Address Sidekick review feedback

- Remove stale commented-out line in ExpressionResolver
- Remove @Value.Check from static utility method in BannedAllowlistOptions
- Make BeanMethod.method volatile for safe publication across threads
- Guard against getBeanMethods returning null for unknown method names
- Guard against getCanonicalName returning null for anonymous/local classes in AllowlistReturnTypeValidator and AllowlistMethodValidator

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: jasmith-hs

src/main/java/com/hubspot/jinjava/el/ExpressionResolver.java

@@ -352,7 +352,6 @@ public Object wrap(Object object) {
 
   public String getAsString(Object object) {
     if (interpreter.getConfig().getLegacyOverrides().isUsePyishObjectMapper()) {
-      //      resolver.
       return PyishObjectMapper.getAsUnquotedPyishString(object);
     }
     return Objects.toString(object, "");

src/main/java/com/hubspot/jinjava/el/ext/AllowlistMethodValidator.java

@@ -51,6 +51,9 @@ public Method validateMethod(Method m) {
       m1 -> {
         Class<?> clazz = m1.getDeclaringClass();
         String canonicalClassName = clazz.getCanonicalName();
+        if (canonicalClassName == null) {
+          return false;
+        }
         return (
           allowedMethods.contains(m1) ||
           allowedDeclaredMethodsFromCanonicalClassNames.contains(canonicalClassName) ||

src/main/java/com/hubspot/jinjava/el/ext/AllowlistReturnTypeValidator.java

@@ -52,6 +52,10 @@ public Object validateReturnType(Object o) {
       return o;
     }
     String canonicalClassName = clazz.getCanonicalName();
+    if (canonicalClassName == null) {
+      onRejectedClass.accept(clazz);
+      return null;
+    }
     boolean isAllowedClassName = allowedReturnTypesCache.computeIfAbsent(
       canonicalClassName,
       c ->

src/main/java/com/hubspot/jinjava/el/ext/BannedAllowlistOptions.java

@@ -7,8 +7,6 @@
 import java.util.List;
 import java.util.Set;
 import java.util.stream.Stream;
-import org.immutables.value.Value;
-
 public class BannedAllowlistOptions {
 
   // These aren't required, but they prevent someone from misconfiguring Jinjava to allow sandbox bypass unintentionally
@@ -42,7 +40,6 @@ public class BannedAllowlistOptions {
     )
     .collect(ImmutableSet.toImmutableSet());
 
-  @Value.Check
   public static List<String> findBannedPrefixes(Stream<String> prefixes) {
     return prefixes
       .filter(prefixOrName ->

src/main/java/com/hubspot/jinjava/el/ext/JinjavaBeanELResolver.java

@@ -84,7 +84,7 @@ protected static final class BeanMethod {
 
       private final MethodDescriptor descriptor;
 
-      private Method method;
+      private volatile Method method;
 
       public BeanMethod(MethodDescriptor descriptor) {
         this.descriptor = descriptor;
@@ -200,7 +200,11 @@ protected Method findMethod(
 
       List<Method> potentialMethods = new LinkedList<>();
 
-      for (BeanMethods.BeanMethod bm : beanMethods.getBeanMethods(name)) {
+      List<BeanMethods.BeanMethod> methodsForName = beanMethods.getBeanMethods(name);
+      if (methodsForName == null) {
+        methodsForName = List.of();
+      }
+      for (BeanMethods.BeanMethod bm : methodsForName) {
         Method m = bm.getMethod();
         int formalParamCount = m.getParameterTypes().length;
         if (m.isVarArgs() && paramCount >= formalParamCount - 1) {