.get(key, Object.class));`
`487`	`486`	`}`
`488`	`487`	`}`
`489`	`488`	`}`