Don't allow jinjava constructs outside of the AllowlistGroup classes

from being allowlisted

Author: jasmith-hs

pom.xml

@@ -189,6 +189,7 @@
     <dependency>
       <groupId>com.google.errorprone</groupId>
       <artifactId>error_prone_annotations</artifactId>
+      <scope>runtime</scope>
     </dependency>
 
     <dependency>

src/main/java/com/hubspot/jinjava/JinjavaConfig.java

@@ -48,7 +48,6 @@
 import java.time.ZoneOffset;
 import java.util.Locale;
 import java.util.function.BiConsumer;
-import javax.annotation.Nullable;
 import javax.el.ELResolver;
 import org.immutables.value.Value;
 
@@ -204,17 +203,11 @@ default boolean isEnableFilterChainOptimization() {
     return false;
   }
 
-  @Nullable
-  ObjectMapper getObjectMapperOrNull();
-
-  @Value.Derived
+  @Value.Default
   default ObjectMapper getObjectMapper() {
-    ObjectMapper objectMapper = getObjectMapperOrNull();
-    if (objectMapper == null) {
-      objectMapper = new ObjectMapper().registerModule(new Jdk8Module());
-      if (getLegacyOverrides().isUseSnakeCasePropertyNaming()) {
-        objectMapper.setPropertyNamingStrategy(PropertyNamingStrategies.SNAKE_CASE);
-      }
+    ObjectMapper objectMapper = new ObjectMapper().registerModule(new Jdk8Module());
+    if (getLegacyOverrides().isUseSnakeCasePropertyNaming()) {
+      objectMapper.setPropertyNamingStrategy(PropertyNamingStrategies.SNAKE_CASE);
     }
     return objectMapper;
   }

src/main/java/com/hubspot/jinjava/JinjavaImmutableStyle.java

@@ -1,16 +1,25 @@
 package com.hubspot.jinjava;
 
+import com.hubspot.immutable.collection.encoding.ImmutableListEncodingEnabled;
+import com.hubspot.immutable.collection.encoding.ImmutableMapEncodingEnabled;
+import com.hubspot.immutable.collection.encoding.ImmutableSetEncodingEnabled;
 import org.immutables.value.Value;
 
 @Value.Style(
   init = "set*",
   get = { "is*", "get*" } // Detect 'get' and 'is' prefixes in accessor methods
 )
+@ImmutableSetEncodingEnabled
+@ImmutableListEncodingEnabled
+@ImmutableMapEncodingEnabled
 public @interface JinjavaImmutableStyle {
   @Value.Style(
     init = "with*",
     get = { "is*", "get*" } // Detect 'get' and 'is' prefixes in accessor methods
   )
+  @ImmutableSetEncodingEnabled
+  @ImmutableListEncodingEnabled
+  @ImmutableMapEncodingEnabled
   @interface WithStyle {
   }
 }

src/main/java/com/hubspot/jinjava/LegacyOverrides.java

@@ -1,15 +1,9 @@
 package com.hubspot.jinjava;
 
-import com.hubspot.immutable.collection.encoding.ImmutableListEncodingEnabled;
-import com.hubspot.immutable.collection.encoding.ImmutableMapEncodingEnabled;
-import com.hubspot.immutable.collection.encoding.ImmutableSetEncodingEnabled;
 import org.immutables.value.Value;
 
 @Value.Immutable(singleton = true)
-@Value.Style(init = "with*", get = { "is*", "get*" })
-@ImmutableSetEncodingEnabled
-@ImmutableListEncodingEnabled
-@ImmutableMapEncodingEnabled
+@JinjavaImmutableStyle.WithStyle
 public interface LegacyOverrides extends WithLegacyOverrides {
   LegacyOverrides NONE = new Builder().build();
   LegacyOverrides THREE_POINT_0 = new Builder()

src/main/java/com/hubspot/jinjava/el/ext/AllowlistGroup.java

@@ -24,6 +24,7 @@
 import com.hubspot.jinjava.util.ForLoop;
 import java.lang.reflect.Method;
 import java.math.BigDecimal;
+import java.time.ZonedDateTime;
 import java.util.ArrayList;
 import java.util.LinkedHashMap;
 import java.util.Map;
@@ -150,7 +151,19 @@ String[] allowedReturnTypeCanonicalClassPrefixes() {
       return ARRAY;
     }
   },
-  JinjavaFunctions,
+  JinjavaFunctions {
+    private static final String[] ARRAY = { ZonedDateTime.class.getCanonicalName() };
+
+    @Override
+    String[] allowedDeclaredMethodsFromClasses() {
+      return ARRAY;
+    }
+
+    @Override
+    String[] allowedReturnTypeClasses() {
+      return ARRAY;
+    }
+  },
   JinjavaExpTests {
     private static final String[] ARRAY = { ExpTest.class.getPackageName() };
 

src/main/java/com/hubspot/jinjava/el/ext/AllowlistMethodValidator.java

@@ -4,6 +4,7 @@
 import com.google.common.collect.ImmutableSet;
 import java.lang.reflect.Method;
 import java.util.concurrent.ConcurrentHashMap;
+import java.util.function.Consumer;
 
 public final class AllowlistMethodValidator {
 
@@ -14,6 +15,7 @@ public final class AllowlistMethodValidator {
   private final ImmutableSet<Method> allowedMethods;
   private final ImmutableSet<String> allowedDeclaredMethodsFromCanonicalClassPrefixes;
   private final ImmutableSet<String> allowedDeclaredMethodsFromCanonicalClassNames;
+  private final Consumer<Method> onRejectedMethod;
   private final ImmutableList<MethodValidator> additionalValidators;
 
   public static AllowlistMethodValidator create(
@@ -35,6 +37,7 @@ private AllowlistMethodValidator(
       methodValidatorConfig.allowedDeclaredMethodsFromCanonicalClassPrefixes();
     this.allowedDeclaredMethodsFromCanonicalClassNames =
       methodValidatorConfig.allowedDeclaredMethodsFromCanonicalClassNames();
+    this.onRejectedMethod = methodValidatorConfig.onRejectedMethod();
     this.additionalValidators = additionalValidators;
     this.allowedMethodsCache = new ConcurrentHashMap<>();
   }
@@ -58,11 +61,12 @@ public Method validateMethod(Method m) {
       }
     );
     if (!isAllowedMethod) {
+      onRejectedMethod.accept(m);
       return null;
     }
     for (MethodValidator v : additionalValidators) {
-      m = v.validateMethod(m);
-      if (m == null) {
+      if (v.validateMethod(m) == null) {
+        onRejectedMethod.accept(m);
         return null;
       }
     }

src/main/java/com/hubspot/jinjava/el/ext/AllowlistReturnTypeValidator.java

@@ -3,6 +3,7 @@
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
 import java.util.concurrent.ConcurrentHashMap;
+import java.util.function.Consumer;
 
 public final class AllowlistReturnTypeValidator {
 
@@ -15,6 +16,7 @@ public final class AllowlistReturnTypeValidator {
   private final ImmutableSet<String> allowedCanonicalClassPrefixes;
   private final ImmutableSet<String> allowedCanonicalClassNames;
   private final boolean allowArrays;
+  private final Consumer<Class<?>> onRejectedClass;
   private final ImmutableList<ReturnTypeValidator> additionalValidators;
 
   public static AllowlistReturnTypeValidator create(
@@ -36,6 +38,7 @@ private AllowlistReturnTypeValidator(
     this.allowedCanonicalClassNames =
       returnTypeValidatorConfig.allowedCanonicalClassNames();
     this.allowArrays = returnTypeValidatorConfig.allowArrays();
+    this.onRejectedClass = returnTypeValidatorConfig.onRejectedClass();
     this.additionalValidators = additionalValidators;
     this.allowedReturnTypesCache = new ConcurrentHashMap<>();
   }
@@ -56,11 +59,12 @@ public Object validateReturnType(Object o) {
         allowedCanonicalClassPrefixes.stream().anyMatch(canonicalClassName::startsWith)
     );
     if (!isAllowedClassName) {
+      onRejectedClass.accept(clazz);
       return null;
     }
     for (ReturnTypeValidator v : additionalValidators) {
-      o = v.validateReturnType(o);
-      if (o == null) {
+      if (v.validateReturnType(o) == null) {
+        onRejectedClass.accept(clazz);
         return null;
       }
     }
@@ -79,10 +83,12 @@ public boolean allowReturnTypeClass(Class<?> clazz) {
         allowedCanonicalClassPrefixes.stream().anyMatch(canonicalClassName::startsWith)
     );
     if (!isAllowedReturnType) {
+      onRejectedClass.accept(clazz);
       return false;
     }
     for (ReturnTypeValidator v : additionalValidators) {
       if (!v.allowReturnTypeClass(clazz)) {
+        onRejectedClass.accept(clazz);
         return false;
       }
     }

src/main/java/com/hubspot/jinjava/el/ext/BannedAllowlistOptions.java

@@ -0,0 +1,66 @@
+package com.hubspot.jinjava.el.ext;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.common.collect.ImmutableSet;
+import java.lang.reflect.Method;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Set;
+import java.util.stream.Stream;
+import org.immutables.value.Value;
+
+public class BannedAllowlistOptions {
+
+  // These aren't required, but they prevent someone from misconfiguring Jinjava to allow sandbox bypass unintentionally
+  private static final String JAVA_LANG_REFLECT_PACKAGE =
+    Method.class.getPackage().getName(); // java.lang.reflect
+  private static final String JACKSON_DATABIND_PACKAGE =
+    ObjectMapper.class.getPackage().getName(); // com.fasterxml.jackson.databind
+
+  private static final String[] BANNED_PREFIXES = {
+    Class.class.getCanonicalName(),
+    Object.class.getCanonicalName(),
+    JAVA_LANG_REFLECT_PACKAGE,
+    JACKSON_DATABIND_PACKAGE,
+  };
+
+  private static final Set<String> ALLOWED_JINJAVA_PREFIXES = Stream
+    .concat(
+      Stream.of("com.hubspot.jinjava.testobjects"),
+      Arrays
+        .stream(AllowlistGroup.values())
+        .flatMap(g ->
+          Stream
+            .of(
+              g.allowedDeclaredMethodsFromCanonicalClassPrefixes(),
+              g.allowedReturnTypeCanonicalClassPrefixes(),
+              g.allowedDeclaredMethodsFromClasses(),
+              g.allowedReturnTypeClasses()
+            )
+            .flatMap(Arrays::stream)
+        )
+    )
+    .collect(ImmutableSet.toImmutableSet());
+
+  @Value.Check
+  public static List<String> findBannedPrefixes(Stream<String> prefixes) {
+    return prefixes
+      .filter(prefixOrName ->
+        Arrays
+          .stream(BANNED_PREFIXES)
+          .anyMatch(banned ->
+            banned.startsWith(prefixOrName) || prefixOrName.startsWith(banned)
+          ) ||
+        isIllegalJinjavaClass(prefixOrName)
+      )
+      .toList();
+  }
+
+  private static boolean isIllegalJinjavaClass(String prefixOrName) {
+    if (!prefixOrName.startsWith("com.hubspot.jinjava")) {
+      return false;
+    }
+    // e.g. com.hubspot.jinjava.lib.exptest is allowed, but com.hubspot.jinjava.Jinjava will not be
+    return ALLOWED_JINJAVA_PREFIXES.stream().noneMatch(prefixOrName::startsWith);
+  }
+}

src/main/java/com/hubspot/jinjava/el/ext/ExtendedParser.java

@@ -129,7 +129,7 @@ public AstNode createAstNode(AstNode... children) {
   }
 
   protected AstNode interpreter() {
-    return identifier(INTERPRETER);
+    return new AstNull();
   }
 
   @Override

src/main/java/com/hubspot/jinjava/el/ext/MethodValidator.java

@@ -1,7 +1,9 @@
 package com.hubspot.jinjava.el.ext;
 
 import java.lang.reflect.Method;
+import javax.annotation.Nullable;
 
 public interface MethodValidator {
+  @Nullable
   Method validateMethod(Method m);
 }