Fix stack trace inconsistency between excluded frames in vulnerability location and metastruct stack trace (#7865)

jandro996 · web-flow · commit 15e5861d70ab · 2024-11-07T11:05:35.000+01:00
What Does This Do
Parametrize StackUtils#generateUserCodeStackTrace with a predicate
Add AbstractStackWalker#isNotDatadogTraceStackElement as default filter
Update isNotDatadogTraceStackElement to also filter com.datadog.appsec

Motivation
We are filtering different stack frames according to their class to calculate the vulnerability location and the vulnerability stack trace that is reported via meta struct
diff --git a/internal-api/src/main/java/datadog/trace/util/stacktrace/AbstractStackWalker.java b/internal-api/src/main/java/datadog/trace/util/stacktrace/AbstractStackWalker.java
@@ -18,6 +18,8 @@ final Stream<StackTraceElement> doFilterStack(Stream<StackTraceElement> stream)
 
   static boolean isNotDatadogTraceStackElement(final StackTraceElement el) {
     final String clazz = el.getClassName();
-    return !clazz.startsWith("datadog.trace.") && !clazz.startsWith("com.datadog.iast.");
+    return !clazz.startsWith("datadog.trace.")
+        && !clazz.startsWith("com.datadog.iast.")
+        && !clazz.startsWith("com.datadog.appsec.");
   }
 }
diff --git a/internal-api/src/main/java/datadog/trace/util/stacktrace/StackUtils.java b/internal-api/src/main/java/datadog/trace/util/stacktrace/StackUtils.java
@@ -60,19 +60,18 @@ public static <E extends Throwable> E filterUntil(
         });
   }
 
-  /** Function generates stack trace of the user code (excluding datadog classes) */
   public static List<StackTraceFrame> generateUserCodeStackTrace() {
+    return generateUserCodeStackTrace(AbstractStackWalker::isNotDatadogTraceStackElement);
+  }
+
+  /** Function generates stack trace of the user code (excluding datadog classes) */
+  public static List<StackTraceFrame> generateUserCodeStackTrace(
+      final Predicate<StackTraceElement> filterPredicate) {
     int stackCapacity = Config.get().getAppSecMaxStackTraceDepth();
     List<StackTraceElement> elements =
         StackWalkerFactory.INSTANCE.walk(
             stream ->
-                stream
-                    .filter(
-                        elem ->
-                            !elem.getClassName().startsWith("com.datadog")
-                                && !elem.getClassName().startsWith("datadog.trace"))
-                    .limit(stackCapacity)
-                    .collect(Collectors.toList()));
+                stream.filter(filterPredicate).limit(stackCapacity).collect(Collectors.toList()));
     return IntStream.range(0, elements.size())
         .mapToObj(idx -> new StackTraceFrame(idx, elements.get(idx)))
         .collect(Collectors.toList());
diff --git a/internal-api/src/test/java/datadog/trace/util/stacktrace/StackUtilsTest.java b/internal-api/src/test/java/datadog/trace/util/stacktrace/StackUtilsTest.java
@@ -14,7 +14,12 @@
 import java.util.List;
 import java.util.Map;
 import java.util.function.Function;
+import java.util.function.Predicate;
+import java.util.stream.Stream;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.MethodSource;
 
 public class StackUtilsTest {
 
@@ -92,13 +97,30 @@ public void test_filter_until() {
     assertThat(noRemoval.getStackTrace()).isEqualTo(stack);
   }
 
-  @Test
-  public void test_generateUserCodeStackTrace() {
-    List<StackTraceFrame> userCodeStack = StackUtils.generateUserCodeStackTrace();
+  private static Stream<Arguments> test_generateUserCodeStackTrace_Params() {
+    return Stream.of(
+        Arguments.of((Predicate<StackTraceElement>) stack -> true, false),
+        Arguments.of(
+            (Predicate<StackTraceElement>) stack -> !stack.getClassName().startsWith("org.junit"),
+            true));
+  }
+
+  @ParameterizedTest
+  @MethodSource("test_generateUserCodeStackTrace_Params")
+  public void test_generateUserCodeStackTrace(
+      final Predicate<StackTraceElement> filter, final boolean expected) {
+    List<StackTraceFrame> userCodeStack = StackUtils.generateUserCodeStackTrace(filter);
     assertThat(userCodeStack).isNotNull();
+    int junitFramesCounter = 0;
     for (StackTraceFrame frame : userCodeStack) {
-      assertThat(frame.getClass_name()).doesNotContain("com.datadog");
-      assertThat(frame.getClass_name()).doesNotContain("datadog.trace");
+      if (frame.getClass_name() != null && frame.getClass_name().startsWith("org.junit")) {
+        junitFramesCounter++;
+      }
+    }
+    if (expected) {
+      assertThat(junitFramesCounter).isEqualTo(0);
+    } else {
+      assertThat(junitFramesCounter).isGreaterThan(0);
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,8 @@ final Stream<StackTraceElement> doFilterStack(Stream<StackTraceElement> stream)`
`18`	`18`
`19`	`19`	`static boolean isNotDatadogTraceStackElement(final StackTraceElement el) {`
`20`	`20`	`final String clazz = el.getClassName();`
`21`		`- return !clazz.startsWith("datadog.trace.") && !clazz.startsWith("com.datadog.iast.");`
	`21`	`+ return !clazz.startsWith("datadog.trace.")`
	`22`	`+ && !clazz.startsWith("com.datadog.iast.")`
	`23`	`+ && !clazz.startsWith("com.datadog.appsec.");`
`22`	`24`	`}`
`23`	`25`	`}`