Unify truncation limits between ObjectIntrospection and WAFModule (#9168)

manuel-alvarez-alvarez · web-flow · commit 795d68ac8c29 · 2025-07-15T10:29:45.000+02:00
diff --git a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/ddwaf/WAFModule.java b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/ddwaf/WAFModule.java
@@ -69,9 +69,9 @@
 public class WAFModule implements AppSecModule {
   private static final Logger log = LoggerFactory.getLogger(WAFModule.class);
 
-  private static final int MAX_DEPTH = 10;
-  private static final int MAX_ELEMENTS = 150;
-  private static final int MAX_STRING_SIZE = 4096;
+  public static final int MAX_DEPTH = 20;
+  public static final int MAX_ELEMENTS = 256;
+  public static final int MAX_STRING_SIZE = 4096;
   private static volatile Waf.Limits LIMITS;
   private static final Class<?> PROXY_CLASS =
       Proxy.getProxyClass(WAFModule.class.getClassLoader(), Set.class);
diff --git a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/event/data/ObjectIntrospection.java b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/event/data/ObjectIntrospection.java
@@ -1,5 +1,9 @@
 package com.datadog.appsec.event.data;
 
+import static com.datadog.appsec.ddwaf.WAFModule.MAX_DEPTH;
+import static com.datadog.appsec.ddwaf.WAFModule.MAX_ELEMENTS;
+import static com.datadog.appsec.ddwaf.WAFModule.MAX_STRING_SIZE;
+
 import com.datadog.appsec.gateway.AppSecRequestContext;
 import datadog.environment.JavaVirtualMachine;
 import datadog.trace.api.telemetry.WafMetricCollector;
@@ -20,9 +24,7 @@
 import org.slf4j.LoggerFactory;
 
 public final class ObjectIntrospection {
-  private static final int MAX_DEPTH = 20;
-  private static final int MAX_ELEMENTS = 256;
-  private static final int MAX_STRING_LENGTH = 4096;
+
   private static final Logger log = LoggerFactory.getLogger(ObjectIntrospection.class);
 
   private static final Method trySetAccessible;
@@ -337,9 +339,9 @@ private static boolean setAccessible(Field field) {
   }
 
   private static String checkStringLength(final String str, final State state) {
-    if (str.length() > MAX_STRING_LENGTH) {
+    if (str.length() > MAX_STRING_SIZE) {
       state.stringTooLong = true;
-      return str.substring(0, MAX_STRING_LENGTH);
+      return str.substring(0, MAX_STRING_SIZE);
     }
     return str;
   }
diff --git a/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/event/data/ObjectIntrospectionSpecification.groovy b/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/event/data/ObjectIntrospectionSpecification.groovy
@@ -10,6 +10,9 @@ import spock.lang.Shared
 
 import java.nio.CharBuffer
 
+import static com.datadog.appsec.ddwaf.WAFModule.MAX_DEPTH
+import static com.datadog.appsec.ddwaf.WAFModule.MAX_ELEMENTS
+import static com.datadog.appsec.ddwaf.WAFModule.MAX_STRING_SIZE
 import static com.datadog.appsec.event.data.ObjectIntrospection.convert
 
 class ObjectIntrospectionSpecification extends DDSpecification {
@@ -381,7 +384,7 @@ class ObjectIntrospectionSpecification extends DDSpecification {
 
   void 'jackson string truncation'() {
     setup:
-    final longString = 'A' * (ObjectIntrospection.MAX_STRING_LENGTH + 1)
+    final longString = 'A' * (MAX_STRING_SIZE + 1)
     final jsonInput = '{"long": "' + longString + '"}'
 
     when:
@@ -390,14 +393,14 @@ class ObjectIntrospectionSpecification extends DDSpecification {
     then:
     1 * ctx.setWafTruncated()
     1 * wafMetricCollector.wafInputTruncated(true, false, false)
-    result["long"].length() <= ObjectIntrospection.MAX_STRING_LENGTH
+    result["long"].length() <= MAX_STRING_SIZE
   }
 
   void 'jackson with deep nesting triggers depth limit'() {
     setup:
     // Create deeply nested JSON
     final json = JsonOutput.toJson(
-    (1..(ObjectIntrospection.MAX_DEPTH + 1)).inject([:], { result, i -> [("child_$i".toString()) : result] })
+    (1..(MAX_DEPTH + 1)).inject([:], { result, i -> [("child_$i".toString()) : result] })
     )
 
     when:
@@ -407,13 +410,13 @@ class ObjectIntrospectionSpecification extends DDSpecification {
     // Should truncate at max depth and set truncation flag
     1 * ctx.setWafTruncated()
     1 * wafMetricCollector.wafInputTruncated(false, false, true)
-    countNesting(result as Map, 0) <= ObjectIntrospection.MAX_DEPTH
+    countNesting(result as Map, 0) <= MAX_DEPTH
   }
 
   void 'jackson with large arrays triggers element limit'() {
     setup:
     // Create large array
-    final largeArray = (1..(ObjectIntrospection.MAX_ELEMENTS + 1)).toList()
+    final largeArray = (1..(MAX_ELEMENTS + 1)).toList()
     final json = new JsonBuilder(largeArray).toString()
 
     when:
@@ -423,7 +426,7 @@ class ObjectIntrospectionSpecification extends DDSpecification {
     // Should truncate and set truncation flag
     1 * ctx.setWafTruncated()
     1 * wafMetricCollector.wafInputTruncated(false, true, false)
-    result.size() <= ObjectIntrospection.MAX_ELEMENTS
+    result.size() <= MAX_ELEMENTS
   }
 
   void 'jackson number type variations'() {
