Fix ObjectIntrospection exposing JDK internal toString() to the WAF by jandro996 · Pull Request #10820 · DataDog/dd-trace-java
What Does This Do
- Ensures ObjectIntrospection continues processing remaining accessible fields instead of falling back to obj.toString().
- Exclude non-relevant field types from WAF inspection
Field types that introduce deep or cyclic object graphs — and are not relevant for WAF inspection — are now excluded before reflection traversal.
Excluded types
- Logging framework loggers: SLF4J, Log4j, JUL, Logback, Commons Logging
- groovy.lang.MetaClass
Motivation
Avoid false positive security events and unnecessary CPU spikes caused by internal JDK string representations being analyzed by the WAF.
https://datadoghq.atlassian.net/browse/SCRS-2006
Additional Notes
When setAccessible() failed for a field due to Java 9+ module encapsulation, ObjectIntrospection returned obj.toString() for the entire object.
This caused JDK internal string representations such as "class java.lang.Object" to reach the WAF engine, where they could match phrase_match rules (e.g., crs-944-130 java_code_injection) and generate false positive security events on every request, leading to a CPU spike.
Contributor Checklist
- Format the title according to the contribution guidelines
- Assign the type: and (comp: or inst:) labels in addition to any other useful labels
- Avoid using close, fix, or any linking keywords when referencing an issue. Use solves instead, and assign the PR milestone to the issue
- Update the CODEOWNERS file on source file addition, migration, or deletion
- Update public documentation with any new configuration flags or behaviors
Jira ticket: APPSEC-61693
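As an added illustration of the behaviour described in the notes above (example code, not the ObjectIntrospection implementation from dd-trace-java): a reflective walk that drops each field Java 9+ module encapsulation makes inaccessible instead of stringifying the whole object, and filters excluded field types before touching reflection. The class name, the exclusion prefixes and the Sample object are assumptions.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.*;
import java.util.logging.Logger;
// Added illustration, not dd-trace-java's ObjectIntrospection: inaccessible fields are
// skipped one at a time, excluded types are filtered before reflection, and
// obj.toString() is never used as a whole-object fallback.
public class SafeIntrospector {
    private static final int MAX_DEPTH = 3;
    // Assumed exclusion list modelled on the PR text (logger types, groovy MetaClass).
    private static final List<String> EXCLUDED_TYPE_PREFIXES = List.of(
        "org.slf4j.", "org.apache.logging.log4j.", "org.apache.log4j.", "java.util.logging.",
        "ch.qos.logback.", "org.apache.commons.logging.", "groovy.lang.MetaClass");

    static boolean isExcluded(Class<?> type) {
        return EXCLUDED_TYPE_PREFIXES.stream().anyMatch(type.getName()::startsWith);
    }

    // Builds the view handed to the WAF: leaves are kept, nested objects are recursed up to
    // MAX_DEPTH, and cycles, empty subtrees and inaccessible fields are dropped, not stringified.
    static Map<String, Object> introspect(Object obj, int depth, Set<Object> seen) {
        Map<String, Object> out = new LinkedHashMap<>();
        if (obj == null || depth > MAX_DEPTH || !seen.add(obj)) return out;
        for (Class<?> c = obj.getClass(); c != null && c != Object.class; c = c.getSuperclass()) {
            for (Field f : c.getDeclaredFields()) {
                if (Modifier.isStatic(f.getModifiers()) || isExcluded(f.getType())) continue;
                if (!f.trySetAccessible()) continue; // Java 9+ module encapsulation: skip this field only
                try {
                    Object v = f.get(obj);
                    boolean leaf = v instanceof String || v instanceof Number || v instanceof Boolean;
                    Object value = (v == null || leaf) ? v : introspect(v, depth + 1, seen);
                    if (value == null || (value instanceof Map && ((Map<?, ?>) value).isEmpty())) continue;
                    out.put(f.getName(), value);
                } catch (IllegalAccessException e) { /* skip this field, keep the rest */ }
            }
        }
        return out;
    }

    static class Sample {                        // constructed sample object
        String user = "alice";
        Class<?> type = Object.class;            // toString() would read "class java.lang.Object"
        Logger log = Logger.getLogger("sample"); // excluded by type before any reflection
        Sample self = this;                      // cycle, dropped via the identity set
    }

    public static void main(String[] args) {
        Set<Object> seen = Collections.newSetFromMap(new IdentityHashMap<>());
        System.out.println(introspect(new Sample(), 0, seen));
    }
}
```

On a JDK with strong encapsulation enabled by default (16 and later), the Class-typed field exposes no accessible subfields and is simply dropped, so no "class java.lang.Object" string is produced for the WAF to match.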