Explicitly ban evaluating ObjectMapper within jinjava for

defense-in-depth

Author: jasmith-hs

src/main/java/com/hubspot/jinjava/el/ext/JinjavaBeanELResolver.java

@@ -1,5 +1,6 @@
 package com.hubspot.jinjava.el.ext;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.base.CaseFormat;
 import com.google.common.collect.ImmutableSet;
 import com.hubspot.jinjava.interpret.DeferredValueException;
@@ -36,6 +37,7 @@ public class JinjavaBeanELResolver extends BeanELResolver {
     .add("notify")
     .add("notifyAll")
     .add("wait")
+    .add("readValueAs")
     .build();
 
   private static final Set<String> DEFERRED_EXECUTION_RESTRICTED_METHODS = ImmutableSet
@@ -59,6 +61,10 @@ public class JinjavaBeanELResolver extends BeanELResolver {
     .add("set")
     .add("merge")
     .build();
+  private static final String JAVA_LANG_REFLECT_PACKAGE =
+    Method.class.getPackage().getName(); // java.lang.reflect
+  private static final String JACKSON_DATABIND_PACKAGE =
+    ObjectMapper.class.getPackage().getName(); // com.fasterxml.jackson.databind
 
   /**
    * Creates a new read/write {@link JinjavaBeanELResolver}.
@@ -251,9 +257,11 @@ protected boolean isRestrictedClass(Object o) {
       return false;
     }
 
+    Package oPackage = o.getClass().getPackage();
     return (
-      (o.getClass().getPackage() != null &&
-        o.getClass().getPackage().getName().startsWith("java.lang.reflect")) ||
+      (oPackage != null &&
+        (oPackage.getName().startsWith(JAVA_LANG_REFLECT_PACKAGE) ||
+          oPackage.getName().startsWith(JACKSON_DATABIND_PACKAGE))) ||
       o instanceof Class ||
       o instanceof ClassLoader ||
       o instanceof Thread ||

src/test/java/com/hubspot/jinjava/el/ext/JinjavaBeanELResolverTest.java

@@ -5,10 +5,12 @@
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.collect.ImmutableSet;
 import com.hubspot.jinjava.JinjavaConfig;
 import com.hubspot.jinjava.el.JinjavaELContext;
 import com.hubspot.jinjava.interpret.JinjavaInterpreter;
+import java.util.List;
 import javax.el.ELContext;
 import javax.el.MethodNotFoundException;
 import javax.el.PropertyNotFoundException;
@@ -184,4 +186,60 @@ public void itDoesNotAllowAccessingPropertiesOfInterpreter() {
       JinjavaInterpreter.popCurrent();
     }
   }
+
+  @Test
+  public void itDoesNotGettingFromObjectMapper() {
+    try (
+      AutoCloseableSupplier.AutoCloseableImpl<JinjavaInterpreter> c = JinjavaInterpreter
+        .closeablePushCurrent(interpreter)
+        .get()
+    ) {
+      assertThat(
+        jinjavaBeanELResolver.getValue(elContext, new ObjectMapper(), "dateFormat")
+      )
+        .isNull();
+    }
+  }
+
+  @Test
+  public void itDoesNotAllowInvokingFromObjectMapper() throws NoSuchMethodException {
+    try (
+      AutoCloseableSupplier.AutoCloseableImpl<JinjavaInterpreter> c = JinjavaInterpreter
+        .closeablePushCurrent(interpreter)
+        .get()
+    ) {
+      ObjectMapper objectMapper = new ObjectMapper();
+      assertThatThrownBy(() ->
+          jinjavaBeanELResolver.invoke(
+            elContext,
+            objectMapper,
+            "getDateFormat",
+            new Class[] {},
+            new Object[] {}
+          )
+        )
+        .isInstanceOf(MethodNotFoundException.class);
+    }
+  }
+
+  @Test
+  public void itDoesNotAllowInvokingFromMethod() throws NoSuchMethodException {
+    try (
+      AutoCloseableSupplier.AutoCloseableImpl<JinjavaInterpreter> c = JinjavaInterpreter
+        .closeablePushCurrent(interpreter)
+        .get()
+    ) {
+      List<String> list = List.of("foo");
+      assertThatThrownBy(() ->
+          jinjavaBeanELResolver.invoke(
+            elContext,
+            list.getClass().getMethod("get", int.class),
+            "invoke",
+            new Class[] { Object.class, Object[].class },
+            new Object[] { list, 0 }
+          )
+        )
+        .isInstanceOf(MethodNotFoundException.class);
+    }
+  }
 }