From c75c17aead06ce81eb08c3c2aeeefc16a785d2cd Mon Sep 17 00:00:00 2001 From: Eric Bussieres Date: Sun, 17 May 2020 11:19:05 -0400 Subject: [PATCH] Remove possibility to turn sandbox off via template --- docs/src/orchid/resources/changelog/v3_1_4.md | 5 +++-- .../mitchellbosecke/pebble/PebbleEngine.java | 6 ++---- .../pebble/template/EvaluationOptions.java | 20 +++++++++---------- 3 files changed, 14 insertions(+), 17 deletions(-) diff --git a/docs/src/orchid/resources/changelog/v3_1_4.md b/docs/src/orchid/resources/changelog/v3_1_4.md index 4249b17ee..fc49e6f67 100644 --- a/docs/src/orchid/resources/changelog/v3_1_4.md +++ b/docs/src/orchid/resources/changelog/v3_1_4.md @@ -5,5 +5,6 @@ version: '3.1.4' - Slice filter: Use collection size when toIndex is greater than collection size (#504) - Adjust spring boot doc (#509) - Build with jdk14 (#508) -- Set proxyBeanMethods to false (#507) -- Add access to Spring Beans/request/session and response when using Pebble with WebFlux (#512) \ No newline at end of file +- Set proxyBeanMethods to false and build with spring boot 2.3 (#507) +- Add access to Spring Beans/request/session and response when using Pebble with WebFlux (#512) +- Remove allowUnsafeMethods property and replace it with methodAccessValidator. Default one is BlacklistMethodAccessValidtor (#511) \ No newline at end of file diff --git a/pebble/src/main/java/com/mitchellbosecke/pebble/PebbleEngine.java b/pebble/src/main/java/com/mitchellbosecke/pebble/PebbleEngine.java index c6ecf0d1f..0393fabec 100644 --- a/pebble/src/main/java/com/mitchellbosecke/pebble/PebbleEngine.java +++ b/pebble/src/main/java/com/mitchellbosecke/pebble/PebbleEngine.java @@ -583,10 +583,8 @@ public PebbleEngine build() { parserOptions.setLiteralDecimalTreatedAsInteger(this.literalDecimalTreatedAsInteger); parserOptions.setLiteralNumbersAsBigDecimals(this.literalNumbersAsBigDecimals); - EvaluationOptions evaluationOptions = new EvaluationOptions(); - evaluationOptions.setMethodAccessValidator(this.methodAccessValidator); - evaluationOptions.setGreedyMatchMethod(this.greedyMatchMethod); - + EvaluationOptions evaluationOptions = new EvaluationOptions(this.greedyMatchMethod, + this.methodAccessValidator); return new PebbleEngine(this.loader, this.syntax, this.strictVariables, this.defaultLocale, this.tagCache, this.templateCache, this.executorService, extensionRegistry, parserOptions, evaluationOptions); diff --git a/pebble/src/main/java/com/mitchellbosecke/pebble/template/EvaluationOptions.java b/pebble/src/main/java/com/mitchellbosecke/pebble/template/EvaluationOptions.java index bc04d5671..c200d318d 100644 --- a/pebble/src/main/java/com/mitchellbosecke/pebble/template/EvaluationOptions.java +++ b/pebble/src/main/java/com/mitchellbosecke/pebble/template/EvaluationOptions.java @@ -8,30 +8,28 @@ * @author yanxiyue */ public class EvaluationOptions { + /** * toggle to enable/disable greedy matching mode for finding java method */ - private boolean greedyMatchMethod; + private final boolean greedyMatchMethod; /** * Validator that can be used to validate object/method access */ - private MethodAccessValidator methodAccessValidator; + private final MethodAccessValidator methodAccessValidator; - public boolean isGreedyMatchMethod() { - return this.greedyMatchMethod; + public EvaluationOptions(boolean greedyMatchMethod, + MethodAccessValidator methodAccessValidator) { + this.greedyMatchMethod = greedyMatchMethod; + this.methodAccessValidator = methodAccessValidator; } - public void setGreedyMatchMethod(boolean greedyMatchMethod) { - this.greedyMatchMethod = greedyMatchMethod; + public boolean isGreedyMatchMethod() { + return this.greedyMatchMethod; } public MethodAccessValidator getMethodAccessValidator() { return this.methodAccessValidator; } - - public void setMethodAccessValidator( - MethodAccessValidator methodAccessValidator) { - this.methodAccessValidator = methodAccessValidator; - } }