Extract separate MethodValidator

Author: jasmith-hs

src/main/java/com/hubspot/jinjava/JinjavaConfig.java

@@ -22,9 +22,6 @@
 import com.fasterxml.jackson.datatype.jdk8.Jdk8Module;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
-import com.hubspot.immutable.collection.encoding.ImmutableListEncodingEnabled;
-import com.hubspot.immutable.collection.encoding.ImmutableMapEncodingEnabled;
-import com.hubspot.immutable.collection.encoding.ImmutableSetEncodingEnabled;
 import com.hubspot.jinjava.el.JinjavaInterpreterResolver;
 import com.hubspot.jinjava.el.JinjavaObjectUnwrapper;
 import com.hubspot.jinjava.el.JinjavaProcessors;
@@ -54,13 +51,7 @@
 import org.immutables.value.Value;
 
 @Value.Immutable(singleton = true)
-@Value.Style(
-  init = "with*",
-  get = { "is*", "get*" } // Detect 'get' and 'is' prefixes in accessor methods
-)
-@ImmutableSetEncodingEnabled
-@ImmutableListEncodingEnabled
-@ImmutableMapEncodingEnabled
+@JinjavaImmutableStyle
 public interface JinjavaConfig {
   @Value.Default
   default Charset getCharset() {

src/main/java/com/hubspot/jinjava/JinjavaImmutableStyle.java

@@ -0,0 +1,16 @@
+package com.hubspot.jinjava;
+
+import com.hubspot.immutable.collection.encoding.ImmutableListEncodingEnabled;
+import com.hubspot.immutable.collection.encoding.ImmutableMapEncodingEnabled;
+import com.hubspot.immutable.collection.encoding.ImmutableSetEncodingEnabled;
+import org.immutables.value.Value;
+
+@Value.Style(
+  init = "with*",
+  get = { "is*", "get*" } // Detect 'get' and 'is' prefixes in accessor methods
+)
+@ImmutableSetEncodingEnabled
+@ImmutableListEncodingEnabled
+@ImmutableMapEncodingEnabled
+public @interface JinjavaImmutableStyle {
+}

src/main/java/com/hubspot/jinjava/el/JinjavaInterpreterResolver.java

@@ -6,7 +6,6 @@
 import com.hubspot.jinjava.el.ext.AbstractCallableMethod;
 import com.hubspot.jinjava.el.ext.DeferredParsingException;
 import com.hubspot.jinjava.el.ext.ExtendedParser;
-import com.hubspot.jinjava.el.ext.ImmutableJinjavaBeanELResolverConfig;
 import com.hubspot.jinjava.el.ext.JinjavaBeanELResolver;
 import com.hubspot.jinjava.el.ext.JinjavaListELResolver;
 import com.hubspot.jinjava.el.ext.NamedParameter;
@@ -57,11 +56,14 @@ public class JinjavaInterpreterResolver extends SimpleResolver {
       add(new JinjavaListELResolver(true));
       add(new TypeConvertingMapELResolver(true));
       add(new ResourceBundleELResolver());
-      add(new JinjavaBeanELResolver(
-        new JinjavaBeanELResolver.JinjavaBeanELResolverConfig.Builder()
-          .readOnly(true)
-          .build()
-      ));
+      add(
+        new JinjavaBeanELResolver(
+          JinjavaBeanELResolver.JinjavaBeanELResolverConfig
+            .builder()
+            .withReadOnly(true)
+            .build()
+        )
+      );
     }
   };
 
@@ -71,11 +73,14 @@ public class JinjavaInterpreterResolver extends SimpleResolver {
       add(new JinjavaListELResolver(false));
       add(new TypeConvertingMapELResolver(false));
       add(new ResourceBundleELResolver());
-      add(new JinjavaBeanELResolver(
-        new JinjavaBeanELResolver.JinjavaBeanELResolverConfig.Builder()
-          .readOnly(false)
-          .build()
-      ));
+      add(
+        new JinjavaBeanELResolver(
+          JinjavaBeanELResolver.JinjavaBeanELResolverConfig
+            .builder()
+            .withReadOnly(false)
+            .build()
+        )
+      );
     }
   };
 

src/main/java/com/hubspot/jinjava/el/ext/JinjavaBeanELResolver.java

@@ -3,6 +3,7 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.base.CaseFormat;
 import com.google.common.collect.ImmutableSet;
+import com.hubspot.jinjava.JinjavaImmutableStyle;
 import com.hubspot.jinjava.interpret.DeferredValueException;
 import com.hubspot.jinjava.interpret.JinjavaInterpreter;
 import com.hubspot.jinjava.util.EagerReconstructionUtils;
@@ -66,12 +67,12 @@ public class JinjavaBeanELResolver extends BeanELResolver {
     .add("set")
     .add("merge")
     .build();
-  private final JinjavaBeanELResolverConfig jinjavaBeanELResolverConfig;
 
   @Value.Immutable(singleton = true)
+  @JinjavaImmutableStyle
   public interface JinjavaBeanELResolverConfig {
-    ImmutableSet<Method> allowMethods();
-    ImmutableSet<Class<?>> allowDeclaredMethodsFromClasses();
+    ImmutableSet<Method> allowedMethods();
+    ImmutableSet<Class<?>> allowedDeclaredMethodsFromClasses();
 
     @Value.Default
     default boolean readOnly() {
@@ -81,7 +82,7 @@ default boolean readOnly() {
     @Value.Check
     default void banClassesAndMethods() {
       if (
-        allowMethods()
+        allowedMethods()
           .stream()
           .anyMatch(method ->
             Class.class.equals(method.getDeclaringClass()) ||
@@ -95,7 +96,7 @@ default void banClassesAndMethods() {
         );
       }
       if (
-        allowDeclaredMethodsFromClasses()
+        allowedDeclaredMethodsFromClasses()
           .stream()
           .anyMatch(clazz ->
             Class.class.equals(clazz) ||
@@ -114,9 +115,14 @@ static JinjavaBeanELResolverConfig.Builder builder() {
       return new Builder();
     }
 
-    class Builder extends ImmutableJinjavaBeanELResolverConfig.Builder {}
+    class Builder extends ImmutableJinjavaBeanELResolverConfig.Builder {
+
+      Builder() {}
+    }
   }
 
+  private final MethodValidator methodValidator;
+
   public JinjavaBeanELResolver() {
     this(JinjavaBeanELResolverConfig.builder().build());
   }
@@ -125,7 +131,12 @@ public JinjavaBeanELResolver() {
    * Creates a new read/write {@link JinjavaBeanELResolver}.
    */
   public JinjavaBeanELResolver(JinjavaBeanELResolverConfig jinjavaBeanELResolverConfig) {
-    this.jinjavaBeanELResolverConfig = jinjavaBeanELResolverConfig;
+    super(jinjavaBeanELResolverConfig.readOnly());
+    this.methodValidator =
+      new MethodValidator(
+        jinjavaBeanELResolverConfig.allowedMethods(),
+        jinjavaBeanELResolverConfig.allowedDeclaredMethodsFromClasses()
+      );
   }
 
   @Override
@@ -221,10 +232,7 @@ protected Method findMethod(
       List<Method> potentialMethods = new LinkedList<>();
 
       for (Method m : methods) {
-        if (
-          m.getName().equals(name) &&
-          (isDeclaringClassAllowed(m.getDeclaringClass()) || methodAllowed(m))
-        ) {
+        if (m.getName().equals(name)) {
           int formalParamCount = m.getParameterTypes().length;
           if (m.isVarArgs() && paramCount >= formalParamCount - 1) {
             varArgsMethod = m;
@@ -250,17 +258,13 @@ protected Method findMethod(
               )
           );
     }
-    return method;
+    return methodValidator.validateMethod(method);
   }
 
-  private boolean methodAllowed(Method m) {
-    return jinjavaBeanELResolverConfig.allowMethods().contains(m);
-  }
-
-  private boolean isDeclaringClassAllowed(Class<?> declaringClass) {
-    return jinjavaBeanELResolverConfig
-      .allowDeclaredMethodsFromClasses()
-      .contains(declaringClass);
+  @Override
+  protected Method getReadMethod(Object base, Object property) {
+    Method method = super.getReadMethod(base, property);
+    return methodValidator.validateMethod(method);
   }
 
   private static boolean checkAssignableParameterTypes(Object[] params, Method method) {

src/main/java/com/hubspot/jinjava/el/ext/MethodAllowlists.java

@@ -0,0 +1,53 @@
+package com.hubspot.jinjava.el.ext;
+
+import com.google.common.collect.ImmutableSet;
+import com.hubspot.jinjava.JinjavaImmutableStyle;
+import com.hubspot.jinjava.lib.filter.Filter;
+import com.hubspot.jinjava.lib.filter.FilterLibrary;
+import java.lang.reflect.Method;
+import java.util.Arrays;
+import java.util.stream.Stream;
+import org.immutables.value.Value;
+
+public class MethodAllowlists {
+
+  @Value.Immutable
+  @JinjavaImmutableStyle
+  interface MethodAllowlist {
+    ImmutableSet<Method> allowCustomMethods();
+    ImmutableSet<Class<?>> allowCustomDeclaredMethodsFromClasses();
+    ImmutableSet<AllowlistGroup> allowlistGroups();
+  }
+
+  enum AllowlistGroup {
+    JavaString {
+      private static final Class<?>[] ARRAY = { String.class };
+
+      @Override
+      Class<?>[] allowDeclaredMethodsFromClasses() {
+        return ARRAY;
+      }
+    },
+    JinjavaFilters {
+      private static final Class<?>[] ARRAY = Stream
+        .concat(Stream.of(Filter.class), Arrays.stream(FilterLibrary.DEFAULT_FILTERS))
+        .toArray(Class<?>[]::new);
+
+      @Override
+      Class<?>[] allowDeclaredMethodsFromClasses() {
+        return ARRAY;
+      }
+    },
+    ReadOnlyCollectionsg,
+    WritableCollections,
+    JinjavaFunctions;
+
+    Method[] allowMethods() {
+      return new Method[0];
+    }
+
+    Class<?>[] allowDeclaredMethodsFromClasses() {
+      return new Class[0];
+    }
+  }
+}

src/main/java/com/hubspot/jinjava/el/ext/MethodValidator.java

@@ -0,0 +1,27 @@
+package com.hubspot.jinjava.el.ext;
+
+import com.google.common.collect.ImmutableSet;
+import java.lang.reflect.Method;
+
+public class MethodValidator {
+
+  private final ImmutableSet<Method> allowedMethods;
+  private final ImmutableSet<Class<?>> allowedDeclaredMethodsFromClasses;
+
+  public MethodValidator(
+    ImmutableSet<Method> allowedMethods,
+    ImmutableSet<Class<?>> allowedDeclaredMethodsFromClasses
+  ) {
+    this.allowedMethods = allowedMethods;
+    this.allowedDeclaredMethodsFromClasses = allowedDeclaredMethodsFromClasses;
+  }
+
+  public Method validateMethod(Method m) {
+    return (
+        allowedMethods.contains(m) ||
+        allowedDeclaredMethodsFromClasses.contains(m.getDeclaringClass())
+      )
+      ? m
+      : null;
+  }
+}