Commit

Merge pull request #230 from HubSpot/do-not-allow-calling-getClass
do not allow calling getClass
boulter authored Aug 29, 2018
2 parents e0b1016 + 4f28830 commit c13927d
Showing 2 changed files with 3 additions and 2 deletions.
Expand Up @@ -20,6 +20,7 @@ public class JinjavaBeanELResolver extends BeanELResolver {
private static final Set<String> RESTRICTED_METHODS = ImmutableSet.<String> builder()
.add("clone")
.add("hashCode")
.add("getClass")
.add("notify")
.add("notifyAll")
.add("wait")
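Review bot: The new `.add("getClass")` entry in `RESTRICTED_METHODS` carries no comment explaining why it is there, and its reason differs from its neighbours: `clone`, `notify`, `notifyAll` and `wait` are `Object` housekeeping methods, while `getClass` returns a `java.lang.Class`, which gives a template expression a starting point for reflection. A one-line comment above the entry would keep a later cleanup from dropping it. Since the set matches on method name only, the comment should also say where property-style access to the same value is blocked (the `blackListedProperties` test in the second file suggests that is handled separately).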
Expand Up @@ -333,11 +333,11 @@ public void blackListedProperties() {
@Test
public void blackListedMethods() {
context.put("myobj", new MyClass(new Date(0)));
interpreter.resolveELExpression("myobj.wait()", -1);
interpreter.resolveELExpression("myobj.getClass()", -1);

assertThat(interpreter.getErrorsCopy()).isNotEmpty();
TemplateError e = interpreter.getErrorsCopy().get(0);
assertThat(e.getMessage()).contains("Cannot find method 'wait'");
assertThat(e.getMessage()).contains("Cannot find method 'getClass'");
}

@Test
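Review bot: In `blackListedMethods`, the `myobj.wait()` call and its `Cannot find method 'wait'` assertion appear to be the two lines deleted in favour of the `getClass` versions (the summary shows 2 deletions), which leaves `wait` and the other `RESTRICTED_METHODS` entries without a test. Keep the `wait` case and add `getClass` as a second case, or loop over every restricted name. The assertion reads only `getErrorsCopy().get(0)`, so if several expressions are resolved in one test, each should be matched against its own error message.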

1 comment on commit c13927d

@ThaVosMan

This update broke our entire site.
We were calling simple functions to help with on-page calculations. Can you please add the ability to call the POW (Power of function) back, as this has caused one of your biggest customers' entire website to be rendered useless. @boulter
