Add a dot to the allowed jinjava packages to not allowlist packages with

jasmith-hs · jasmith-hs · commit cc852a0d288b · 2026-03-20T11:25:06.000-04:00
prefix
diff --git a/src/main/java/com/hubspot/jinjava/el/ext/AllowlistGroup.java b/src/main/java/com/hubspot/jinjava/el/ext/AllowlistGroup.java
@@ -143,7 +143,7 @@ String[] allowedDeclaredMethodsFromClasses() {
     }
   },
   JinjavaFilters {
-    private static final String[] ARRAY = { Filter.class.getPackageName() };
+    private static final String[] ARRAY = { Filter.class.getPackageName() + '.' };
 
     @Override
     String[] allowedDeclaredMethodsFromCanonicalClassPrefixes() {
@@ -169,7 +169,7 @@ String[] allowedReturnTypeClasses() {
     }
   },
   JinjavaExpTests {
-    private static final String[] ARRAY = { ExpTest.class.getPackageName() };
+    private static final String[] ARRAY = { ExpTest.class.getPackageName() + '.' };
 
     @Override
     String[] allowedDeclaredMethodsFromCanonicalClassPrefixes() {
diff --git a/src/main/java/com/hubspot/jinjava/el/ext/BannedAllowlistOptions.java b/src/main/java/com/hubspot/jinjava/el/ext/BannedAllowlistOptions.java
@@ -25,7 +25,7 @@ public class BannedAllowlistOptions {
 
   private static final Set<String> ALLOWED_JINJAVA_PREFIXES = Stream
     .concat(
-      Stream.of("com.hubspot.jinjava.testobjects"),
+      Stream.of("com.hubspot.jinjava.testobjects."),
       Arrays
         .stream(AllowlistGroup.values())
         .flatMap(g ->
diff --git a/src/test/java/com/hubspot/jinjava/BaseJinjavaTest.java b/src/test/java/com/hubspot/jinjava/BaseJinjavaTest.java
@@ -14,7 +14,7 @@ public abstract class BaseJinjavaTest {
         .builder()
         .addDefaultAllowlistGroups()
         .addAllowedDeclaredMethodsFromCanonicalClassPrefixes(
-          "com.hubspot.jinjava.testobjects"
+          "com.hubspot.jinjava.testobjects."
         )
         .build()
     );
@@ -23,7 +23,7 @@ public abstract class BaseJinjavaTest {
       ReturnTypeValidatorConfig
         .builder()
         .addDefaultAllowlistGroups()
-        .addAllowedCanonicalClassPrefixes("com.hubspot.jinjava.testobjects")
+        .addAllowedCanonicalClassPrefixes("com.hubspot.jinjava.testobjects.")
         .build()
     );
   public Jinjava jinjava;
diff --git a/src/test/java/com/hubspot/jinjava/el/ext/ValidatorConfigBannedConstructsTest.java b/src/test/java/com/hubspot/jinjava/el/ext/ValidatorConfigBannedConstructsTest.java
@@ -4,6 +4,7 @@
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.hubspot.jinjava.interpret.JinjavaInterpreter;
+import com.hubspot.jinjava.lib.filter.Filter;
 import java.lang.reflect.Method;
 import org.junit.Test;
 
@@ -119,6 +120,20 @@ public void itRejectsJacksonDatabindPackageInAllowedDeclaredMethodPrefixes() {
       .hasMessageContaining("Banned classes or prefixes");
   }
 
+  @Test
+  public void itRejectsEvilJinjavaFilterPathInAllowedDeclaredMethodPrefixes() {
+    assertThatThrownBy(() ->
+        MethodValidatorConfig
+          .builder()
+          .addAllowedDeclaredMethodsFromCanonicalClassPrefixes(
+            Filter.class.getPackageName() + "_evil"
+          )
+          .build()
+      )
+      .isInstanceOf(IllegalStateException.class)
+      .hasMessageContaining("Banned classes or prefixes");
+  }
+
   // ReturnTypeValidatorConfig: allowedCanonicalClassNames() path
 
   @Test
