Add a dot to the allowed jinjava packages to not allowlist packages with

prefix

Author: jasmith-hs

src/main/java/com/hubspot/jinjava/el/ext/AllowlistGroup.java

@@ -143,7 +143,7 @@ String[] allowedDeclaredMethodsFromClasses() {
     }
   },
   JinjavaFilters {
-    private static final String[] ARRAY = { Filter.class.getPackageName() };
+    private static final String[] ARRAY = { Filter.class.getPackageName() + '.' };
 
     @Override
     String[] allowedDeclaredMethodsFromCanonicalClassPrefixes() {
@@ -169,7 +169,7 @@ String[] allowedReturnTypeClasses() {
     }
   },
   JinjavaExpTests {
-    private static final String[] ARRAY = { ExpTest.class.getPackageName() };
+    private static final String[] ARRAY = { ExpTest.class.getPackageName() + '.' };
 
     @Override
     String[] allowedDeclaredMethodsFromCanonicalClassPrefixes() {

src/main/java/com/hubspot/jinjava/el/ext/BannedAllowlistOptions.java

@@ -25,7 +25,7 @@ public class BannedAllowlistOptions {
 
   private static final Set<String> ALLOWED_JINJAVA_PREFIXES = Stream
     .concat(
-      Stream.of("com.hubspot.jinjava.testobjects"),
+      Stream.of("com.hubspot.jinjava.testobjects."),
       Arrays
         .stream(AllowlistGroup.values())
         .flatMap(g ->

src/test/java/com/hubspot/jinjava/BaseJinjavaTest.java

@@ -14,7 +14,7 @@ public abstract class BaseJinjavaTest {
         .builder()
         .addDefaultAllowlistGroups()
         .addAllowedDeclaredMethodsFromCanonicalClassPrefixes(
-          "com.hubspot.jinjava.testobjects"
+          "com.hubspot.jinjava.testobjects."
         )
         .build()
     );
@@ -23,7 +23,7 @@ public abstract class BaseJinjavaTest {
       ReturnTypeValidatorConfig
         .builder()
         .addDefaultAllowlistGroups()
-        .addAllowedCanonicalClassPrefixes("com.hubspot.jinjava.testobjects")
+        .addAllowedCanonicalClassPrefixes("com.hubspot.jinjava.testobjects.")
         .build()
     );
   public Jinjava jinjava;

src/test/java/com/hubspot/jinjava/el/ext/ValidatorConfigBannedConstructsTest.java

@@ -4,6 +4,8 @@
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.hubspot.jinjava.interpret.JinjavaInterpreter;
+import com.hubspot.jinjava.lib.exptest.ExpTest;
+import com.hubspot.jinjava.lib.filter.Filter;
 import java.lang.reflect.Method;
 import org.junit.Test;
 
@@ -119,6 +121,34 @@ public void itRejectsJacksonDatabindPackageInAllowedDeclaredMethodPrefixes() {
       .hasMessageContaining("Banned classes or prefixes");
   }
 
+  @Test
+  public void itRejectsEvilJinjavaFilterPathInAllowedDeclaredMethodPrefixes() {
+    assertThatThrownBy(() ->
+        MethodValidatorConfig
+          .builder()
+          .addAllowedDeclaredMethodsFromCanonicalClassPrefixes(
+            Filter.class.getPackageName() + "_evil"
+          )
+          .build()
+      )
+      .isInstanceOf(IllegalStateException.class)
+      .hasMessageContaining("Banned classes or prefixes");
+  }
+
+  @Test
+  public void itRejectsEvilJinjavaExptestPathInAllowedDeclaredMethodPrefixes() {
+    assertThatThrownBy(() ->
+        MethodValidatorConfig
+          .builder()
+          .addAllowedDeclaredMethodsFromCanonicalClassPrefixes(
+            ExpTest.class.getPackageName() + "_evil"
+          )
+          .build()
+      )
+      .isInstanceOf(IllegalStateException.class)
+      .hasMessageContaining("Banned classes or prefixes");
+  }
+
   // ReturnTypeValidatorConfig: allowedCanonicalClassNames() path
 
   @Test