chore(crashtracking): More string redaction

bric3 · bric3 · commit f3b04477b753 · 2026-04-01T18:52:53.000+02:00
diff --git a/dd-java-agent/agent-crashtracking/src/main/java/datadog/crashtracking/parsers/RedactUtils.java b/dd-java-agent/agent-crashtracking/src/main/java/datadog/crashtracking/parsers/RedactUtils.java
@@ -72,26 +72,57 @@ private RedactUtils() {}
   public static String redactRegisterToMemoryMapping(String value) {
     if (value == null || value.isEmpty()) return value;
     String[] lines = value.split("\n", -1);
+    // java.lang.Class oop dumps: String fields hold class names, not arbitrary data.
+    // All other oop types: String fields are application data and must be fully redacted.
+    boolean isClassOop = isJavaLangClassOop(lines[0]);
     StringBuilder sb = new StringBuilder();
     for (int i = 0; i < lines.length; i++) {
       if (i > 0) sb.append('\n');
-      sb.append(redactLine(lines[i]));
+      sb.append(redactLine(lines[i], isClassOop));
     }
     return sb.toString();
   }
 
-  private static String redactLine(String line) {
+  /**
+   * Returns true if the first line of a register-to-memory mapping value indicates a {@code
+   * java.lang.Class} oop (not a subclass or other type).
+   */
+  private static boolean isJavaLangClassOop(String firstLine) {
+    int idx = firstLine.indexOf("is an oop: java.lang.Class");
+    if (idx < 0) return false;
+    // Ensure the class name ends here — not a prefix of e.g. java.lang.ClassLoader
+    int end = idx + "is an oop: java.lang.Class".length();
+    return end >= firstLine.length() || firstLine.charAt(end) == ' ';
+  }
+
+  private static String redactLine(String line, boolean isClassOop) {
     line = redactStringTypeValue(line);
     line = redactTypeDescriptors(line);
     line = redactKlassReference(line);
     line = redactMethodClass(line);
     line = redactLibraryPath(line);
-    line = redactDottedClassOopRef(line);
+    line = redactStringOopRef(line, isClassOop);
     line = redactOopClassName(line);
     line = redactReadableMemoryHexDump(line);
     return line;
   }
 
+  /**
+   * Redacts {@code "value"\{0x...\}} OOP references in oop dump field lines. When {@code
+   * isClassOop} is true (inside a {@code java.lang.Class} oop dump) the value is treated as a class
+   * name and its package is redacted. Otherwise — any other oop type — the value is always fully
+   * redacted to {@code "REDACTED"} since it may be arbitrary application data.
+   */
+  private static String redactStringOopRef(String line, boolean isClassOop) {
+    return replaceAll(
+        DOTTED_CLASS_OOP_REF,
+        line,
+        m ->
+            isClassOop
+                ? "\"" + redactDottedClassName(m.group(1)) + "\"" + m.group(2)
+                : "\"" + REDACTED_STRING + "\"" + m.group(2));
+  }
+
   /**
    * Redacts string content in String oop dump lines: <code> - string: "Some string"</code> to
    * <code> - string: "REDACTED"</code>
@@ -127,23 +158,23 @@ static String redactMethodClass(String line) {
   }
 
   /**
-   * Redacts all but the parent directory and filename from a library path. Handles both
-   * <code>&lt;offset 0x...&gt; in /path/to/dir/lib.so</code> and <code>symbol+0 in
+   * Redacts all but the parent directory and filename from a library path. Handles both <code>
+   * &lt;offset 0x...&gt; in /path/to/dir/lib.so</code> and <code>symbol+0 in
    * /path/to/dir/lib.so</code> to <code>... in /redacted/redacted/dir/lib.so</code>
    */
   static String redactLibraryPath(String line) {
     return replaceAll(LIBRARY_PATH, line, m -> m.group(1) + redactPath(m.group(2)));
   }
 
   /**
-   * Redacts dotted class names that appear as inline field values followed by an OOP reference:
-   * <code>"com.company.SomeType"{0x...}</code> to <code>"redacted.redacted.SomeType"{0x...}</code>
+   * Redacts any {@code "value"\{0x...\}} OOP reference to {@code "REDACTED"\{0x...\}}. This is the
+   * safe default for lines that are not part of a {@code java.lang.Class} oop dump, where the
+   * String value may be arbitrary application data. For class-name-aware redaction (inside a {@code
+   * java.lang.Class} oop) use {@link #redactRegisterToMemoryMapping} which detects the oop type
+   * automatically.
    */
   static String redactDottedClassOopRef(String line) {
-    return replaceAll(
-        DOTTED_CLASS_OOP_REF,
-        line,
-        m -> "\"" + redactDottedClassName(m.group(1)) + "\"" + m.group(2));
+    return redactStringOopRef(line, false);
   }
 
   /**
diff --git a/dd-java-agent/agent-crashtracking/src/test/java/datadog/crashtracking/parsers/HotspotCrashLogParserTest.java b/dd-java-agent/agent-crashtracking/src/test/java/datadog/crashtracking/parsers/HotspotCrashLogParserTest.java
@@ -84,9 +84,9 @@ public void testRegisterParsingMacosAarch64() throws Exception {
   }
 
   /**
-   * Verifies the register-to-memory mapping section for the macOS aarch64 sample:
-   * representative values, library path redaction, and that "Top of Stack:" / "Instructions:"
-   * subsections are not absorbed into register values.
+   * Verifies the register-to-memory mapping section for the macOS aarch64 sample: representative
+   * values, library path redaction, and that "Top of Stack:" / "Instructions:" subsections are not
+   * absorbed into register values.
    */
   @Test
   public void testRegisterToMemoryMappingMacosAarch64() throws Exception {
@@ -109,7 +109,8 @@ public void testRegisterToMemoryMappingMacosAarch64() throws Exception {
         .extractingByKey("x16", STRING)
         .isEqualTo(
             "0x0000000182d709d0: pthread_jit_write_protect_np+0 in /redacted/redacted/system/libsystem_pthread.dylib at 0x0000000182d69000");
-    // /Users/USER/.local/share/mise/installs/java/25.0.2/lib/server/libjvm.dylib → 9 redacted + "server/libjvm.dylib"
+    // /Users/USER/.local/share/mise/installs/java/25.0.2/lib/server/libjvm.dylib → 9 redacted +
+    // "server/libjvm.dylib"
     assertThat(mapping)
         .extractingByKey("x21", STRING)
         .isEqualTo(
@@ -124,8 +125,7 @@ public void testRegisterToMemoryMappingMacosAarch64() throws Exception {
     // "Top of Stack: (sp=0x...)" and "Instructions: (pc=0x...)" must not leak into register values
     assertThat(mapping).doesNotContainKey("Top of Stack");
     assertThat(mapping)
-        .allSatisfy(
-            (k, v) -> assertThat(v).doesNotContain("Top of Stack:", "Instructions:"));
+        .allSatisfy((k, v) -> assertThat(v).doesNotContain("Top of Stack:", "Instructions:"));
 
     // sp is the last register before "Top of Stack:" — its value must be clean
     assertThat(mapping)
diff --git a/dd-java-agent/agent-crashtracking/src/test/java/datadog/crashtracking/parsers/RedactUtilsTest.java b/dd-java-agent/agent-crashtracking/src/test/java/datadog/crashtracking/parsers/RedactUtilsTest.java
@@ -168,21 +168,26 @@ void testRedactLibraryPath_leavesUnrelatedLinesUnchanged() {
   }
 
   @Test
-  void testRedactDottedClassOopRef_redactsUnknownPackage() {
+  void testRedactDottedClassOopRef_redactsAnyStringOopRef() {
+    // Without oop-type context, all "value"{0x...} OOP refs are treated as arbitrary application
+    // data and fully redacted — even if the value looks like a class name
     assertThat(
             RedactUtils.redactDottedClassOopRef(
                 " - private transient 'name' 'Ljava/lang/String;' @44  \"com.company.SomeType\"{0x00000007142f7200} (0xe285ee40)"))
         .isEqualTo(
-            " - private transient 'name' 'Ljava/lang/String;' @44  \"redacted.redacted.SomeType\"{0x00000007142f7200} (0xe285ee40)");
-  }
-
-  @Test
-  void testRedactDottedClassOopRef_keepsKnownPackage() {
+            " - private transient 'name' 'Ljava/lang/String;' @44  \"REDACTED\"{0x00000007142f7200} (0xe285ee40)");
+    // Dotted names with known packages are also fully redacted — any string can be a secret
     assertThat(
             RedactUtils.redactDottedClassOopRef(
                 " - private transient 'name' 'Ljava/lang/String;' @44  \"jdk.internal.misc.Unsafe\"{0x00000007142f7200} (0xe285ee40)"))
         .isEqualTo(
-            " - private transient 'name' 'Ljava/lang/String;' @44  \"jdk.internal.misc.Unsafe\"{0x00000007142f7200} (0xe285ee40)");
+            " - private transient 'name' 'Ljava/lang/String;' @44  \"REDACTED\"{0x00000007142f7200} (0xe285ee40)");
+    // Plain single-word strings (no dots) are also redacted
+    assertThat(
+            RedactUtils.redactDottedClassOopRef(
+                " - final 'value' 'Ljava/lang/String;' @40  \"SourceFile\"{0x00000007ffe7a6a0} (0xfffcf4d4)"))
+        .isEqualTo(
+            " - final 'value' 'Ljava/lang/String;' @40  \"REDACTED\"{0x00000007ffe7a6a0} (0xfffcf4d4)");
   }
 
   @Test
@@ -209,25 +214,48 @@ void testRedactRegisterToMemoryMapping_methodDescriptor() {
 
   @Test
   void testRedactRegisterToMemoryMapping_multilineOopDump() {
-    // Mirrors the java.lang.Class oop dump format: the 'name' field holds a dotted class name
-    // as an inline string value followed by an OOP ref, and 'loader' holds a typed object ref.
+    // Non-java.lang.Class oop: ALL "value"{0x...} OOP refs are fully redacted to "REDACTED"
+    // regardless of their shape — any string value may be a secret.
     String value =
-        "0x00000007ffe85850 is an oop: com.company.Config \n"
-            + "{0x00000007ffe85850} - klass: 'com/company/Config'\n"
-            + " - ---- fields (total size 3 words):\n"
-            + " - private transient 'name' 'Ljava/lang/String;' @12  \"com.company.Config\"{0x00000007aabbccdd} (0x12345678)\n"
-            + " - private 'owner' 'Lcom/company/User;' @16  null (0x00000000)\n"
+        "0x00000007142f8848 is an oop: com.company.SymbolEntry \n"
+            + "{0x00000007142f8848} - klass: 'com/company/SymbolEntry'\n"
+            + " - ---- fields (total size 9 words):\n"
+            + " - final 'tag' 'Ljava/lang/String;' @12  \"SourceFile\"{0x00000007ffe7a6a0} (0xfffcf4d4)\n"
+            + " - final 'value' 'Ljava/lang/String;' @16  \"com.company.Config\"{0x00000007aabbccdd} (0x12345678)\n"
+            + " - final 'hint' 'Ljava/lang/String;' @20  \"java.vendor.url.bug\"{0x00000007aabbccee} (0x12345679)\n"
+            + " - final 'owner' 'Ljava/lang/String;' @24  null (0x00000000)\n"
             + " - string: \"some sensitive value\"";
     assertThat(RedactUtils.redactRegisterToMemoryMapping(value))
         .isEqualTo(
-            "0x00000007ffe85850 is an oop: redacted.redacted.Config \n"
-                + "{0x00000007ffe85850} - klass: 'redacted/redacted/Config'\n"
-                + " - ---- fields (total size 3 words):\n"
-                + " - private transient 'name' 'Ljava/lang/String;' @12  \"redacted.redacted.Config\"{0x00000007aabbccdd} (0x12345678)\n"
-                + " - private 'owner' 'Lredacted/redacted/User;' @16  null (0x00000000)\n"
+            "0x00000007142f8848 is an oop: redacted.redacted.SymbolEntry \n"
+                + "{0x00000007142f8848} - klass: 'redacted/redacted/SymbolEntry'\n"
+                + " - ---- fields (total size 9 words):\n"
+                + " - final 'tag' 'Ljava/lang/String;' @12  \"REDACTED\"{0x00000007ffe7a6a0} (0xfffcf4d4)\n"
+                + " - final 'value' 'Ljava/lang/String;' @16  \"REDACTED\"{0x00000007aabbccdd} (0x12345678)\n"
+                + " - final 'hint' 'Ljava/lang/String;' @20  \"REDACTED\"{0x00000007aabbccee} (0x12345679)\n"
+                + " - final 'owner' 'Ljava/lang/String;' @24  null (0x00000000)\n"
                 + " - string: \"REDACTED\"");
   }
 
+  @Test
+  void testRedactRegisterToMemoryMapping_javaLangClassOopPreservesClassName() {
+    // java.lang.Class oop: String OOP refs in field values are treated as class names and
+    // get package redaction (not full redaction), since that is what java.lang.Class stores.
+    String value =
+        "0x00000007ffe85850 is an oop: java.lang.Class \n"
+            + "{0x00000007ffe85850} - klass: 'java/lang/Class'\n"
+            + " - ---- fields (total size 25 words):\n"
+            + " - private transient 'name' 'Ljava/lang/String;' @44  \"com.company.Config\"{0x00000007aabbccdd} (0x12345678)\n"
+            + " - private transient 'name' 'Ljava/lang/String;' @44  \"jdk.internal.misc.Unsafe\"{0x00000007142f7200} (0xe285ee40)";
+    assertThat(RedactUtils.redactRegisterToMemoryMapping(value))
+        .isEqualTo(
+            "0x00000007ffe85850 is an oop: java.lang.Class \n"
+                + "{0x00000007ffe85850} - klass: 'java/lang/Class'\n"
+                + " - ---- fields (total size 25 words):\n"
+                + " - private transient 'name' 'Ljava/lang/String;' @44  \"redacted.redacted.Config\"{0x00000007aabbccdd} (0x12345678)\n"
+                + " - private transient 'name' 'Ljava/lang/String;' @44  \"jdk.internal.misc.Unsafe\"{0x00000007142f7200} (0xe285ee40)");
+  }
+
   @Test
   void testRedactRegisterToMemoryMapping_libraryPath() {
     assertThat(
