Fix NullPointerException in ApplicationModuleImpl (#9879)

jandro996 · web-flow · commit 74cc32f5ddbb · 2025-10-30T14:31:29.000+01:00
What Does This Do
Added a guard in InsecureJspFolderVisitor.preVisitDirectory to keep walking when a directory lacks a name, preventing the previous NullPointerException.

Introduced a regression test that instantiates the visitor and verifies it safely handles the filesystem root path.
diff --git a/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/ApplicationModuleImpl.java b/dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/ApplicationModuleImpl.java
@@ -416,7 +416,11 @@ private static class InsecureJspFolderVisitor implements FileVisitor<Path> {
 
     @Override
     public FileVisitResult preVisitDirectory(final Path dir, final BasicFileAttributes attrs) {
-      final String folder = dir.getFileName().toString();
+      final Path fileName = dir.getFileName();
+      if (fileName == null) {
+        return FileVisitResult.CONTINUE;
+      }
+      final String folder = fileName.toString();
       if (endsWithIgnoreCase(folder, WEB_INF)) {
         return FileVisitResult.SKIP_SUBTREE;
       }
diff --git a/dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/sink/ApplicationModuleTest.groovy b/dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/sink/ApplicationModuleTest.groovy
@@ -6,6 +6,8 @@ import com.datadog.iast.model.Vulnerability
 import com.datadog.iast.model.VulnerabilityType
 import datadog.trace.api.iast.InstrumentationBridge
 import datadog.trace.api.iast.sink.ApplicationModule
+import java.nio.file.FileVisitResult
+import java.nio.file.Paths
 
 import static com.datadog.iast.model.VulnerabilityType.ADMIN_CONSOLE_ACTIVE
 import static com.datadog.iast.model.VulnerabilityType.DEFAULT_HTML_ESCAPE_INVALID
@@ -138,4 +140,18 @@ class ApplicationModuleTest extends IastModuleImplTestBase {
     }
     assert vuln.location.line == line
   }
+
+  void 'insecure jsp visitor handles root directory without name'() {
+    given:
+    def visitorClass = ApplicationModuleImpl.declaredClasses.find { it.simpleName == 'InsecureJspFolderVisitor' }
+    def constructor = visitorClass.getDeclaredConstructor()
+    constructor.accessible = true
+    def visitor = constructor.newInstance()
+
+    when:
+    def result = visitor.preVisitDirectory(Paths.get(File.separator), null)
+
+    then:
+    result == FileVisitResult.CONTINUE
+  }
 }
