Don't expect ____int3rpr3t3r____ and don't use arrays in ReverseFilter

and add method and return type validator to test classes

Author: jasmith-hs

src/main/java/com/hubspot/jinjava/el/ext/AllowlistGroup.java

@@ -100,6 +100,7 @@ String[] allowedDeclaredMethodsFromClasses() {
       AbstractCollection.class.getCanonicalName(),
       LinkedHashMap.class.getCanonicalName(),
       "%s.Entry".formatted(LinkedHashMap.class.getCanonicalName()),
+      "%s.LinkedValues".formatted(LinkedHashMap.class.getCanonicalName()),
     };
 
     @Override
@@ -146,6 +147,11 @@ String[] allowedReturnTypeCanonicalClassPrefixes() {
     String[] allowedDeclaredMethodsFromCanonicalClassPrefixes() {
       return ARRAY;
     }
+
+    @Override
+    String[] allowedReturnTypeCanonicalClassPrefixes() {
+      return ARRAY;
+    }
   };
 
   Method[] allowMethods() {

src/main/java/com/hubspot/jinjava/el/ext/AllowlistReturnTypeValidator.java

@@ -39,6 +39,9 @@ public Object validateReturnType(Object o) {
       return null;
     }
     Class<?> clazz = o.getClass();
+    while (clazz.isArray()) {
+      clazz = clazz.getComponentType();
+    }
     String canonicalClassName = clazz.getCanonicalName();
     boolean isAllowedClassName = allowedReturnTypesCache.computeIfAbsent(
       canonicalClassName,

src/main/java/com/hubspot/jinjava/lib/filter/RenderFilter.java

@@ -1,6 +1,5 @@
 package com.hubspot.jinjava.lib.filter;
 
-import com.hubspot.jinjava.JinjavaConfig;
 import com.hubspot.jinjava.doc.annotations.JinjavaDoc;
 import com.hubspot.jinjava.doc.annotations.JinjavaParam;
 import com.hubspot.jinjava.doc.annotations.JinjavaSnippet;
@@ -30,10 +29,7 @@ public Object filter(Object var, JinjavaInterpreter interpreter, String... args)
       String firstArg = args[0];
       return interpreter.renderFlat(
         Objects.toString(var),
-        NumberUtils.toLong(
-          firstArg,
-          JinjavaConfig.newBuilder().build().getMaxOutputSize()
-        )
+        NumberUtils.toLong(firstArg, interpreter.getConfig().getMaxOutputSize())
       );
     }
     return interpreter.renderFlat(Objects.toString(var));

src/main/java/com/hubspot/jinjava/lib/filter/ReverseFilter.java

@@ -19,8 +19,9 @@
 import com.hubspot.jinjava.doc.annotations.JinjavaParam;
 import com.hubspot.jinjava.doc.annotations.JinjavaSnippet;
 import com.hubspot.jinjava.interpret.JinjavaInterpreter;
-import java.lang.reflect.Array;
 import java.util.Collection;
+import java.util.Iterator;
+import java.util.NoSuchElementException;
 
 @JinjavaDoc(
   value = "Reverse the object or return an iterator the iterates over it the other way round.",
@@ -48,24 +49,11 @@ public Object filter(Object object, JinjavaInterpreter interpreter, String... ar
     }
     // collection
     if (object instanceof Collection) {
-      Object[] origin = ((Collection<?>) object).toArray();
-      int length = origin.length;
-      Object[] res = new Object[length];
-      length--;
-      for (int i = 0; i <= length; i++) {
-        res[i] = origin[length - i];
-      }
-      return res;
+      return ReverseArrayIterator.create(((Collection<?>) object).toArray());
     }
     // array
     if (object.getClass().isArray()) {
-      int length = Array.getLength(object);
-      Object[] res = new Object[length];
-      length--;
-      for (int i = 0; i <= length; i++) {
-        res[i] = Array.get(object, length - i);
-      }
-      return res;
+      return ReverseArrayIterator.create((Object[]) object);
     }
     // string
     if (object instanceof String) {
@@ -86,4 +74,32 @@ public Object filter(Object object, JinjavaInterpreter interpreter, String... ar
   public String getName() {
     return "reverse";
   }
+
+  static class ReverseArrayIterator<T> implements Iterator<T> {
+
+    private final T[] array;
+    private int index;
+
+    static <T> ReverseArrayIterator<T> create(T[] array) {
+      return new ReverseArrayIterator<>(array);
+    }
+
+    private ReverseArrayIterator(T[] array) {
+      this.array = array;
+      index = array.length - 1;
+    }
+
+    @Override
+    public T next() {
+      if (index < 0) {
+        throw new NoSuchElementException();
+      }
+      return array[index--];
+    }
+
+    @Override
+    public boolean hasNext() {
+      return index >= 0;
+    }
+  }
 }

src/main/java/com/hubspot/jinjava/lib/tag/eager/EagerCycleTag.java

@@ -2,7 +2,6 @@
 
 import com.google.common.annotations.Beta;
 import com.google.common.collect.ImmutableMap;
-import com.hubspot.jinjava.el.ext.ExtendedParser;
 import com.hubspot.jinjava.interpret.JinjavaInterpreter;
 import com.hubspot.jinjava.interpret.TemplateSyntaxException;
 import com.hubspot.jinjava.lib.tag.CycleTag;
@@ -239,19 +238,17 @@ private static String getIsIterable(String var, int forIndex, TagToken tagToken)
     String tokenEnd = tagToken.getSymbols().getExpressionEndWithTag();
     return (
       String.format(
-        "%s if exptest:iterable.evaluate(%s, %s) %s",
+        "%s if exptest:iterable.evaluate(%s, null) %s",
         tokenStart,
         var,
-        ExtendedParser.INTERPRETER,
         tokenEnd
       ) +
       // modulo indexing
       String.format(
-        "{{ %s[%d %% filter:length.filter(%s, %s)] }}",
+        "{{ %s[%d %% filter:length.filter(%s, null)] }}",
         var,
         forIndex,
-        var,
-        ExtendedParser.INTERPRETER
+        var
       ) +
       String.format("%s else %s", tokenStart, tokenEnd) +
       String.format("{{ %s }}", var) +

src/test/java/com/hubspot/jinjava/BaseJinjavaTest.java

@@ -1,13 +1,42 @@
 package com.hubspot.jinjava;
 
+import com.hubspot.jinjava.el.ext.AllowlistMethodValidator;
+import com.hubspot.jinjava.el.ext.AllowlistReturnTypeValidator;
+import com.hubspot.jinjava.el.ext.MethodValidatorConfig;
+import com.hubspot.jinjava.el.ext.ReturnTypeValidatorConfig;
 import org.junit.Before;
 
 public abstract class BaseJinjavaTest {
 
+  public static final AllowlistMethodValidator METHOD_VALIDATOR =
+    AllowlistMethodValidator.create(
+      MethodValidatorConfig
+        .builder()
+        .addDefaultAllowlistGroups()
+        .addAllowedDeclaredMethodsFromCanonicalClassPrefixes(
+          "com.hubspot.jinjava.testobjects"
+        )
+        .build()
+    );
+  public static final AllowlistReturnTypeValidator RETURN_TYPE_VALIDATOR =
+    AllowlistReturnTypeValidator.create(
+      ReturnTypeValidatorConfig
+        .builder()
+        .addDefaultAllowlistGroups()
+        .addAllowedCanonicalClassPrefixes("com.hubspot.jinjava.testobjects")
+        .build()
+    );
   public Jinjava jinjava;
 
   @Before
   public void baseSetup() {
-    jinjava = new Jinjava();
+    jinjava =
+      new Jinjava(
+        JinjavaConfig
+          .newBuilder()
+          .withMethodValidator(METHOD_VALIDATOR)
+          .withReturnTypeValidator(RETURN_TYPE_VALIDATOR)
+          .build()
+      );
   }
 }

src/test/java/com/hubspot/jinjava/EagerTest.java

@@ -74,6 +74,8 @@ public Optional<LocationResolver> getLocationResolver() {
     );
     JinjavaConfig config = JinjavaConfig
       .newBuilder()
+      .withMethodValidator(BaseJinjavaTest.METHOD_VALIDATOR)
+      .withReturnTypeValidator(BaseJinjavaTest.RETURN_TYPE_VALIDATOR)
       .withRandomNumberGeneratorStrategy(RandomNumberGeneratorStrategy.DEFERRED)
       .withExecutionMode(executionMode)
       .withNestedInterpretationEnabled(true)
@@ -216,7 +218,7 @@ public void itPreserveDeferredVariableResolvingEqualToInOrCondition() {
 
     assertThat(output)
       .isEqualTo(
-        "{% if false || exptest:equalto.evaluate('a', ____int3rpr3t3r____, deferred) %}preserved{% endif %}"
+        "{% if false || exptest:equalto.evaluate('a', null, deferred) %}preserved{% endif %}"
       );
     assertThat(interpreter.getErrors()).isEmpty();
     localContext.put("deferred", "a");
@@ -307,8 +309,7 @@ public void itPreservesForTag() {
   @Test
   public void itPreservesFilters() {
     String output = interpreter.render("{{ deferred|capitalize }}");
-    assertThat(output)
-      .isEqualTo("{{ filter:capitalize.filter(deferred, ____int3rpr3t3r____) }}");
+    assertThat(output).isEqualTo("{{ filter:capitalize.filter(deferred, null) }}");
     assertThat(interpreter.getErrors()).isEmpty();
     localContext.put("deferred", "foo");
     assertThat(interpreter.render(output)).isEqualTo("Foo");
@@ -318,17 +319,14 @@ public void itPreservesFilters() {
   public void itPreservesFunctions() {
     String output = interpreter.render("{{ deferred|datetimeformat('%B %e, %Y') }}");
     assertThat(output)
-      .isEqualTo(
-        "{{ filter:datetimeformat.filter(deferred, ____int3rpr3t3r____, '%B %e, %Y') }}"
-      );
+      .isEqualTo("{{ filter:datetimeformat.filter(deferred, null, '%B %e, %Y') }}");
     assertThat(interpreter.getErrors()).isEmpty();
   }
 
   @Test
   public void itPreservesRandomness() {
     String output = interpreter.render("{{ [1, 2, 3]|shuffle }}");
-    assertThat(output)
-      .isEqualTo("{{ filter:shuffle.filter([1, 2, 3], ____int3rpr3t3r____) }}");
+    assertThat(output).isEqualTo("{{ filter:shuffle.filter([1, 2, 3], null) }}");
     assertThat(interpreter.getErrors()).isEmpty();
   }
 
@@ -779,6 +777,8 @@ public void itHandlesAutoEscape() {
   public void itWrapsCertainOutputInRaw() {
     JinjavaConfig config = JinjavaConfig
       .newBuilder()
+      .withMethodValidator(BaseJinjavaTest.METHOD_VALIDATOR)
+      .withReturnTypeValidator(BaseJinjavaTest.RETURN_TYPE_VALIDATOR)
       .withRandomNumberGeneratorStrategy(RandomNumberGeneratorStrategy.DEFERRED)
       .withExecutionMode(EagerExecutionMode.instance())
       .withNestedInterpretationEnabled(false)
@@ -865,13 +865,20 @@ public void itHandlesUnknownFunctionErrors() {
     JinjavaInterpreter eagerInterpreter = new JinjavaInterpreter(
       jinjava,
       jinjava.getGlobalContextCopy(),
-      JinjavaConfig.newBuilder().withExecutionMode(EagerExecutionMode.instance()).build()
+      JinjavaConfig
+        .newBuilder()
+        .withMethodValidator(BaseJinjavaTest.METHOD_VALIDATOR)
+        .withReturnTypeValidator(BaseJinjavaTest.RETURN_TYPE_VALIDATOR)
+        .withExecutionMode(EagerExecutionMode.instance())
+        .build()
     );
     JinjavaInterpreter defaultInterpreter = new JinjavaInterpreter(
       jinjava,
       jinjava.getGlobalContextCopy(),
       JinjavaConfig
         .newBuilder()
+        .withMethodValidator(BaseJinjavaTest.METHOD_VALIDATOR)
+        .withReturnTypeValidator(BaseJinjavaTest.RETURN_TYPE_VALIDATOR)
         .withExecutionMode(DefaultExecutionMode.instance())
         .build()
     );

src/test/java/com/hubspot/jinjava/ExpectedTemplateInterpreter.java

@@ -78,6 +78,8 @@ public String assertExpectedNonEagerOutput(String name) {
         jinjava.getGlobalContextCopy(),
         JinjavaConfig
           .newBuilder()
+          .withMethodValidator(BaseJinjavaTest.METHOD_VALIDATOR)
+          .withReturnTypeValidator(BaseJinjavaTest.RETURN_TYPE_VALIDATOR)
           .withExecutionMode(DefaultExecutionMode.instance())
           .withNestedInterpretationEnabled(true)
           .withLegacyOverrides(
@@ -109,6 +111,8 @@ public String assertExpectedNonEagerOutput(String name) {
           jinjava.getGlobalContextCopy(),
           JinjavaConfig
             .newBuilder()
+            .withMethodValidator(BaseJinjavaTest.METHOD_VALIDATOR)
+            .withReturnTypeValidator(BaseJinjavaTest.RETURN_TYPE_VALIDATOR)
             .withExecutionMode(DefaultExecutionMode.instance())
             .withNestedInterpretationEnabled(true)
             .withLegacyOverrides(

src/test/java/com/hubspot/jinjava/FullSnippetsTest.java

@@ -52,6 +52,8 @@ public Optional<LocationResolver> getLocationResolver() {
     );
     JinjavaConfig config = JinjavaConfig
       .newBuilder()
+      .withMethodValidator(BaseJinjavaTest.METHOD_VALIDATOR)
+      .withReturnTypeValidator(BaseJinjavaTest.RETURN_TYPE_VALIDATOR)
       .withNestedInterpretationEnabled(true)
       .withLegacyOverrides(
         LegacyOverrides.newBuilder().withUsePyishObjectMapper(true).build()

src/test/java/com/hubspot/jinjava/el/ExpressionResolverTest.java

@@ -8,6 +8,7 @@
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Maps;
+import com.hubspot.jinjava.BaseJinjavaTest;
 import com.hubspot.jinjava.Jinjava;
 import com.hubspot.jinjava.JinjavaConfig;
 import com.hubspot.jinjava.interpret.Context;
@@ -481,6 +482,8 @@ public void itBlocksDisabledFunctions() {
 
     final JinjavaConfig config = JinjavaConfig
       .newBuilder()
+      .withMethodValidator(BaseJinjavaTest.METHOD_VALIDATOR)
+      .withReturnTypeValidator(BaseJinjavaTest.RETURN_TYPE_VALIDATOR)
       .withDisabled(disabled)
       .build();
 
@@ -514,7 +517,11 @@ public void itBlocksDisabledExpTests() {
   @Test
   public void itStoresResolvedFunctions() {
     context.put("datetime", 12345);
-    final JinjavaConfig config = JinjavaConfig.newBuilder().build();
+    final JinjavaConfig config = JinjavaConfig
+      .newBuilder()
+      .withMethodValidator(BaseJinjavaTest.METHOD_VALIDATOR)
+      .withReturnTypeValidator(BaseJinjavaTest.RETURN_TYPE_VALIDATOR)
+      .build();
     String template =
       "{% for i in range(1, 5) %}{{i}} {% endfor %}\n{{ unixtimestamp(datetime) }}";
     final RenderResult renderResult = jinjava.renderForResult(template, context, config);
@@ -618,46 +625,36 @@ public void itResolvesAlternateExpTestSyntax() {
     assertThat(interpreter.render("{% if 2 is even %}yes{% endif %}")).isEqualTo("yes");
 
     assertThat(
-      interpreter.render(
-        "{% if exptest:even.evaluate(2, ____int3rpr3t3r____) %}yes{% endif %}"
-      )
+      interpreter.render("{% if exptest:even.evaluate(2, null) %}yes{% endif %}")
     )
       .isEqualTo("yes");
     assertThat(
-      interpreter.render(
-        "{% if exptest:false.evaluate(false, ____int3rpr3t3r____) %}yes{% endif %}"
-      )
+      interpreter.render("{% if exptest:false.evaluate(false, null) %}yes{% endif %}")
     )
       .isEqualTo("yes");
   }
 
   @Test
   public void itResolvesAlternateExpTestSyntaxForTrueAndFalseExpTests() {
     assertThat(
-      interpreter.render(
-        "{% if exptest:false.evaluate(false, ____int3rpr3t3r____) %}yes{% endif %}"
-      )
+      interpreter.render("{% if exptest:false.evaluate(false, null) %}yes{% endif %}")
     )
       .isEqualTo("yes");
     assertThat(
-      interpreter.render(
-        "{% if exptest:true.evaluate(true, ____int3rpr3t3r____) %}yes{% endif %}"
-      )
+      interpreter.render("{% if exptest:true.evaluate(true, null) %}yes{% endif %}")
     )
       .isEqualTo("yes");
   }
 
   @Test
   public void itResolvesAlternateExpTestSyntaxForInExpTests() {
     assertThat(
-      interpreter.render(
-        "{% if exptest:in.evaluate(1, ____int3rpr3t3r____, [1]) %}yes{% endif %}"
-      )
+      interpreter.render("{% if exptest:in.evaluate(1, null, [1]) %}yes{% endif %}")
     )
       .isEqualTo("yes");
     assertThat(
       interpreter.render(
-        "{% if exptest:in.evaluate(2, ____int3rpr3t3r____, [1]) %}yes{% else %}no{% endif %}"
+        "{% if exptest:in.evaluate(2, null, [1]) %}yes{% else %}no{% endif %}"
       )
     )
       .isEqualTo("no");