[AppSec] Skip converting Strongly Encapsulated Internals for WAF #3501
What Does This Do
Prevents decomposition of objects that belong to Strongly Encapsulated Java Internals, in order to avoid throwing InaccessibleObjectException on Java 9+. Such objects are represented as strings instead.
Motivation
A customer reported an AppSec false positive issue when the request body contains:
<error: Unable to make field private final int java.time.LocalDate.year accessible: module java.base does not "opens java.time" to unnamed module @34f15e65>
and
<error: unable to make field private final int java.lang.string java.lang.enum.name accessible: module java.base does not "opes java.time" to unnamed module @34f15e65>
Additionally, the customer emphasized that they are using Dropwizard running on Java 17.
Additional Notes
If the request body contains a complex object, AppSec converts it into standard Java data types with strings for WAF analysis, so that the converted data (maps of strings, arrays of strings, etc.) can be properly consumed by the WAF.
Decomposition of complex objects is done with Java Reflection. Starting with Java 9, Strongly Encapsulated Internals were introduced (see JEP-260, JEP-396, JEP-403), which made some standard Java classes inaccessible to Reflection. As a result, decomposition throws InaccessibleObjectException for classes like LocalDate or Enum when running on Java 16+.
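An added illustration of the approach described above, not the tracer's own code: a hypothetical decomposer asks the class's module whether its package is opened to the caller before reflecting over its fields, and falls back to a string for java.base types such as LocalDate and Enum. The Booking class and its values are constructed sample input.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.time.LocalDate;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical decomposer: walks an object's fields reflectively, as the
// AppSec request-body conversion does, but first checks whether the
// declaring module opens the package to us (Java 9+ strong encapsulation).
public final class SafeDecomposer {
    private SafeDecomposer() {}

    /** True when reflective field access to this class would throw InaccessibleObjectException. */
    static boolean isStronglyEncapsulated(Class<?> type) {
        Module target = type.getModule();
        Module caller = SafeDecomposer.class.getModule();
        // Unnamed modules (the classpath) and our own module are always open to us.
        if (!target.isNamed() || target == caller) {
            return false;
        }
        return !target.isOpen(type.getPackageName(), caller);
    }

    /** Convert to plain types the WAF can consume: a Map of field name to value, or a String. */
    static Object convert(Object value) {
        if (value == null) return null;
        if (value instanceof String || value instanceof Number || value instanceof Boolean) {
            return value;
        }
        // Enum constants keep their fields in java.lang.Enum (java.base): use the name instead.
        if (value instanceof Enum) return ((Enum<?>) value).name();
        Class<?> type = value.getClass();
        // java.base types such as LocalDate are not opened to us: represent as a string
        // rather than calling setAccessible and triggering InaccessibleObjectException.
        if (isStronglyEncapsulated(type)) return String.valueOf(value);
        Map<String, Object> fields = new LinkedHashMap<>();
        for (Field f : type.getDeclaredFields()) {
            if (Modifier.isStatic(f.getModifiers())) continue;
            // trySetAccessible returns false instead of throwing when access is denied.
            if (!f.trySetAccessible()) { fields.put(f.getName(), "<inaccessible>"); continue; }
            try { fields.put(f.getName(), convert(f.get(value))); }
            catch (IllegalAccessException e) { fields.put(f.getName(), "<inaccessible>"); }
        }
        return fields;
    }

    // Constructed sample: an application POJO holding a LocalDate, as a request body might.
    static final class Booking { final String guest = "alice"; final LocalDate date = LocalDate.of(2024, 1, 31); }

    public static void main(String[] args) { System.out.println(convert(new Booking())); }
}
```

Running this on Java 17 without any --add-opens flag yields a map whose date entry is the LocalDate's string form, whereas reflecting into LocalDate's private fields would have thrown.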