Merge commit from fork

jasmith-hs · web-flow · commit 3d02e504d8bb · 2026-02-02T15:38:22.000-05:00
Prevent JinjavaBeanELResolver restriction bypassing through ForTag's loopVars
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,9 +1,23 @@
 # Jinjava Releases #
+### 2025-01-30 Version 2.8.3 ([Maven Central](https://search.maven.org/artifact/com.hubspot.jinjava/jinjava/2.8.3/jar)) ###
+* Disallow accessing properties on restricted classes while rendering through ForTag
+* Upgrade jackson to version 2.20
+* [Add performance optimization to chained filters](https://github.com/HubSpot/jinjava/pull/1274)
+
+### 2025-01-30 Version 2.7.6 ([Maven Central](https://search.maven.org/artifact/com.hubspot.jinjava/jinjava/2.7.6/jar)) ###
+* Disallow accessing properties on restricted classes while rendering through ForTag
+* Upgrade jackson to version 2.20
+
 ### 2025-10-22 Version 2.8.2 ([Maven Central](https://search.maven.org/artifact/com.hubspot.jinjava/jinjava/2.8.2/jar)) ###
 * [Fix helper token escape handling and unescaping when unquoting strings](https://github.com/HubSpot/jinjava/pull/1263)
+
+### 2025-09-30 Version 2.7.5 ([Maven Central](https://search.maven.org/artifact/com.hubspot.jinjava/jinjava/2.7.5/jar)) ###
+* Disallow accessing properties on restricted classes while rendering
+
 ### 2025-09-16 Version 2.8.1 ([Maven Central](https://search.maven.org/artifact/com.hubspot.jinjava/jinjava/2.8.1/jar)) ###
 * Disallow accessing properties on restricted classes while rendering
 * [Make stack operations use AutoCloseable for safer usage with try-with-resources](https://github.com/HubSpot/jinjava/pull/1250)
+
 ### 2025-05-05 Version 2.8.0 ([Maven Central](https://search.maven.org/artifact/com.hubspot.jinjava/jinjava/2.8.0/jar)) ###
 * [Target Java 17](https://github.com/HubSpot/jinjava/pull/1238)
 * [Implement PyMap#get with optional default](https://github.com/HubSpot/jinjava/pull/1233)
diff --git a/src/main/java/com/hubspot/jinjava/el/ext/JinjavaBeanELResolver.java b/src/main/java/com/hubspot/jinjava/el/ext/JinjavaBeanELResolver.java
@@ -1,5 +1,6 @@
 package com.hubspot.jinjava.el.ext;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.base.CaseFormat;
 import com.google.common.collect.ImmutableSet;
 import com.hubspot.jinjava.interpret.DeferredValueException;
@@ -36,6 +37,7 @@ public class JinjavaBeanELResolver extends BeanELResolver {
     .add("notify")
     .add("notifyAll")
     .add("wait")
+    .add("readValueAs")
     .build();
 
   private static final Set<String> DEFERRED_EXECUTION_RESTRICTED_METHODS = ImmutableSet
@@ -59,6 +61,10 @@ public class JinjavaBeanELResolver extends BeanELResolver {
     .add("set")
     .add("merge")
     .build();
+  private static final String JAVA_LANG_REFLECT_PACKAGE =
+    Method.class.getPackage().getName(); // java.lang.reflect
+  private static final String JACKSON_DATABIND_PACKAGE =
+    ObjectMapper.class.getPackage().getName(); // com.fasterxml.jackson.databind
 
   /**
    * Creates a new read/write {@link JinjavaBeanELResolver}.
@@ -251,9 +257,11 @@ protected boolean isRestrictedClass(Object o) {
       return false;
     }
 
+    Package oPackage = o.getClass().getPackage();
     return (
-      (o.getClass().getPackage() != null &&
-        o.getClass().getPackage().getName().startsWith("java.lang.reflect")) ||
+      (oPackage != null &&
+        (oPackage.getName().startsWith(JAVA_LANG_REFLECT_PACKAGE) ||
+          oPackage.getName().startsWith(JACKSON_DATABIND_PACKAGE))) ||
       o instanceof Class ||
       o instanceof ClassLoader ||
       o instanceof Thread ||
diff --git a/src/main/java/com/hubspot/jinjava/lib/tag/ForTag.java b/src/main/java/com/hubspot/jinjava/lib/tag/ForTag.java
@@ -247,7 +247,7 @@ public String renderForCollection(
                   if (loopVar.equals(valProp.getName())) {
                     interpreter
                       .getContext()
-                      .put(loopVar, valProp.getReadMethod().invoke(val));
+                      .put(loopVar, interpreter.resolveProperty(val, valProp.getName()));
                     break;
                   }
                 }
diff --git a/src/test/java/com/hubspot/jinjava/el/ext/JinjavaBeanELResolverTest.java b/src/test/java/com/hubspot/jinjava/el/ext/JinjavaBeanELResolverTest.java
@@ -5,11 +5,13 @@
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.collect.ImmutableSet;
 import com.hubspot.jinjava.JinjavaConfig;
 import com.hubspot.jinjava.el.JinjavaELContext;
 import com.hubspot.jinjava.interpret.AutoCloseableSupplier;
 import com.hubspot.jinjava.interpret.JinjavaInterpreter;
+import java.util.List;
 import javax.el.ELContext;
 import javax.el.MethodNotFoundException;
 import javax.el.PropertyNotFoundException;
@@ -186,4 +188,60 @@ public void itDoesNotAllowAccessingPropertiesOfInterpreter() {
         .isNull();
     }
   }
+
+  @Test
+  public void itDoesNotGettingFromObjectMapper() {
+    try (
+      AutoCloseableSupplier.AutoCloseableImpl<JinjavaInterpreter> c = JinjavaInterpreter
+        .closeablePushCurrent(interpreter)
+        .get()
+    ) {
+      assertThat(
+        jinjavaBeanELResolver.getValue(elContext, new ObjectMapper(), "dateFormat")
+      )
+        .isNull();
+    }
+  }
+
+  @Test
+  public void itDoesNotAllowInvokingFromObjectMapper() throws NoSuchMethodException {
+    try (
+      AutoCloseableSupplier.AutoCloseableImpl<JinjavaInterpreter> c = JinjavaInterpreter
+        .closeablePushCurrent(interpreter)
+        .get()
+    ) {
+      ObjectMapper objectMapper = new ObjectMapper();
+      assertThatThrownBy(() ->
+          jinjavaBeanELResolver.invoke(
+            elContext,
+            objectMapper,
+            "getDateFormat",
+            new Class[] {},
+            new Object[] {}
+          )
+        )
+        .isInstanceOf(MethodNotFoundException.class);
+    }
+  }
+
+  @Test
+  public void itDoesNotAllowInvokingFromMethod() throws NoSuchMethodException {
+    try (
+      AutoCloseableSupplier.AutoCloseableImpl<JinjavaInterpreter> c = JinjavaInterpreter
+        .closeablePushCurrent(interpreter)
+        .get()
+    ) {
+      List<String> list = List.of("foo");
+      assertThatThrownBy(() ->
+          jinjavaBeanELResolver.invoke(
+            elContext,
+            list.getClass().getMethod("get", int.class),
+            "invoke",
+            new Class[] { Object.class, Object[].class },
+            new Object[] { list, 0 }
+          )
+        )
+        .isInstanceOf(MethodNotFoundException.class);
+    }
+  }
 }
diff --git a/src/test/java/com/hubspot/jinjava/lib/tag/ForTagTest.java b/src/test/java/com/hubspot/jinjava/lib/tag/ForTagTest.java
@@ -406,6 +406,15 @@ public void forLoopTupleWithNullValues() {
     assertThat(result).isEqualTo(" -1  -1  null  null  null ");
   }
 
+  @Test
+  public void itUsesJinjavaRestrictedResolverOnReadingLoopVars() {
+    String template =
+      """
+      {% for _, config, class in ____int3rpr3t3r____ %}{{ class }}{% endfor %}""";
+    String result = interpreter.render(template);
+    assertThat(result).isEqualTo("");
+  }
+
   public static boolean inForLoop() {
     JinjavaInterpreter interpreter = JinjavaInterpreter.getCurrent();
     return interpreter.getContext().isInForLoop();

Original file line number	Diff line number	Diff line change
`@@ -247,7 +247,7 @@ public String renderForCollection(`
`247`	`247`	`if (loopVar.equals(valProp.getName())) {`
`248`	`248`	`interpreter`
`249`	`249`	`.getContext()`
`250`		`- .put(loopVar, valProp.getReadMethod().invoke(val));`
	`250`	`+ .put(loopVar, interpreter.resolveProperty(val, valProp.getName()));`
`251`	`251`	`break;`
`252`	`252`	`}`
`253`	`253`	`}`