FIX

jandro996 · jandro996 · commit b15b7af0f3f8 · 2025-11-05T17:54:15.000+01:00
diff --git a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/AppSecRequestContext.java b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/gateway/AppSecRequestContext.java
@@ -646,9 +646,15 @@ public void close() {
         closeWafContext();
       }
       collectedCookies = null;
-      requestHeaders.clear();
-      responseHeaders.clear();
-      persistentData.clear();
+      if (requestHeaders != null) {
+        requestHeaders.clear();
+      }
+      if (responseHeaders != null) {
+        responseHeaders.clear();
+      }
+      if (persistentData != null) {
+        persistentData.clear();
+      }
       if (derivatives != null) {
         derivatives.clear();
         derivatives = null;
diff --git a/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/AppSecRequestContextSpecification.groovy b/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/gateway/AppSecRequestContextSpecification.groovy
@@ -451,4 +451,44 @@ class AppSecRequestContextSpecification extends DDSpecification {
       assert context.isHttpClientRequestSampled(requestId) == sampled
     }
   }
+
+  void 'close is idempotent and can be called multiple times'() {
+    given:
+    def ctx = new AppSecRequestContext()
+    ctx.addRequestHeader('test', 'value')
+    ctx.addResponseHeader('content-type', 'text/plain')
+
+    when:
+    ctx.close()
+    ctx.close()
+    ctx.close()
+
+    then:
+    notThrown(Exception)
+  }
+
+  void 'close handles null internal fields gracefully'() {
+    given:
+    def ctx = new AppSecRequestContext()
+
+    // Use reflection to simulate the scenario where fields might be null
+    // (e.g., due to bytecode instrumentation or unusual initialization)
+    def requestHeadersField = AppSecRequestContext.getDeclaredField('requestHeaders')
+    requestHeadersField.setAccessible(true)
+    requestHeadersField.set(ctx, null)
+
+    def responseHeadersField = AppSecRequestContext.getDeclaredField('responseHeaders')
+    responseHeadersField.setAccessible(true)
+    responseHeadersField.set(ctx, null)
+
+    def persistentDataField = AppSecRequestContext.getDeclaredField('persistentData')
+    persistentDataField.setAccessible(true)
+    persistentDataField.set(ctx, null)
+
+    when:
+    ctx.close()
+
+    then:
+    notThrown(Exception)
+  }
 }
