Use string-based config. Make the allowlists easier to work with

Author: jasmith-hs

src/main/java/com/hubspot/jinjava/JinjavaConfig.java

@@ -53,7 +53,7 @@
 import org.immutables.value.Value;
 
 @Value.Immutable(singleton = true)
-@JinjavaImmutableStyle
+@JinjavaImmutableStyle.WithStyle
 public interface JinjavaConfig {
   @Value.Default
   default Charset getCharset() {
@@ -164,7 +164,9 @@ default TokenScannerSymbols getTokenScannerSymbols() {
 
   @Value.Default
   default MethodValidator getMethodValidator() {
-    return MethodValidator.create(MethodValidatorConfig.of());
+    return MethodValidator.create(
+      MethodValidatorConfig.builder().addDefaultAllowlistGroups().build()
+    );
   }
 
   @Value.Default

src/main/java/com/hubspot/jinjava/JinjavaImmutableStyle.java

@@ -6,11 +6,20 @@
 import org.immutables.value.Value;
 
 @Value.Style(
-  init = "with*",
+  init = "set*",
   get = { "is*", "get*" } // Detect 'get' and 'is' prefixes in accessor methods
 )
 @ImmutableSetEncodingEnabled
 @ImmutableListEncodingEnabled
 @ImmutableMapEncodingEnabled
 public @interface JinjavaImmutableStyle {
+  @Value.Style(
+    init = "with*",
+    get = { "is*", "get*" } // Detect 'get' and 'is' prefixes in accessor methods
+  )
+  @ImmutableSetEncodingEnabled
+  @ImmutableListEncodingEnabled
+  @ImmutableMapEncodingEnabled
+  @interface WithStyle {
+  }
 }

src/main/java/com/hubspot/jinjava/el/ext/JinjavaBeanELResolver.java

@@ -45,6 +45,10 @@ public JinjavaBeanELResolver() {
     this(true, MethodValidator.create(MethodValidatorConfig.builder().build()));
   }
 
+  public JinjavaBeanELResolver(MethodValidator methodValidator) {
+    this(true, methodValidator);
+  }
+
   /**
    * Creates a new read/write {@link JinjavaBeanELResolver}.
    */

src/main/java/com/hubspot/jinjava/el/ext/MethodAllowlists.java

@@ -6,45 +6,65 @@
 public final class MethodValidator {
 
   private final ImmutableSet<Method> allowedMethods;
-  private final ImmutableSet<Class<?>> allowedDeclaredMethodsFromClasses;
-  private final ImmutableSet<String> allowedDeclaredMethodsFromPackages;
-  private final ImmutableSet<Class<?>> allowedResultClasses;
-  private final ImmutableSet<String> allowedResultPackages;
+  private final ImmutableSet<String> allowedDeclaredMethodsFromCanonicalClassPrefixes;
+  private final ImmutableSet<String> allowedDeclaredMethodsFromCanonicalClassNames;
+  private final ImmutableSet<String> allowedResultCanonicalClassPrefixes;
+  private final ImmutableSet<String> allowedResultCanonicalClassNames;
 
   public static MethodValidator create(MethodValidatorConfig methodValidatorConfig) {
     return new MethodValidator(methodValidatorConfig);
   }
 
   private MethodValidator(MethodValidatorConfig methodValidatorConfig) {
     this.allowedMethods = methodValidatorConfig.allowedMethods();
-    this.allowedDeclaredMethodsFromClasses =
-      methodValidatorConfig.allowedDeclaredMethodsFromClasses();
-    this.allowedDeclaredMethodsFromPackages =
-      methodValidatorConfig.allowedDeclaredMethodsFromPackages();
-    this.allowedResultClasses = methodValidatorConfig.allowedResultClasses();
-    this.allowedResultPackages = methodValidatorConfig.allowedResultPackages();
+    this.allowedDeclaredMethodsFromCanonicalClassPrefixes =
+      methodValidatorConfig.allowedDeclaredMethodsFromCanonicalClassPrefixes();
+    this.allowedDeclaredMethodsFromCanonicalClassNames =
+      methodValidatorConfig.allowedDeclaredMethodsFromCanonicalClassNames();
+    this.allowedResultCanonicalClassPrefixes =
+      ImmutableSet
+        .<String>builder()
+        .addAll(methodValidatorConfig.allowedResultCanonicalClassPrefixes())
+        .addAll(methodValidatorConfig.allowedDeclaredMethodsFromCanonicalClassPrefixes())
+        .build();
+    this.allowedResultCanonicalClassNames =
+      ImmutableSet
+        .<String>builder()
+        .addAll(methodValidatorConfig.allowedResultCanonicalClassNames())
+        .addAll(methodValidatorConfig.allowedDeclaredMethodsFromCanonicalClassNames())
+        .build();
   }
 
   public Method validateMethod(Method m) {
+    if (m == null) {
+      return null;
+    }
+    String canonicalDeclaringClassName = m.getDeclaringClass().getCanonicalName();
     return (
-        m == null ||
         allowedMethods.contains(m) ||
-        allowedDeclaredMethodsFromClasses.contains(m.getDeclaringClass()) ||
-        allowedDeclaredMethodsFromPackages
+        allowedDeclaredMethodsFromCanonicalClassNames.contains(
+          canonicalDeclaringClassName
+        ) ||
+        allowedDeclaredMethodsFromCanonicalClassPrefixes
           .stream()
-          .anyMatch(p -> m.getDeclaringClass().getPackageName().startsWith(p))
+          .anyMatch(canonicalDeclaringClassName::startsWith)
       )
       ? m
       : null;
   }
 
   public Object validateResult(Object o) {
+    if (o == null) {
+      return null;
+    }
+    String canonicalClassName = o.getClass().getCanonicalName();
     return (
-      o == null ||
-      allowedResultClasses.contains(o.getClass()) ||
-      allowedResultPackages
-        .stream()
-        .anyMatch(p -> o.getClass().getPackageName().startsWith(p))
-    );
+        allowedResultCanonicalClassNames.contains(canonicalClassName) ||
+        allowedResultCanonicalClassPrefixes
+          .stream()
+          .anyMatch(canonicalClassName::startsWith)
+      )
+      ? o
+      : null;
   }
 }