Merge commit from fork

Prevent JinjavaBeanELResolver restriction bypassing through ForTag's loopVars for 2.7.x version

Author: jasmith-hs

CHANGES.md

@@ -1,4 +1,9 @@
 # Jinjava Releases #
+### 2025-01-30 Version 2.7.6 ([Maven Central](https://search.maven.org/artifact/com.hubspot.jinjava/jinjava/2.7.6/jar)) ###
+* Disallow accessing properties on restricted classes while rendering through ForTag
+* Upgrade jackson to version 2.20
+### 2025-09-30 Version 2.7.5 ([Maven Central](https://search.maven.org/artifact/com.hubspot.jinjava/jinjava/2.7.5/jar)) ###
+* Disallow accessing properties on restricted classes while rendering
 ### 2024-12-06 Verision 2.7.4 ([Maven Central](https://search.maven.org/artifact/com.hubspot.jinjava/jinjava/2.7.4/jar)) ###
 * [Implement jinja2.ext.loopcontrols extensions (break and continue)](https://github.com/HubSpot/jinjava/pull/1219)
 * [Apply whitespace rules for LStrip and Trim to comment blocks](https://github.com/HubSpot/jinjava/pull/1217)

src/main/java/com/hubspot/jinjava/el/ext/JinjavaBeanELResolver.java

@@ -1,5 +1,6 @@
 package com.hubspot.jinjava.el.ext;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.base.CaseFormat;
 import com.google.common.collect.ImmutableSet;
 import com.hubspot.jinjava.interpret.DeferredValueException;
@@ -36,6 +37,7 @@ public class JinjavaBeanELResolver extends BeanELResolver {
     .add("notify")
     .add("notifyAll")
     .add("wait")
+    .add("readValueAs")
     .build();
 
   private static final Set<String> DEFERRED_EXECUTION_RESTRICTED_METHODS = ImmutableSet
@@ -59,6 +61,10 @@ public class JinjavaBeanELResolver extends BeanELResolver {
     .add("set")
     .add("merge")
     .build();
+  private static final String JAVA_LANG_REFLECT_PACKAGE =
+    Method.class.getPackage().getName(); // java.lang.reflect
+  private static final String JACKSON_DATABIND_PACKAGE =
+    ObjectMapper.class.getPackage().getName(); // com.fasterxml.jackson.databind
 
   /**
    * Creates a new read/write {@link JinjavaBeanELResolver}.
@@ -251,9 +257,11 @@ protected boolean isRestrictedClass(Object o) {
       return false;
     }
 
+    Package oPackage = o.getClass().getPackage();
     return (
-      (o.getClass().getPackage() != null &&
-        o.getClass().getPackage().getName().startsWith("java.lang.reflect")) ||
+      (oPackage != null &&
+        (oPackage.getName().startsWith(JAVA_LANG_REFLECT_PACKAGE) ||
+          oPackage.getName().startsWith(JACKSON_DATABIND_PACKAGE))) ||
       o instanceof Class ||
       o instanceof ClassLoader ||
       o instanceof Thread ||

src/main/java/com/hubspot/jinjava/lib/tag/ForTag.java

@@ -248,7 +248,7 @@ public String renderForCollection(
                   if (loopVar.equals(valProp.getName())) {
                     interpreter
                       .getContext()
-                      .put(loopVar, valProp.getReadMethod().invoke(val));
+                      .put(loopVar, interpreter.resolveProperty(val, valProp.getName()));
                     break;
                   }
                 }

src/test/java/com/hubspot/jinjava/el/ext/JinjavaBeanELResolverTest.java

@@ -5,10 +5,12 @@
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.collect.ImmutableSet;
 import com.hubspot.jinjava.JinjavaConfig;
 import com.hubspot.jinjava.el.JinjavaELContext;
 import com.hubspot.jinjava.interpret.JinjavaInterpreter;
+import java.util.List;
 import javax.el.ELContext;
 import javax.el.MethodNotFoundException;
 import javax.el.PropertyNotFoundException;
@@ -184,4 +186,60 @@ public void itDoesNotAllowAccessingPropertiesOfInterpreter() {
       JinjavaInterpreter.popCurrent();
     }
   }
+
+  @Test
+  public void itDoesNotGettingFromObjectMapper() {
+    try (
+      AutoCloseableSupplier.AutoCloseableImpl<JinjavaInterpreter> c = JinjavaInterpreter
+        .closeablePushCurrent(interpreter)
+        .get()
+    ) {
+      assertThat(
+        jinjavaBeanELResolver.getValue(elContext, new ObjectMapper(), "dateFormat")
+      )
+        .isNull();
+    }
+  }
+
+  @Test
+  public void itDoesNotAllowInvokingFromObjectMapper() throws NoSuchMethodException {
+    try (
+      AutoCloseableSupplier.AutoCloseableImpl<JinjavaInterpreter> c = JinjavaInterpreter
+        .closeablePushCurrent(interpreter)
+        .get()
+    ) {
+      ObjectMapper objectMapper = new ObjectMapper();
+      assertThatThrownBy(() ->
+          jinjavaBeanELResolver.invoke(
+            elContext,
+            objectMapper,
+            "getDateFormat",
+            new Class[] {},
+            new Object[] {}
+          )
+        )
+        .isInstanceOf(MethodNotFoundException.class);
+    }
+  }
+
+  @Test
+  public void itDoesNotAllowInvokingFromMethod() throws NoSuchMethodException {
+    try (
+      AutoCloseableSupplier.AutoCloseableImpl<JinjavaInterpreter> c = JinjavaInterpreter
+        .closeablePushCurrent(interpreter)
+        .get()
+    ) {
+      List<String> list = List.of("foo");
+      assertThatThrownBy(() ->
+          jinjavaBeanELResolver.invoke(
+            elContext,
+            list.getClass().getMethod("get", int.class),
+            "invoke",
+            new Class[] { Object.class, Object[].class },
+            new Object[] { list, 0 }
+          )
+        )
+        .isInstanceOf(MethodNotFoundException.class);
+    }
+  }
 }

src/test/java/com/hubspot/jinjava/lib/tag/ForTagTest.java

@@ -406,6 +406,15 @@ public void forLoopTupleWithNullValues() {
     assertThat(result).isEqualTo(" -1  -1  null  null  null ");
   }
 
+  @Test
+  public void itUsesJinjavaRestrictedResolverOnReadingLoopVars() {
+    String template =
+      """
+      {% for _, config, class in ____int3rpr3t3r____ %}{{ class }}{% endfor %}""";
+    String result = interpreter.render(template);
+    assertThat(result).isEqualTo("");
+  }
+
   public static boolean inForLoop() {
     JinjavaInterpreter interpreter = JinjavaInterpreter.getCurrent();
     return interpreter.getContext().isInForLoop();