Fix NullPointerException in ObjectIntrospection (#9878)

What Does This Do
Added a null guard in ObjectIntrospection.checkStringLength so Jackson string values that resolve to null no longer trigger a NullPointerException during AppSec object conversion

Author: jandro996

dd-java-agent/appsec/src/main/java/com/datadog/appsec/event/data/ObjectIntrospection.java

@@ -345,6 +345,9 @@ private static boolean setAccessible(Field field) {
   }
 
   private static String checkStringLength(final String str, final State state) {
+    if (str == null) {
+      return null;
+    }
     if (str.length() > MAX_STRING_SIZE) {
       state.stringTooLong = true;
       return str.substring(0, MAX_STRING_SIZE);

dd-java-agent/appsec/src/test/groovy/com/datadog/appsec/event/data/ObjectIntrospectionSpecification.groovy

@@ -2,6 +2,7 @@ package com.datadog.appsec.event.data
 
 import com.datadog.appsec.gateway.AppSecRequestContext
 import com.fasterxml.jackson.databind.ObjectMapper
+import com.fasterxml.jackson.databind.node.NullTextJsonNode
 import datadog.trace.api.telemetry.WafMetricCollector
 import datadog.trace.test.util.DDSpecification
 import groovy.json.JsonBuilder
@@ -354,6 +355,14 @@ class ObjectIntrospectionSpecification extends DDSpecification {
     MAPPER.readTree('{"key": "value"}')            || [key: 'value']
   }
 
+  void 'jackson text nodes with null textual value are handled gracefully'() {
+    given:
+    def node = new NullTextJsonNode()
+
+    expect:
+    convert(node, ctx) == null
+  }
+
   void 'jackson nested structures'() {
     when:
     final result = convert(input, ctx)

dd-java-agent/appsec/src/test/groovy/com/fasterxml/jackson/databind/node/NullTextJsonNode.groovy

@@ -0,0 +1,104 @@
+package com.fasterxml.jackson.databind.node
+
+import com.fasterxml.jackson.core.JsonGenerator
+import com.fasterxml.jackson.core.JsonPointer
+import com.fasterxml.jackson.core.JsonToken
+import com.fasterxml.jackson.databind.JsonNode
+import com.fasterxml.jackson.databind.SerializerProvider
+import com.fasterxml.jackson.databind.jsontype.TypeSerializer
+
+class NullTextJsonNode extends BaseJsonNode {
+  @Override
+  JsonNodeType getNodeType() {
+    return JsonNodeType.STRING
+  }
+
+  @Override
+  String textValue() {
+    return null
+  }
+
+  @Override
+  JsonToken asToken() {
+    return JsonToken.VALUE_STRING
+  }
+
+  @Override
+  void serialize(JsonGenerator gen, SerializerProvider serializers) throws IOException {
+    gen.writeNull()
+  }
+
+  @Override
+  JsonNode deepCopy() {
+    return this
+  }
+
+  @Override
+  String asText() {
+    return null
+  }
+
+  @Override
+  boolean equals(Object o) {
+    if (this.is(o)) {
+      return true
+    }
+    return o != null && getClass() == o.class
+  }
+
+  @Override
+  int hashCode() {
+    return getClass().hashCode()
+  }
+
+  @Override
+  void serializeWithType(JsonGenerator gen, SerializerProvider serializers, TypeSerializer typeSer) throws IOException {
+    gen.writeNull()
+  }
+
+  @Override
+  JsonNode get(int index) {
+    return null
+  }
+
+  @Override
+  JsonNode path(String fieldName) {
+    return MissingNode.getInstance()
+  }
+
+  @Override
+  JsonNode path(int index) {
+    return MissingNode.getInstance()
+  }
+
+  @Override
+  @SuppressWarnings('MethodName') // Inherited from Jackson's BaseJsonNode
+  protected JsonNode _at(JsonPointer ptr) {
+    return MissingNode.getInstance()
+  }
+
+  @Override
+  JsonNode findValue(String fieldName) {
+    return null
+  }
+
+  @Override
+  JsonNode findParent(String fieldName) {
+    return null
+  }
+
+  @Override
+  List<JsonNode> findValues(String fieldName, List<JsonNode> foundSoFar) {
+    return foundSoFar != null ? foundSoFar : new ArrayList<JsonNode>()
+  }
+
+  @Override
+  List<String> findValuesAsText(String fieldName, List<String> foundSoFar) {
+    return foundSoFar != null ? foundSoFar : new ArrayList<String>()
+  }
+
+  @Override
+  List<JsonNode> findParents(String fieldName, List<JsonNode> foundSoFar) {
+    return foundSoFar != null ? foundSoFar : new ArrayList<JsonNode>()
+  }
+}