Fix ObjectIntrospection exposing JDK internal toString() to the WAF by jandro996 · Pull Request #10820 · DataDog/dd-trace-java

What Does This Do

  • Ensures ObjectIntrospection continues processing remaining accessible fields instead of falling back to obj.toString().
  • Excludes non-relevant field types from WAF inspection

Field types that introduce deep or cyclic object graphs — and are not relevant for WAF inspection — are now excluded before reflection traversal.

Excluded types

  • Logging framework loggers:
    • SLF4J
    • Log4j
    • JUL
    • Logback
    • Commons Logging
  • groovy.lang.MetaClass

Motivation

Avoid false positive security events and unnecessary CPU spikes caused by internal JDK string representations being analyzed by the WAF.
https://datadoghq.atlassian.net/browse/SCRS-2006

Additional Notes

When setAccessible() failed for a field due to Java 9+ module encapsulation, ObjectIntrospection returned obj.toString() for the entire object.

This caused JDK internal string representations such as "class java.lang.Object" to reach the WAF engine, where they could match phrase_match rules (e.g., crs-944-130 java_code_injection) and generate false positive security events on every request, leading to a CPU spike.

Contributor Checklist

Jira ticket: APPSEC-61693

Note: Once your PR is ready to merge, add it to the merge queue by commenting /merge. /merge -c cancels the queue request. /merge -f --reason "reason" skips all merge queue checks; please use this judiciously, as some checks do not run at the PR-level. For more information, see this doc.
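The failure mode described under Additional Notes, as an added example that is not code from dd-trace-java or from this PR. `introspectWithToStringFallback` is a reconstruction of the behaviour the PR calls broken (one `InaccessibleObjectException` collapses the whole object into `obj.toString()`); `introspectSkipping` shows the described fix (skip the excluded types and the inaccessible field, keep processing the remaining accessible fields, never call `toString()`). The prefix list, `MAX_DEPTH`, the `LoginRequest` sample object and all method names are constructed for this example and are assumptions, not the project's API. The exception path is only observable on JDK 16+ (or an earlier JDK run with `--illegal-access=deny`), where `java.base` does not open `java.lang` to the unnamed module.

```java
import java.lang.reflect.Field;
import java.lang.reflect.InaccessibleObjectException;
import java.lang.reflect.Modifier;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;

public class IntrospectionExample {

  // Constructed exclusion list for this example: field types that pull deep or cyclic
  // graphs into the traversal and carry nothing the WAF should look at. Matched by
  // class-name prefix so none of the logging libraries need to be on the classpath.
  private static final String[] EXCLUDED_TYPE_PREFIXES = {
      "org.slf4j.",                  // SLF4J
      "org.apache.logging.log4j.",   // Log4j 2
      "org.apache.log4j.",           // Log4j 1.x
      "java.util.logging.",          // JUL
      "ch.qos.logback.",             // Logback
      "org.apache.commons.logging.", // Commons Logging
      "groovy.lang.MetaClass",       // groovy.lang.MetaClass and its implementations
  };

  private static final int MAX_DEPTH = 8; // assumed depth cap, not the project's value

  static boolean isExcludedType(Class<?> type) {
    String name = type.getName();
    for (String prefix : EXCLUDED_TYPE_PREFIXES) {
      if (name.startsWith(prefix)) {
        return true;
      }
    }
    return false;
  }

  // Values the WAF can match directly; everything else is traversed by reflection.
  static boolean isLeaf(Object o) {
    return o instanceof CharSequence || o instanceof Number
        || o instanceof Boolean || o instanceof Character;
  }

  // Reconstruction of the behaviour the PR describes as broken: the first field whose
  // setAccessible() fails makes the whole object collapse into obj.toString().
  static Object introspectWithToStringFallback(Object obj, int depth) {
    if (obj == null || isLeaf(obj)) return obj;
    if (depth >= MAX_DEPTH) return null;
    Map<String, Object> out = new LinkedHashMap<>();
    for (Field f : obj.getClass().getDeclaredFields()) {
      if (Modifier.isStatic(f.getModifiers())) continue;
      try {
        // Throws InaccessibleObjectException for java.base internals on JDK 16+.
        f.setAccessible(true);
        out.put(f.getName(), introspectWithToStringFallback(f.get(obj), depth + 1));
      } catch (InaccessibleObjectException | IllegalAccessException e) {
        // A java.lang.Class value turns into the string "class java.lang.Object",
        // which is what reached the WAF and matched phrase_match rules.
        return obj.toString();
      }
    }
    return out;
  }

  // Fixed traversal: excluded types and inaccessible fields are skipped one by one,
  // the remaining accessible fields are still processed, and toString() is never used.
  static Object introspectSkipping(Object obj, int depth, Set<Object> seen) {
    if (obj == null || isLeaf(obj)) return obj;
    if (depth >= MAX_DEPTH || !seen.add(obj)) return null; // depth cap + identity cycle guard
    Map<String, Object> out = new LinkedHashMap<>();
    for (Field f : obj.getClass().getDeclaredFields()) {
      if (Modifier.isStatic(f.getModifiers())) continue;
      if (isExcludedType(f.getType())) continue; // declared as a logger / MetaClass
      try {
        f.setAccessible(true);
      } catch (InaccessibleObjectException e) {
        continue; // JDK-internal field: drop this field only, keep the rest of the object
      }
      Object value;
      try {
        value = f.get(obj);
      } catch (IllegalAccessException e) {
        continue;
      }
      if (value != null && isExcludedType(value.getClass())) continue; // Object field holding a logger
      out.put(f.getName(), introspectSkipping(value, depth + 1, seen));
    }
    return out;
  }

  // Constructed request object standing in for a deserialized body handed to the WAF.
  static final class LoginRequest {
    String username = "alice";
    String comment = "hello";
    Class<?> payloadType = Object.class;    // JDK internal: Class.toString() is "class java.lang.Object"
    Logger log = Logger.getLogger("demo");  // JUL logger: excluded type
  }

  public static void main(String[] args) {
    LoginRequest req = new LoginRequest();
    System.out.println("before: " + introspectWithToStringFallback(req, 0));
    System.out.println("after:  " + introspectSkipping(req, 0,
        Collections.newSetFromMap(new IdentityHashMap<>())));
  }
}
```

Run with `javac IntrospectionExample.java && java IntrospectionExample` on JDK 16 or newer. In the "before" map the `payloadType` entry is the JDK string `class java.lang.Object` and the `log` entry is the logger's default `toString()`, neither of which came from the request; in the "after" map `payloadType` is an empty map (all of `java.lang.Class`'s fields were inaccessible and skipped) and `log` is absent, while `username` and `comment` survive as the only strings the WAF needs to inspect. The identity set never removes entries, so an object shared by two fields (not a cycle) is also reported only once; a production implementation would track the path instead.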