Increase IAST propagation to StringBuffer setLength (#8128)

Author: Mariovido

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/propagation/StringModuleImpl.java

@@ -852,6 +852,8 @@ public void onStringBuilderSetLength(@Nonnull CharSequence self, int length) {
     Range[] newRanges = Ranges.forSubstring(0, length, rangesSelf);
     if (newRanges != null && newRanges.length > 0) {
       selfTainted.setRanges(newRanges);
+    } else {
+      selfTainted.clear();
     }
   }
 

dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/propagation/StringModuleTest.groovy

@@ -1448,9 +1448,11 @@ class StringModuleTest extends IastModuleImplTestBase {
     0 * _
 
     where:
-    self      | length | mockCalls
-    sb("123") | 2      | 0
-    sb()      | 0      | 1
+    self       | length | mockCalls
+    sb("123")  | 2      | 0
+    sb()       | 0      | 1
+    sbf("123") | 2      | 0
+    sbf()      | 0      | 1
   }
 
   void 'onStringBuilderSetLength (#input, #length)'() {
@@ -1472,10 +1474,38 @@ class StringModuleTest extends IastModuleImplTestBase {
     taintFormat(result, taintedObject.getRanges()) == expected
 
     where:
-    input                         | length | expected
-    sb("==>0123<==")              | 3      | "==>012<=="
-    sb("0123==>456<==78")         | 5      | "0123==>4<=="
-    sb("01==>234<==5==>678<==90") | 8      | "01==>234<==5==>67<=="
+    input                          | length | expected
+    sb("==>0123<==")               | 3      | "==>012<=="
+    sb("0123==>456<==78")          | 5      | "0123==>4<=="
+    sb("01==>234<==5==>678<==90")  | 8      | "01==>234<==5==>67<=="
+    sbf("==>0123<==")              | 3      | "==>012<=="
+    sbf("0123==>456<==78")         | 5      | "0123==>4<=="
+    sbf("01==>234<==5==>678<==90") | 8      | "01==>234<==5==>67<=="
+  }
+
+  void 'onStringBuilderSetLength untainting after setLength (#input, #length)'() {
+    final taintedObjects = ctx.getTaintedObjects()
+    def self = addFromTaintFormat(taintedObjects, input)
+    if (self instanceof StringBuilder) {
+      ((StringBuilder) self).setLength(length)
+    } else if (self instanceof StringBuffer) {
+      ((StringBuffer) self).setLength(length)
+    }
+
+    when:
+    module.onStringBuilderSetLength(self, length)
+    def taintedObject = taintedObjects.get(self)
+
+    then:
+    1 * tracer.activeSpan() >> span
+    taintedObject == null
+
+    where:
+    input                  | length
+    sb("==>0123<==")       | 0
+    sb("0123==>456<==78")  | 3
+    sbf("==>0123<==")      | 0
+    sbf("0123==>456<==78") | 3
   }
 
   private static Date date(final String pattern, final String value) {

dd-java-agent/instrumentation/java-lang/src/main/java/datadog/trace/instrumentation/java/lang/StringBuilderCallSite.java

@@ -183,6 +183,7 @@ public static CharSequence afterSubSequence(
   }
 
   @CallSite.After("void java.lang.StringBuilder.setLength(int)")
+  @CallSite.After("void java.lang.StringBuffer.setLength(int)")
   public static void afterSetLength(
       @CallSite.This final CharSequence self, @CallSite.Argument final int length) {
     final StringModule module = InstrumentationBridge.STRING;

dd-java-agent/instrumentation/java-lang/src/test/groovy/datadog/trace/instrumentation/java/lang/StringBuilderCallSiteTest.groovy

@@ -266,6 +266,7 @@ class StringBuilderCallSiteTest extends AgentTestRunner {
     where:
     type      | suite                        | param         | length | expected
     "builder" | new TestStringBuilderSuite() | sb('012345')  | 5      | '01234'
+    "buffer"  | new TestStringBufferSuite()  | sbf('012345') | 5      | '01234'
   }
 
   private static class BrokenToString {