Merge commit from fork

jasmith-hs · web-flow · commit 66df351e7e8a · 2025-09-16T09:12:25.000-04:00
Restrict property accessing to disallow fetching properties from restricted bases
diff --git a/src/main/java/com/hubspot/jinjava/el/ext/JinjavaBeanELResolver.java b/src/main/java/com/hubspot/jinjava/el/ext/JinjavaBeanELResolver.java
@@ -79,6 +79,9 @@ public Class<?> getType(ELContext context, Object base, Object property) {
 
   @Override
   public Object getValue(ELContext context, Object base, Object property) {
+    if (isRestrictedClass(base)) {
+      return null;
+    }
     Object result = super.getValue(context, base, validatePropertyName(property));
     return result instanceof Class ? null : result;
   }
diff --git a/src/test/java/com/hubspot/jinjava/el/ext/JinjavaBeanELResolverTest.java b/src/test/java/com/hubspot/jinjava/el/ext/JinjavaBeanELResolverTest.java
@@ -8,6 +8,7 @@
 import com.google.common.collect.ImmutableSet;
 import com.hubspot.jinjava.JinjavaConfig;
 import com.hubspot.jinjava.el.JinjavaELContext;
+import com.hubspot.jinjava.interpret.AutoCloseableSupplier;
 import com.hubspot.jinjava.interpret.JinjavaInterpreter;
 import javax.el.ELContext;
 import javax.el.MethodNotFoundException;
@@ -173,4 +174,16 @@ public void itThrowsExceptionWhenPropertyIsRestrictedFromConfig() {
       .hasMessageStartingWith("Could not find property");
     JinjavaInterpreter.popCurrent();
   }
+
+  @Test
+  public void itDoesNotAllowAccessingPropertiesOfInterpreter() {
+    try (
+      AutoCloseableSupplier.AutoCloseableImpl<JinjavaInterpreter> c = JinjavaInterpreter
+        .closeablePushCurrent(interpreter)
+        .get()
+    ) {
+      assertThat(jinjavaBeanELResolver.getValue(elContext, interpreter, "config"))
+        .isNull();
+    }
+  }
 }
diff --git a/src/test/java/com/hubspot/jinjava/interpret/JinjavaInterpreterTest.java b/src/test/java/com/hubspot/jinjava/interpret/JinjavaInterpreterTest.java
@@ -600,4 +600,10 @@ public void itOutputsUndefinedVariableError() {
     assertThat(outputtingErrorInterpreters.getErrors().get(0).getCategoryErrors())
       .isEqualTo(ImmutableMap.of("variable", "bar"));
   }
+
+  @Test
+  public void itDoesNotAllowAccessingPropertiesOfInterpreter() {
+    assertThat(jinjava.render("{{ ____int3rpr3t3r____.config }}", new HashMap<>()))
+      .isEqualTo("");
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -79,6 +79,9 @@ public Class<?> getType(ELContext context, Object base, Object property) {`
`79`	`79`
`80`	`80`	`@Override`
`81`	`81`	`public Object getValue(ELContext context, Object base, Object property) {`
	`82`	`+ if (isRestrictedClass(base)) {`
	`83`	`+ return null;`
	`84`	`+ }`
`82`	`85`	`Object result = super.getValue(context, base, validatePropertyName(property));`
`83`	`86`	`return result instanceof Class ? null : result;`
`84`	`87`	`}`
Original file line number	Diff line number	Diff line change
`@@ -600,4 +600,10 @@ public void itOutputsUndefinedVariableError() {`
`600`	`600`	`assertThat(outputtingErrorInterpreters.getErrors().get(0).getCategoryErrors())`
`601`	`601`	`.isEqualTo(ImmutableMap.of("variable", "bar"));`
`602`	`602`	`}`
	`603`	`+`
	`604`	`+ @Test`
	`605`	`+ public void itDoesNotAllowAccessingPropertiesOfInterpreter() {`
	`606`	`+ assertThat(jinjava.render("{{ ____int3rpr3t3r____.config }}", new HashMap<>()))`
	`607`	`+ .isEqualTo("");`
	`608`	`+ }`
`603`	`609`	`}`