Fix NPE in AppSecConfigServiceImpl

manuel-alvarez-alvarez · manuel-alvarez-alvarez · commit 06844589429d · 2025-07-12T01:52:19.000+02:00
diff --git a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/AppSecConfigServiceImpl.java b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/AppSecConfigServiceImpl.java
@@ -75,8 +75,8 @@ public class AppSecConfigServiceImpl implements AppSecConfigService {
   private final ConfigurationPoller configurationPoller;
   private WafBuilder wafBuilder;
 
-  private MergedAsmFeatures mergedAsmFeatures;
-  private volatile boolean initialized;
+  private final MergedAsmFeatures mergedAsmFeatures = new MergedAsmFeatures();
+  private volatile State state = State.UNINITIALIZED;
 
   private final ConcurrentHashMap<String, SubconfigListener> subconfigListeners =
       new ConcurrentHashMap<>();
@@ -95,8 +95,6 @@ public class AppSecConfigServiceImpl implements AppSecConfigService {
           .build()
           .adapter(Types.newParameterizedType(Map.class, String.class, Object.class));
 
-  private boolean hasUserWafConfig;
-  private boolean defaultConfigActivated;
   private final Set<String> usedDDWafConfigKeys = new HashSet<>();
   private final String DEFAULT_WAF_CONFIG_RULE = "DEFAULT_WAF_CONFIG";
   private String currentRuleVersion;
@@ -119,7 +117,7 @@ private void subscribeConfigurationPoller() {
     // see also close() method
     subscribeAsmFeatures();
 
-    if (!hasUserWafConfig) {
+    if (state != State.USER_CONFIG) {
       subscribeRulesAndData();
     } else {
       log.debug("Will not subscribe to ASM, ASM_DD and ASM_DATA (AppSec custom rules in use)");
@@ -173,10 +171,7 @@ private class AppSecConfigChangesListener implements ProductListener {
     @Override
     public void accept(ConfigKey configKey, byte[] content, PollingRateHinter pollingRateHinter)
         throws IOException {
-      if (!initialized) {
-        throw new IllegalStateException();
-      }
-
+      maybeInit();
       if (content == null) {
         try {
           wafBuilder.removeConfig(configKey.toString());
@@ -210,15 +205,15 @@ private class AppSecConfigChangesDDListener extends AppSecConfigChangesListener
     @Override
     public void accept(ConfigKey configKey, byte[] content, PollingRateHinter pollingRateHinter)
         throws IOException {
-      if (defaultConfigActivated) { // if we get any config, remove the default one
+      if (state == State.DEFAULT_CONFIG) { // if we get any config, remove the default one
         log.debug("Removing default config");
         try {
           wafBuilder.removeConfig(DEFAULT_WAF_CONFIG_RULE);
         } catch (UnclassifiedWafException e) {
           throw new RuntimeException(e);
         }
-        defaultConfigActivated = false;
       }
+      state = State.REMOTE_CONFIG;
       super.accept(configKey, content, pollingRateHinter);
       usedDDWafConfigKeys.add(configKey.toString());
     }
@@ -228,6 +223,9 @@ public void remove(ConfigKey configKey, PollingRateHinter pollingRateHinter)
         throws IOException {
       super.remove(configKey, pollingRateHinter);
       usedDDWafConfigKeys.remove(configKey.toString());
+      if (usedDDWafConfigKeys.isEmpty()) {
+        init(); // initialize again the default config
+      }
     }
   }
 
@@ -252,7 +250,7 @@ private void handleWafUpdateResultReport(String configKey, Map<String, Object> r
       if (wafDiagnostics.rulesetVersion != null
           && !wafDiagnostics.rulesetVersion.isEmpty()
           && !wafDiagnostics.rules.getLoaded().isEmpty()
-          && (!defaultConfigActivated || currentRuleVersion == null)) {
+          && (state != State.DEFAULT_CONFIG || currentRuleVersion == null)) {
         currentRuleVersion = wafDiagnostics.rulesetVersion;
         statsReporter.setRulesVersion(currentRuleVersion);
         if (modulesToUpdateVersionIn != null) {
@@ -282,13 +280,7 @@ private void subscribeAsmFeatures() {
         Product.ASM_FEATURES,
         AppSecFeaturesDeserializer.INSTANCE,
         (configKey, newConfig, hinter) -> {
-          if (!hasUserWafConfig && !defaultConfigActivated) {
-            // features activated in runtime
-            init();
-          }
-          if (!initialized) {
-            throw new IllegalStateException();
-          }
+          maybeInit();
           if (newConfig == null) {
             mergedAsmFeatures.removeConfig(configKey);
           } else {
@@ -305,10 +297,6 @@ private void subscribeAsmFeatures() {
 
   private void distributeSubConfigurations(
       String key, AppSecModuleConfigurer.Reconfiguration reconfiguration) {
-    if (usedDDWafConfigKeys.isEmpty() && !defaultConfigActivated && !hasUserWafConfig) {
-      // no config left in the WAF builder, add the default config
-      init();
-    }
     for (Map.Entry<String, SubconfigListener> entry : subconfigListeners.entrySet()) {
       SubconfigListener listener = entry.getValue();
       try {
@@ -320,29 +308,33 @@ private void distributeSubConfigurations(
     }
   }
 
+  private void maybeInit() {
+    if (state == State.UNINITIALIZED) {
+      init();
+    }
+  }
+
   @Override
   public void init() {
     Map<String, Object> wafConfig;
-    hasUserWafConfig = false;
     try {
       wafConfig = loadUserWafConfig(tracerConfig);
+      state = State.USER_CONFIG;
     } catch (Exception e) {
       log.error("Error loading user-provided config", e);
       throw new AbortStartupException("Error loading user-provided config", e);
     }
     if (wafConfig == null) {
       try {
         wafConfig = loadDefaultWafConfig();
-        defaultConfigActivated = true;
+        state = State.DEFAULT_CONFIG;
       } catch (IOException e) {
         log.error("Error loading default config", e);
         throw new AbortStartupException("Error loading default config", e);
       }
-    } else {
-      hasUserWafConfig = true;
     }
-    this.mergedAsmFeatures = new MergedAsmFeatures();
-    this.initialized = true;
+    mergedAsmFeatures.clear();
+    usedDDWafConfigKeys.clear();
 
     if (wafConfig.isEmpty()) {
       throw new IllegalStateException("Expected default waf config to be available");
@@ -356,7 +348,7 @@ public void init() {
 
   public void maybeSubscribeConfigPolling() {
     if (this.configurationPoller != null) {
-      if (hasUserWafConfig
+      if (state == State.USER_CONFIG
           && tracerConfig.getAppSecActivation() == ProductActivation.FULLY_ENABLED) {
         log.info(
             "AppSec will not use remote config because "
@@ -467,6 +459,7 @@ private static int countRules(Map<String, Object> config) {
 
   @Override
   public void close() {
+    state = State.UNINITIALIZED;
     if (this.configurationPoller == null) {
       return;
     }
@@ -558,4 +551,11 @@ private static WafConfig createWafConfig(Config config) {
     }
     return wafConfig;
   }
+
+  private enum State {
+    UNINITIALIZED,
+    DEFAULT_CONFIG,
+    USER_CONFIG,
+    REMOTE_CONFIG
+  }
 }
diff --git a/dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/MergedAsmFeatures.java b/dd-java-agent/appsec/src/main/java/com/datadog/appsec/config/MergedAsmFeatures.java
@@ -49,4 +49,9 @@ private void mergeAutoUserInstrum(
     }
     target.autoUserInstrum = newValue;
   }
+
+  public void clear() {
+    mergedData = null;
+    configs.clear();
+  }
 }
diff --git a/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/config/AppSecConfigServiceImplSpecification.groovy b/dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/config/AppSecConfigServiceImplSpecification.groovy
@@ -20,6 +20,7 @@ import java.nio.file.Files
 import java.nio.file.Path
 import java.nio.file.Paths
 
+
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_ACTIVATION
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_AUTO_USER_INSTRUM_MODE
 import static datadog.remoteconfig.Capabilities.CAPABILITY_ASM_CUSTOM_BLOCKING_RESPONSE
@@ -130,7 +131,6 @@ class AppSecConfigServiceImplSpecification extends DDSpecification {
     appSecConfigService.maybeSubscribeConfigPolling()
 
     then:
-    2 * config.getAppSecActivation() >> ProductActivation.ENABLED_INACTIVE
     1 * poller.addListener(Product.ASM_FEATURES, _, _)
     1 * poller.addConfigurationEndListener(_)
     0 * poller.addListener(*_)
@@ -759,6 +759,68 @@ class AppSecConfigServiceImplSpecification extends DDSpecification {
     p.toFile().delete()
   }
 
+  // https://github.com/DataDog/dd-trace-java/issues/9159
+  void 'test initialization issues while applying remote config'() {
+    setup:
+    final key = new ParsedConfigKey('Test', '1234', 1, 'ASM_DD', 'ID')
+    final service = new AppSecConfigServiceImpl(config, poller, reconf)
+    config.getAppSecActivation() >> ProductActivation.ENABLED_INACTIVE
+
+    when:
+    service.maybeSubscribeConfigPolling()
+
+    then:
+    1 * poller.addListener(Product.ASM_DD, _) >> {
+      listeners.savedWafDataChangesListener = it[1]
+    }
+
+    when:
+    listeners.savedWafDataChangesListener.accept(key, '''{"rules_override": [{"rules_target": [{"rule_id": "foo"}], "enabled": false}]}'''.getBytes(), NOOP)
+
+    then:
+    noExceptionThrown()
+  }
+
+  void 'test default config is applied when RC removes all ASM_DD configs'() {
+    setup:
+    final key = new ParsedConfigKey('Test', '1234', 1, 'ASM_DD', 'ID')
+    final service = new AppSecConfigServiceImpl(config, poller, reconf)
+    config.getAppSecActivation() >> ProductActivation.ENABLED_INACTIVE
+
+    when: 'start with the system not yet initialized'
+    service.maybeSubscribeConfigPolling()
+
+    then: 'state is UNINITIALIZED'
+    1 * poller.addListener(Product.ASM_DD, _) >> {
+      listeners.savedWafDataChangesListener = it[1]
+    }
+    1 * poller.addListener(Product.ASM_FEATURES, _, _) >> {
+      listeners.savedFeaturesDeserializer = it[1]
+      listeners.savedFeaturesListener = it[2]
+    }
+    service.state == AppSecConfigServiceImpl.State.UNINITIALIZED
+
+    when: 'ASM is enabled via RC'
+    listeners.savedFeaturesListener.accept('asm_features conf',
+      listeners.savedFeaturesDeserializer.deserialize('{"asm":{"enabled": true}}'.bytes),
+      NOOP)
+
+    then: 'state is DEFAULT_CONFIG'
+    service.state == AppSecConfigServiceImpl.State.DEFAULT_CONFIG
+
+    when: 'Received a new config via RC'
+    listeners.savedWafDataChangesListener.accept(key, '''{"rules_override": [{"rules_target": [{"rule_id": "foo"}], "enabled": false}]}'''.getBytes(), NOOP)
+
+    then: 'state is REMOTE_CONFIG'
+    service.state == AppSecConfigServiceImpl.State.REMOTE_CONFIG
+
+    when: 'Remove all configs via RC'
+    listeners.savedWafDataChangesListener.remove(key, NOOP)
+
+    then: 'state is back to DEFAULT_CONFIG'
+    service.state == AppSecConfigServiceImpl.State.DEFAULT_CONFIG
+  }
+
   private static AppSecFeatures autoUserInstrum(String mode) {
     return new AppSecFeatures().tap { features ->
       features.autoUserInstrum = new AppSecFeatures.AutoUserInstrum().tap { instrum ->

Original file line number	Diff line number	Diff line change
`@@ -49,4 +49,9 @@ private void mergeAutoUserInstrum(`
`49`	`49`	`}`
`50`	`50`	`target.autoUserInstrum = newValue;`
`51`	`51`	`}`
	`52`	`+`
	`53`	`+ public void clear() {`
	`54`	`+ mergedData = null;`
	`55`	`+ configs.clear();`
	`56`	`+ }`
`52`	`57`	`}`