From b9b32a0de129c5ae99efc8d9e2b5be0c2d54063e Mon Sep 17 00:00:00 2001
From: Santiago Mola
Date: Wed, 25 Oct 2023 16:07:48 +0200
Subject: [PATCH 1/2] Fix NPE in IAST evidence redaction

When serializing vulnerability evidence, we could trigger an NPE when the data source has no value (e.g. this happens with request body as source).
---
 .../iast/model/json/EvidenceAdapter.java | 3 +-
 .../redaction/evidence-redaction-suite.yml | 34 +++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/json/EvidenceAdapter.java b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/json/EvidenceAdapter.java
index f90f7d68a67..019b86864e9 100644
--- a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/json/EvidenceAdapter.java
+++ b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/json/EvidenceAdapter.java
@@ -443,7 +443,8 @@ private void addValuePart(
 valueParts.add(new TaintedValuePart(adapter, source, chunk, false));
 } else {
 final int length = chunk.length();
- final int matching = source.getValue().indexOf(chunk);
+ final String sourceValue = source.getValue();
+ final int matching = (sourceValue == null) ? 0 : sourceValue.indexOf(chunk);
 final String pattern;
 if (matching >= 0) {
 // if matches append the matching part from the redacted value
diff --git a/dd-java-agent/agent-iast/src/test/resources/redaction/evidence-redaction-suite.yml b/dd-java-agent/agent-iast/src/test/resources/redaction/evidence-redaction-suite.yml
index 485afe29f2c..8934fd60767 100644
--- a/dd-java-agent/agent-iast/src/test/resources/redaction/evidence-redaction-suite.yml
+++ b/dd-java-agent/agent-iast/src/test/resources/redaction/evidence-redaction-suite.yml
@@ -1753,6 +1753,40 @@ suite:
 ]
 }
+
+ - type: 'VULNERABILITIES'
+ description: 'Tainted range based redaction - with null source '
+ input: >
+ [
+ {
+ "type": "XSS",
+ "evidence": {
+ "value": "this could be a super long text, so we need to reduce it before send it to the backend. This redaction strategy applies to XSS vulnerability but can be extended to future ones",
+ "ranges": [
+ { "start" : 123, "length" : 3, "source": { "origin": "http.request.body" } }
+ ]
+ }
+ }
+ ]
+ expected: >
+ {
+ "sources": [
+ { "origin": "http.request.body" }
+ ],
+ "vulnerabilities": [
+ {
+ "type": "XSS",
+ "evidence": {
+ "valueParts": [
+ { "redacted": true },
+ { "source": 0, "value": "XSS" },
+ { "redacted": true }
+ ]
+ }
+ }
+ ]
+ }
+
 - type: 'VULNERABILITIES'
 description: 'Tainted range based redaction - multiple ranges'
 input: >
From 34b7d730ad77dea10ccfe4e7f3a66f4622b2f834 Mon Sep 17 00:00:00 2001
From: Santiago Mola
Date: Wed, 25 Oct 2023 16:44:32 +0200
Subject: [PATCH 2/2] Fix for SQL Injection case

---
 .../iast/model/json/EvidenceAdapter.java | 2 +-
 .../redaction/evidence-redaction-suite.yml | 32 +++++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/json/EvidenceAdapter.java b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/json/EvidenceAdapter.java
index 019b86864e9..d6da0e76561 100644
--- a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/json/EvidenceAdapter.java
+++ b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/json/EvidenceAdapter.java
@@ -444,7 +444,7 @@ private void addValuePart(
 } else {
 final int length = chunk.length();
 final String sourceValue = source.getValue();
- final int matching = (sourceValue == null) ? 0 : sourceValue.indexOf(chunk);
+ final int matching = (sourceValue == null) ? -1 : sourceValue.indexOf(chunk);
 final String pattern;
 if (matching >= 0) {
 // if matches append the matching part from the redacted value
diff --git a/dd-java-agent/agent-iast/src/test/resources/redaction/evidence-redaction-suite.yml b/dd-java-agent/agent-iast/src/test/resources/redaction/evidence-redaction-suite.yml
index 8934fd60767..cf92538ae54 100644
--- a/dd-java-agent/agent-iast/src/test/resources/redaction/evidence-redaction-suite.yml
+++ b/dd-java-agent/agent-iast/src/test/resources/redaction/evidence-redaction-suite.yml
@@ -247,6 +247,38 @@ suite:
 }
 ]
 }
+ - type: 'VULNERABILITIES'
+ description: 'Query with single quoted string literal and null source'
+ input: >
+ [
+ {
+ "type": "SQL_INJECTION",
+ "evidence": {
+ "value": "select * from users where username = 'user'",
+ "ranges": [
+ { "start" : 38, "length" : 4, "source": { "origin": "http.request.body" } }
+ ]
+ }
+ }
+ ]
+ expected: >
+ {
+ "sources": [
+ { "origin": "http.request.body" }
+ ],
+ "vulnerabilities": [
+ {
+ "type": "SQL_INJECTION",
+ "evidence": {
+ "valueParts": [
+ { "value": "select * from users where username = '" },
+ { "redacted": true, "source": 0, "pattern": "****" },
+ { "value": "'" }
+ ]
+ }
+ }
+ ]
+ }
 - type: 'VULNERABILITIES'
 description: '$1 query with double quoted string literal $2'
 parameters:
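Review bot: In the EvidenceAdapter.java hunk of 2/2, the `-1` in `(sourceValue == null) ? -1 : sourceValue.indexOf(chunk)` is what sends a chunk with no source value to the non-matching path, and the line carries no comment saying so, although 1/2 shows how readily `0` is chosen there instead. I would add above it `// no source value (e.g. request body): report "no match" so the chunk is emitted as a generated pattern, never as source text`. That the non-matching path emits only a pattern is inferred from the new SQL_INJECTION expectation (`"pattern": "****"`), since that branch lies outside the hunk, as do the start and end of addValuePart. If `Source.getValue()` is not already declared nullable, marking it would let the remaining callers be checked for the same dereference.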