Fix org.json iast instrumentation test for latest dependency

Author: jandro996

dd-java-agent/instrumentation/org-json/build.gradle

@@ -18,5 +18,5 @@ dependencies {
   testRuntimeOnly project(':dd-java-agent:instrumentation:iast-instrumenter')
 
   //FIXME: ASM
-  latestDepTestImplementation group: 'org.json', name: 'json', version: '20240303'
+  latestDepTestImplementation group: 'org.json', name: 'json', version: '+'
 }

dd-java-agent/instrumentation/org-json/gradle.lockfile

@@ -116,7 +116,7 @@ org.hamcrest:hamcrest-core:1.3=latestDepTestCompileClasspath,latestDepTestRuntim
 org.hamcrest:hamcrest:2.2=latestDepTestCompileClasspath,latestDepTestRuntimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.jctools:jctools-core:3.3.0=instrumentPluginClasspath,latestDepTestRuntimeClasspath,muzzleTooling,runtimeClasspath,testRuntimeClasspath
 org.json:json:20230227=compileClasspath,testCompileClasspath,testRuntimeClasspath
-org.json:json:20240303=latestDepTestCompileClasspath,latestDepTestRuntimeClasspath
+org.json:json:20250107=latestDepTestCompileClasspath,latestDepTestRuntimeClasspath
 org.junit.jupiter:junit-jupiter-api:5.9.2=latestDepTestCompileClasspath,latestDepTestRuntimeClasspath,testCompileClasspath,testRuntimeClasspath
 org.junit.jupiter:junit-jupiter-engine:5.9.2=latestDepTestRuntimeClasspath,testRuntimeClasspath
 org.junit.platform:junit-platform-commons:1.9.2=latestDepTestCompileClasspath,latestDepTestRuntimeClasspath,testCompileClasspath,testRuntimeClasspath

dd-java-agent/instrumentation/org-json/src/main/java/datadog/trace/instrumentation/json/JSONArrayInstrumentation.java

@@ -35,13 +35,6 @@ public void methodAdvice(MethodTransformer transformer) {
     transformer.applyAdvice(
         isConstructor().and(takesArguments(String.class)),
         getClass().getName() + "$ConstructorAdvice");
-    transformer.applyAdvice(
-        isMethod()
-            .and(isPublic())
-            .and(returns(Object.class))
-            .and(named("get"))
-            .and(takesArguments(1)),
-        getClass().getName() + "$GetAdvice");
     transformer.applyAdvice(
         isMethod().and(isPublic()).and(returns(Object.class)).and(named("opt")),
         getClass().getName() + "$OptAdvice");
@@ -58,26 +51,6 @@ public static void afterInit(@Advice.This Object self, @Advice.Argument(0) final
     }
   }
 
-  public static class GetAdvice {
-    @Advice.OnMethodExit(suppress = Throwable.class)
-    @Propagation
-    public static void afterMethod(@Advice.This Object self, @Advice.Return final Object result) {
-      boolean isString = result instanceof String;
-      boolean isJson = !isString && (result instanceof JSONObject || result instanceof JSONArray);
-      if (!isString && !isJson) {
-        return;
-      }
-      final PropagationModule iastModule = InstrumentationBridge.PROPAGATION;
-      if (iastModule != null) {
-        if (isString) {
-          iastModule.taintStringIfTainted((String) result, self);
-        } else {
-          iastModule.taintObjectIfTainted(result, self);
-        }
-      }
-    }
-  }
-
   public static class OptAdvice {
     @Advice.OnMethodExit(suppress = Throwable.class)
     @Propagation

dd-java-agent/instrumentation/org-json/src/main/java/datadog/trace/instrumentation/json/JSONObjectInstrumentation.java

@@ -33,13 +33,6 @@ public String instrumentedType() {
   public void methodAdvice(MethodTransformer transformer) {
     transformer.applyAdvice(
         isConstructor().and(takesArguments(1)), getClass().getName() + "$ConstructorAdvice");
-    transformer.applyAdvice(
-        isMethod()
-            .and(isPublic())
-            .and(returns(Object.class))
-            .and(named("get"))
-            .and(takesArguments(String.class)),
-        getClass().getName() + "$GetAdvice");
     transformer.applyAdvice(
         isMethod()
             .and(isPublic())
@@ -60,26 +53,6 @@ public static void afterInit(@Advice.This Object self, @Advice.Argument(0) final
     }
   }
 
-  public static class GetAdvice {
-    @Advice.OnMethodExit(suppress = Throwable.class)
-    @Propagation
-    public static void afterMethod(@Advice.This Object self, @Advice.Return final Object result) {
-      boolean isString = result instanceof String;
-      boolean isJson = !isString && (result instanceof JSONObject || result instanceof JSONArray);
-      if (!isString && !isJson) {
-        return;
-      }
-      final PropagationModule iastModule = InstrumentationBridge.PROPAGATION;
-      if (iastModule != null) {
-        if (isString) {
-          iastModule.taintStringIfTainted((String) result, self);
-        } else {
-          iastModule.taintObjectIfTainted(result, self);
-        }
-      }
-    }
-  }
-
   public static class OptAdvice {
     @Advice.OnMethodExit(suppress = Throwable.class)
     @Propagation

dd-java-agent/instrumentation/org-json/src/test/groovy/JSONArrayInstrumentationTest.groovy

@@ -7,6 +7,16 @@ import org.json.JSONTokener
 
 class JSONArrayInstrumentationTest extends AgentTestRunner {
 
+  private static json = """{"menu": {
+    "name": "nameTest",
+    "value": "File",
+    "popup": "Popup",
+    "labels": [
+        "File",
+        "Edit"
+      ]
+  }}"""
+
   @Override
   void configurePreAgent() {
     injectSysConfig("dd.iast.enabled", "true")
@@ -16,57 +26,40 @@ class JSONArrayInstrumentationTest extends AgentTestRunner {
     given:
     final module = Mock(PropagationModule)
     InstrumentationBridge.registerIastModule(module)
-    final json = """{"menu": {
-      "name": "nameTest",
-      "value": "File",
-      "popup": "Popup",
-      "labels": [
-          "File",
-          "Edit"
-        ]
-    }}"""
+    final jsonObject = new JSONObject(json)
+    final menuObject = jsonObject.getJSONObject("menu")
 
     when:
-    final jsonObject = new JSONObject(json)
-    final name = jsonObject.getJSONObject("menu").getJSONArray("labels").get(0)
+    final array = menuObject.getJSONArray("labels")
 
     then:
-    name == "File"
-    1 * module.taintObjectIfTainted(_ as JSONObject, json)
-    2 * module.taintObjectIfTainted(_ as JSONObject, _ as JSONTokener)
-    2 * module.taintObjectIfTainted(_ as JSONObject, _ as JSONObject)
-    1 * module.taintObjectIfTainted(_ as JSONTokener, json)
-    2 * module.taintObjectIfTainted(_ as JSONArray, _ as JSONObject)
-    2 * module.taintStringIfTainted("File", _ as JSONArray)
+    array.length() == 2
+    array.get(0) == "File"
+    array.get(1) == "Edit"
+    1 * module.taintObjectIfTainted(_ as JSONArray, _ as JSONObject)
     0 * _
   }
 
   void 'test JSONObject returning an array and calling opt on it'() {
     given:
     final module = Mock(PropagationModule)
     InstrumentationBridge.registerIastModule(module)
-    final json = """{"menu": {
-      "name": "nameTest",
-      "value": "File",
-      "popup": "Popup",
-      "labels": [
-          "File",
-          "Edit"
-        ]
-    }}"""
+    final jsonObject = new JSONObject(json)
+    final jsonArray =jsonObject.getJSONObject("menu").getJSONArray("labels")
 
     when:
-    final jsonObject = new JSONObject(json)
-    final name = jsonObject.getJSONObject("menu").getJSONArray("labels").optString(0, "defaultvalue")
+    final name = jsonArray.optString(0, "defaultvalue")
 
     then:
     name == "File"
-    1 * module.taintObjectIfTainted(_ as JSONObject, json)
-    2 * module.taintObjectIfTainted(_ as JSONObject, _ as JSONTokener)
-    2 * module.taintObjectIfTainted(_ as JSONObject, _ as JSONObject)
-    1 * module.taintObjectIfTainted(_ as JSONTokener, json)
-    2 * module.taintObjectIfTainted(_ as JSONArray, _ as JSONObject)
     1 * module.taintStringIfTainted("File", _ as JSONArray)
     0 * _
+
+    where:
+    method      | arguments
+    "opt"       | [0]
+    "optString" | [0, "defaultvalue"]
+    "get"       | [0]
+    "getString" | [0, "defaultvalue"]
   }
 }

dd-java-agent/instrumentation/org-json/src/test/groovy/JSONObjectInstrumentationTest.groovy

@@ -25,83 +25,66 @@ class JSONObjectInstrumentationTest extends AgentTestRunner {
     }}"""
 
     when:
-    final jsonObject = new JSONObject(json)
-    final name = jsonObject.getJSONObject("menu").get("name")
+    new JSONObject(json)
 
     then:
-    name == "nameTest"
     1 * module.taintObjectIfTainted(_ as JSONObject, json)
-    2 * module.taintObjectIfTainted(_ as JSONObject, _ as JSONTokener)
-    2 * module.taintObjectIfTainted(_ as JSONObject, _ as JSONObject)
     1 * module.taintObjectIfTainted(_ as JSONTokener, json)
-    2 * module.taintStringIfTainted("nameTest", _ as JSONObject)
     0 * _
   }
 
-  void 'test JSONObject opt'() {
+  void 'test JSONObject JSonTokenizer constructor'() {
     given:
     final module = Mock(PropagationModule)
     InstrumentationBridge.registerIastModule(module)
-    final json = """{"menu": {
-      "name": "nameTest",
-      "value": "File",
-      "popup": "Popup",
-          "labels": [
-          "File",
-          "Edit"
-        ]
-    }}"""
+    final json = '{"name": "nameTest", "value" : "valueTest"}'
+    final jsonTokener = new JSONTokener(json)
 
     when:
-    final jsonObject = new JSONObject(json)
-    final name = jsonObject.getJSONObject("menu").optString("name")
+    new JSONObject(jsonTokener)
 
     then:
-    name == "nameTest"
-    1 * module.taintObjectIfTainted(_ as JSONObject, json)
-    2 * module.taintObjectIfTainted(_ as JSONObject, _ as JSONTokener)
-    2 * module.taintObjectIfTainted(_ as JSONObject, _ as JSONObject)
-    1 * module.taintObjectIfTainted(_ as JSONTokener, json)
-    1 * module.taintStringIfTainted("nameTest", _ as JSONObject)
+    1 * module.taintObjectIfTainted(_ as JSONObject, _ as JSONTokener)
     0 * _
   }
 
-
-
-  void 'test JSONObject JSonTokenizer constructor'() {
+  void 'test JSONObject map constructor'(){
     given:
+    final Map<String, String> map = new HashMap<>()
+    map.put("name", "nameTest")
+    map.put("age", "22")
+    map.put("city", "chicago")
     final module = Mock(PropagationModule)
     InstrumentationBridge.registerIastModule(module)
-    final json = '{"name": "nameTest", "value" : "valueTest"}'
 
     when:
-    final jsonObject = new JSONObject(new JSONTokener(json))
-    final name = jsonObject.get("name")
+    new JSONObject(map)
 
     then:
-    name == "nameTest"
-    1 * module.taintObjectIfTainted(_ as JSONObject, _ as JSONTokener)
-    1 * module.taintObjectIfTainted(_ as JSONTokener, json)
-    2 * module.taintStringIfTainted("nameTest", _ as JSONObject)
+    1 * module.taintObjectIfTainted(_ as JSONObject, map)
     0 * _
   }
 
-  void 'test JSONObject map constructor'(){
+
+  void 'test JSONObject #method'() {
     given:
-    final Map<String, String> map = new HashMap<>()
-    map.put("name", "nameTest")
-    map.put("age", "22")
-    map.put("city", "chicago")
     final module = Mock(PropagationModule)
     InstrumentationBridge.registerIastModule(module)
+    final json = """{"menu": {
+      "name": "nameTest"
+    }}"""
+    final jsonObject = new JSONObject(json)
+    final getObject =jsonObject.getJSONObject("menu")
 
     when:
-    final jsonObject = new JSONObject(map)
-    jsonObject.get("name")
+    final name = getObject."$method"('name')
 
     then:
-    1 * module.taintObjectIfTainted(_ as JSONObject, map)
-    2 * module.taintStringIfTainted("nameTest", _ as JSONObject)
+    name == "nameTest"
+    1 * module.taintStringIfTainted("nameTest", _ as JSONObject)
     0 * _
+
+    where:
+    method << ['get', 'getString', 'opt', 'optString']
   }
 }