fix test

dd-java-agent/agent-iast/build.gradle

@@ -50,7 +50,7 @@ dependencies {
   implementation project(':internal-api')
   implementation project(':internal-api:internal-api-9')
   implementation libs.moshi
-  implementation("org.ow2.asm:asm:9.7")
+  implementation libs.bundles.asm
 
   testFixturesApi project(':dd-java-agent:testing')
   testFixturesApi project(':utils:test-utils')

internal-api/src/main/java/datadog/trace/api/iast/securitycontrol/SecurityControlFormatter.java

@@ -39,9 +39,13 @@ public static List<SecurityControl> format(final @Nonnull String securityControl
     List<SecurityControl> securityControls = new ArrayList<>(list.length);
 
     for (String s : list) {
-      SecurityControl securityControl = getSecurityControl(s);
-      if (securityControl != null) {
-        securityControls.add(securityControl);
+      try {
+        SecurityControl securityControl = getSecurityControl(s);
+        if (securityControl != null) {
+          securityControls.add(securityControl);
+        }
+      } catch (Exception e) {
+        log.warn("Security control configuration is invalid: {}", s);
       }
     }
     return securityControls.isEmpty() ? null : securityControls;
@@ -73,6 +77,10 @@ private static SecurityControl getSecurityControl(@Nonnull final String config)
       String[] elements = split[4].split(SECURITY_CONTROL_ELEMENT_DELIMITER);
       if (elements.length > 0) {
         if (isNumeric(elements[0])) {
+          if (split.length != 6) {
+            log.warn("Security control configuration is invalid: {}", config);
+            return null;
+          }
           parametersToMark = getParametersToMark(elements);
         } else {
           parameterTypes = elements;

internal-api/src/test/groovy/datadog/trace/api/iast/securitycontrol/SecurityControlFormatterTest.groovy

@@ -5,7 +5,7 @@ import datadog.trace.test.util.DDSpecification
 
 class SecurityControlFormatterTest extends DDSpecification{
 
-  void 'test happy path Input validator'() {
+  void 'test simple Input validator'() {
     setup:
     final formatter = new SecurityControlFormatter()
     final config = 'INPUT_VALIDATOR:COMMAND_INJECTION:bar.foo.CustomInputValidator:validate'
@@ -22,7 +22,7 @@ class SecurityControlFormatterTest extends DDSpecification{
     securityControl.getParametersToMark() == null
   }
 
-  void 'test happy path sanitizer'() {
+  void 'test simple sanitizer'() {
     setup:
     final formatter = new SecurityControlFormatter()
     final config = 'SANITIZER:COMMAND_INJECTION:bar.foo.CustomSanitizer:sanitize'
@@ -80,4 +80,88 @@ class SecurityControlFormatterTest extends DDSpecification{
     securityControl.getParameterTypes() == null
     securityControl.getParametersToMark() == null
   }
+
+  void 'test overcharged methods'() {
+    setup:
+    final formatter = new SecurityControlFormatter()
+    final config = 'INPUT_VALIDATOR:COMMAND_INJECTION:bar.foo.CustomInputValidator:validate:java.lang.Object,java.lang.String,java.lang.String'
+    final result = formatter.format(config)
+
+    expect:
+    result.size() == 1
+    def securityControl = result.get(0)
+    securityControl.getType() == SecurityControlType.INPUT_VALIDATOR
+    securityControl.getMarks() == VulnerabilityMarks.COMMAND_INJECTION_MARK
+    securityControl.getClassName() == "bar/foo/CustomInputValidator"
+    securityControl.getMethod() == "validate"
+    securityControl.getParameterTypes() == ["java.lang.Object", "java.lang.String", "java.lang.String"]
+    securityControl.getParametersToMark() == null
+  }
+
+  void 'test parameters to mark'() {
+    setup:
+    final formatter = new SecurityControlFormatter()
+    final config = 'INPUT_VALIDATOR:COMMAND_INJECTION:bar.foo.CustomInputValidator:validate:1,2'
+    final result = formatter.format(config)
+
+    expect:
+    result.size() == 1
+    def securityControl = result.get(0)
+    securityControl.getType() == SecurityControlType.INPUT_VALIDATOR
+    securityControl.getMarks() == VulnerabilityMarks.COMMAND_INJECTION_MARK
+    securityControl.getClassName() == "bar/foo/CustomInputValidator"
+    securityControl.getMethod() == "validate"
+    securityControl.getParameterTypes() == null
+    securityControl.getParametersToMark().size() == 2
+    securityControl.getParametersToMark().contains(1)
+    securityControl.getParametersToMark().contains(2)
+  }
+
+  void 'test overcharged methods with parameters to mark'() {
+    setup:
+    final formatter = new SecurityControlFormatter()
+    final config = 'INPUT_VALIDATOR:COMMAND_INJECTION:bar.foo.CustomInputValidator:validate:java.lang.Object,java.lang.String,java.lang.String:1,2'
+    final result = formatter.format(config)
+
+    expect:
+    result.size() == 1
+    def securityControl = result.get(0)
+    securityControl.getType() == SecurityControlType.INPUT_VALIDATOR
+    securityControl.getMarks() == VulnerabilityMarks.COMMAND_INJECTION_MARK
+    securityControl.getClassName() == "bar/foo/CustomInputValidator"
+    securityControl.getMethod() == "validate"
+    securityControl.getParameterTypes() == ["java.lang.Object", "java.lang.String", "java.lang.String"]
+    securityControl.getParametersToMark().size() == 2
+    securityControl.getParametersToMark().contains(1)
+    securityControl.getParametersToMark().contains(2)
+  }
+
+  void 'test error control'() {
+    setup:
+    final formatter = new SecurityControlFormatter()
+    Throwable thrown = null
+
+    when:
+    try {
+      final result = formatter.format(config)
+    } catch (Throwable t) {
+      thrown = t
+    }
+
+    then:
+    thrown == null
+    final result = formatter.format(config)
+    result == null
+
+    where:
+    config << [
+      '',
+      'This is not a valid configuration',
+      'INPUT_VALIDATOR',
+      'INPUT_VALIDATOR:COMMAND_INJECTION',
+      'INPUT_VALIDATOR:COMMAND_INJECTION:bar.foo.CustomInputValidator',
+      'INPUT_VALIDATOR:COMMAND_INJECTION:bar.foo.CustomInputValidator:validate:1,2',
+      'INPUT_VALIDATOR:COMMAND_INJECTION:bar.foo.CustomInputValidator:validate:1,2:java.lang.Object,java.lang.String,java.lang.String'
+    ]
+  }
 }