Safely handle Files.exist on discovery and config when a Security Manager is present (#10009)

* Safely handle Files.exist on discovery adn config

* Add filesystem-utils only to shared

Author: amarziali

communication/build.gradle.kts

@@ -13,6 +13,7 @@ dependencies {
   implementation(project(":remote-config:remote-config-core"))
   implementation(project(":internal-api"))
   implementation(project(":utils:container-utils"))
+  implementation(project(":utils:filesystem-utils"))
   implementation(project(":utils:socket-utils"))
   implementation(project(":utils:version-utils"))
 

communication/src/main/java/datadog/communication/monitor/DDAgentStatsDConnection.java

@@ -8,6 +8,7 @@
 import com.timgroup.statsd.NoOpDirectStatsDClient;
 import com.timgroup.statsd.NonBlockingStatsDClientBuilder;
 import com.timgroup.statsd.StatsDClientErrorHandler;
+import datadog.common.filesystem.Files;
 import datadog.environment.OperatingSystem;
 import datadog.trace.api.Config;
 import datadog.trace.relocate.api.IOLogger;
@@ -186,7 +187,7 @@ private void discoverConnectionSettings() {
     }
 
     if (null == host) {
-      if (!OperatingSystem.isWindows() && new File(DEFAULT_DOGSTATSD_SOCKET_PATH).exists()) {
+      if (!OperatingSystem.isWindows() && Files.exists(new File(DEFAULT_DOGSTATSD_SOCKET_PATH))) {
         log.info("Detected {}. Using it to send StatsD data.", DEFAULT_DOGSTATSD_SOCKET_PATH);
         host = DEFAULT_DOGSTATSD_SOCKET_PATH;
         port = 0; // tells dogstatsd client to treat host as a socket path

gradle/dependencies.gradle

@@ -26,6 +26,7 @@ final class CachedData {
       exclude(project(':telemetry'))
       exclude(project(':utils:config-utils'))
       exclude(project(':utils:container-utils'))
+      exclude(project(':utils:filesystem-utils'))
       exclude(project(':utils:socket-utils'))
       exclude(project(':utils:time-utils'))
       exclude(project(':utils:version-utils'))

settings.gradle.kts

@@ -155,6 +155,7 @@ include(
   ":dd-java-agent:testing",
   ":utils:config-utils",
   ":utils:container-utils",
+  ":utils:filesystem-utils",
   ":utils:flare-utils",
   ":utils:socket-utils",
   ":utils:test-agent-utils:decoder",

utils/config-utils/build.gradle.kts

@@ -57,6 +57,7 @@ dependencies {
   implementation(project(":components:environment"))
   implementation(project(":components:yaml"))
   implementation(project(":dd-trace-api"))
+  implementation(project(":utils:filesystem-utils"))
   implementation(libs.slf4j)
 
   testImplementation(project(":utils:test-utils"))

utils/config-utils/src/main/java/datadog/trace/bootstrap/config/provider/StableConfigSource.java

@@ -2,6 +2,7 @@
 
 import static datadog.trace.util.ConfigStrings.propertyNameToEnvironmentVariableName;
 
+import datadog.common.filesystem.Files;
 import datadog.trace.api.ConfigOrigin;
 import datadog.trace.bootstrap.config.provider.stableconfig.StableConfigMappingException;
 import java.io.File;
@@ -33,7 +34,7 @@ public final class StableConfigSource extends ConfigProvider.Source {
     try {
       File file = new File(filePath);
       log.debug("Stable configuration file found at path: {}", file);
-      if (file.exists()) {
+      if (Files.exists(file)) {
         cfg = StableConfigParser.parse(filePath);
       }
     } catch (Throwable e) {

utils/filesystem-utils/build.gradle.kts

@@ -0,0 +1,9 @@
+plugins {
+  `java-library`
+}
+
+apply(from = "$rootDir/gradle/java.gradle")
+
+dependencies {
+  testImplementation(project(":utils:test-utils"))
+}

utils/filesystem-utils/src/main/java/datadog/common/filesystem/Files.java

@@ -0,0 +1,30 @@
+package datadog.common.filesystem;
+
+import java.io.File;
+import javax.annotation.Nonnull;
+
+/** Utility methods related to file operations. */
+public final class Files {
+
+  private Files() {
+    // Prevent instantiation
+  }
+
+  /**
+   * Determines whether the given file exists on the filesystem.
+   *
+   * <p>This method wraps {@link File#exists()} and safely handles {@link SecurityException}s that
+   * may occur if the caller does not have the required permissions to examine the file. In such
+   * cases, this method returns {@code false}.
+   *
+   * @param file the file to check for existence; must not be {@code null}
+   * @return {@code true} if the file exists and can be queried, {@code false} otherwise
+   */
+  public static boolean exists(@Nonnull File file) {
+    try {
+      return file.exists();
+    } catch (SecurityException ignored) {
+      return false;
+    }
+  }
+}

utils/filesystem-utils/src/test/java/datadog/common/filesystem/FilesTest.java

@@ -0,0 +1,75 @@
+package datadog.common.filesystem;
+
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import datadog.environment.JavaVirtualMachine;
+import java.io.File;
+import java.io.IOException;
+import java.security.Permission;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.condition.DisabledIf;
+
+public class FilesTest {
+
+  private SecurityManager originalSM;
+
+  @Test
+  void existsReturnsTrueWhenFileExistsAndIsAccessible() throws IOException {
+    File file = File.createTempFile("test", "txt");
+    file.deleteOnExit();
+
+    assertTrue(Files.exists(file));
+  }
+
+  @Test
+  void existsReturnsFalseWhenFileDoesNotExist() throws IOException {
+    File file = File.createTempFile("missing", "txt");
+    assertTrue(file.delete()); // ensure it does not exist
+
+    assertFalse(Files.exists(file));
+  }
+
+  @Test
+  @DisabledIf("isJava18OrLater")
+  void existsReturnsFalseWhenSecurityManagerForbidsFileAccess() throws IOException {
+    File file = File.createTempFile("test", "txt");
+    file.deleteOnExit();
+
+    // --- install restrictive SecurityManager only in this test ---
+    SecurityManager originalSM = System.getSecurityManager();
+
+    System.setSecurityManager(
+        new SecurityManager() {
+          @Override
+          public void checkRead(String filePath) {
+            // Deny only THIS file so classloading still works
+            if (filePath.equals(file.getAbsolutePath())) {
+              throw new SecurityException("Access denied");
+            }
+          }
+
+          @Override
+          public void checkPermission(Permission perm) {
+            // allow everything else
+          }
+
+          @Override
+          public void checkPermission(Permission perm, Object context) {
+            // allow everything else
+          }
+        });
+
+    try {
+      boolean result = Files.exists(file);
+      assertFalse(result);
+    } finally {
+      // --- restore original security manager ---
+      System.setSecurityManager(originalSM);
+    }
+  }
+
+  static boolean isJava18OrLater() {
+    return JavaVirtualMachine.isJavaVersionAtLeast(18);
+  }
+}

utils/socket-utils/build.gradle.kts

@@ -16,6 +16,7 @@ extensions.getByName("tracerJava").withGroovyBuilder {
 dependencies {
   implementation(libs.slf4j)
   implementation(project(":internal-api"))
+  implementation(project(":utils:filesystem-utils"))
   implementation(libs.jnr.unixsocket)
   testImplementation(files(sourceSets["main_java17"].output))
 }