Skip to content

Commit

Permalink
do not allow calling getClass
Browse files Browse the repository at this point in the history
  • Loading branch information
@jboulter
jboulter committed Aug 29, 2018
1 parent e0b1016 commit 4f28830
Show file tree
Hide file tree
Showing 2 changed files with 3 additions and 2 deletions.
1 change: 1 addition & 0 deletions src/main/java/com/hubspot/jinjava/el/ext/JinjavaBeanELResolver.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ public class JinjavaBeanELResolver extends BeanELResolver {
private static final Set<String> RESTRICTED_METHODS = ImmutableSet.<String> builder()
.add("clone")
.add("hashCode")
.add("getClass")
.add("notify")
.add("notifyAll")
.add("wait")
Expand Down
4 changes: 2 additions & 2 deletions src/test/java/com/hubspot/jinjava/el/ExpressionResolverTest.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -333,11 +333,11 @@ public void blackListedProperties() {
@Test
public void blackListedMethods() {
context.put("myobj", new MyClass(new Date(0)));
interpreter.resolveELExpression("myobj.wait()", -1);
interpreter.resolveELExpression("myobj.getClass()", -1);

assertThat(interpreter.getErrorsCopy()).isNotEmpty();
TemplateError e = interpreter.getErrorsCopy().get(0);
assertThat(e.getMessage()).contains("Cannot find method 'wait'");
assertThat(e.getMessage()).contains("Cannot find method 'getClass'");
}

@Test
Expand Down

0 comments on commit 4f28830

Please sign in to comment.