From 9ae368faea54c1472a0b012428ac3b2d55666da9 Mon Sep 17 00:00:00 2001 From: "Santiago M. Mola" Date: Thu, 26 Oct 2023 09:58:24 +0200 Subject: [PATCH] Handle serialization exceptions in IAST (#6102) --- .../model/json/VulnerabilityEncoding.java | 16 ++++++++++++---- .../json/VulnerabilityEncodingTest.groovy | 19 +++++++++++++++++++ 2 files changed, 31 insertions(+), 4 deletions(-) diff --git a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/json/VulnerabilityEncoding.java b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/json/VulnerabilityEncoding.java index 455e1334b70..59c6c1c5b62 100644 --- a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/json/VulnerabilityEncoding.java +++ b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/json/VulnerabilityEncoding.java @@ -3,9 +3,12 @@ import com.datadog.iast.model.VulnerabilityBatch; import com.squareup.moshi.JsonAdapter; import com.squareup.moshi.Moshi; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; public class VulnerabilityEncoding { + private static final Logger log = LoggerFactory.getLogger(VulnerabilityEncoding.class); private static final int MAX_SPAN_TAG_SIZE = 25000; static final Moshi MOSHI = @@ -18,10 +21,15 @@ public class VulnerabilityEncoding { MOSHI.adapter(TruncatedVulnerabilities.class); public static String toJson(final VulnerabilityBatch value) { - String json = BATCH_ADAPTER.toJson(value); - return json.getBytes().length > MAX_SPAN_TAG_SIZE - ? getExceededTagSizeJson(new TruncatedVulnerabilities(value.getVulnerabilities())) - : json; + try { + String json = BATCH_ADAPTER.toJson(value); + return json.getBytes().length > MAX_SPAN_TAG_SIZE + ? getExceededTagSizeJson(new TruncatedVulnerabilities(value.getVulnerabilities())) + : json; + } catch (Exception ex) { + log.debug("Vulnerability serialization error", ex); + return "{\"vulnerabilities\":[]}"; + } } static String getExceededTagSizeJson(final TruncatedVulnerabilities truncatedVulnerabilities) { diff --git a/dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/model/json/VulnerabilityEncodingTest.groovy b/dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/model/json/VulnerabilityEncodingTest.groovy index e56e6afa77b..eaff6eca472 100644 --- a/dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/model/json/VulnerabilityEncodingTest.groovy +++ b/dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/model/json/VulnerabilityEncodingTest.groovy @@ -539,6 +539,25 @@ class VulnerabilityEncodingTest extends DDSpecification { } + void 'exception during serialization is caught'() { + given: + final value = new VulnerabilityBatch() + final type = Mock(VulnerabilityType) { + name() >> { throw new RuntimeException("ERROR") } + } + final vuln = new Vulnerability(type, null, null) + value.add(vuln) + + when: + final result = VulnerabilityEncoding.toJson(value) + + then: + JSONAssert.assertEquals('''{ + "vulnerabilities": [ + ] + }''', result, true) + } + private static String generateLargeString(){ int targetSize = 25 * 1024 StringBuilder sb = new StringBuilder()