ISSUE-264: disallow methods on java.lang.Object, even if overridden

spullara · May 11, 2021 · 7efecb8 · 7efecb8
1 parent 7d9c237
commit 7efecb8
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/compiler/src/main/java/com/github/mustachejava/SafeMustacheFactory.java b/compiler/src/main/java/com/github/mustachejava/SafeMustacheFactory.java
@@ -10,16 +10,33 @@
 import java.lang.reflect.Field;
 import java.lang.reflect.Method;
 import java.lang.reflect.Modifier;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
 import java.util.Set;
 
 import static com.github.mustachejava.util.HtmlEscaper.escape;
 
 public class SafeMustacheFactory extends DefaultMustacheFactory {
 
+    private final static Set<String> disallowedMethods = new HashSet<>(Arrays.asList(
+            "getClass",
+            "hashCode",
+            "clone",
+            "toString",
+            "notify",
+            "notifyAll",
+            "finalize",
+            "wait"
+    ));
+
     // Only allow public access
     public static final SimpleObjectHandler OBJECT_HANDLER = new SimpleObjectHandler() {
         @Override
         protected void checkMethod(Method member) throws NoSuchMethodException {
+            if (disallowedMethods.contains(member.getName())) {
+                throw new MustacheException("Disallowed: method " + member.getName() + " cannot be accessed");
+            }
             if ((member.getModifiers() & Modifier.PUBLIC) != Modifier.PUBLIC) {
                 throw new NoSuchMethodException("Only public members allowed");
             }