/**
 * Resolves {@code classname} through the environment's {@code ?new} class resolver and
 * refuses classes that this built-in must not instantiate.
 *
 * <p>The configured {@code TemplateClassResolver} is the policy gate: it decides whether the
 * name may be resolved at all. The checks below are applied afterwards, in this order, to
 * whatever class the resolver returned.
 *
 * @param classname class name passed to the built-in by the template
 * @param env       environment whose resolver is consulted and which is attached to errors
 * @param template  template handed to the resolver together with the class name
 * @throws TemplateException if the resolver rejects the name, or the resolved class is not a
 *                           {@code TemplateModel}, is a {@code BeanModel}, or is a Jython model
 */
public ConstructorFunction(String classname, Environment env, Template template)
        throws TemplateException {
    this.env = env;
    cl = env.getNewBuiltinClassResolver().resolve(classname, env, template);

    // Only TemplateModel implementations may be created from a template.
    final boolean isTemplateModel = TemplateModel.class.isAssignableFrom(cl);
    if (!isTemplateModel) {
        throw new _MiscTemplateException(NewBI.this, env,
                "Class ", cl.getName(), " does not implement freemarker.template.TemplateModel");
    }

    // Bean wrappers are refused even though they are TemplateModels.
    final boolean isBeanModel = BeanModel.class.isAssignableFrom(cl);
    if (isBeanModel) {
        throw new _MiscTemplateException(NewBI.this, env,
                "Bean Models cannot be instantiated using the ?", key, " built-in");
    }

    // JYTHON_MODEL_CLASS may be null (presumably when Jython is unavailable -- confirm),
    // in which case this check is skipped.
    final boolean isJythonModel =
            JYTHON_MODEL_CLASS != null && JYTHON_MODEL_CLASS.isAssignableFrom(cl);
    if (isJythonModel) {
        throw new _MiscTemplateException(NewBI.this, env,
                "Jython Models cannot be instantiated using the ?", key, " built-in");
    }
}
/**
 * Builds a FreeMarker configuration whose {@code ?new} built-in goes through a guarded class
 * resolver.
 *
 * <p>Only the class resolver used by {@code ?new} is customised here; every other setting keeps
 * the default of {@code new Configuration()}. Whether the result is safe for untrusted templates
 * therefore also depends on settings and data-model exposure that this method does not touch.
 *
 * <p>NOTE(review): {@code LEGAL_FREEMARKER_CLASSES} is not enforced as an allowlist. A listed
 * name is only checked for loadability, and a name on neither list is still handed to
 * {@code SAFER_RESOLVER}, which FreeMarker documents as refusing only a few known-dangerous
 * classes. If allowlist-only resolution is intended, confirm and tighten; if templates never need
 * {@code ?new}, {@code TemplateClassResolver.ALLOWS_NOTHING_RESOLVER} is the stricter choice.
 *
 * <p>NOTE(review): the no-argument {@code Configuration} constructor is deprecated in newer
 * FreeMarker releases; confirm which release this code targets.
 *
 * @return a new {@link Configuration} with the guarded {@code ?new} class resolver installed
 */
public static Configuration getSafeConfiguration() {
    TemplateClassResolver guardedResolver = (requestedClass, environment, tpl) -> {
        // Explicit denylist: refuse before any class loading is attempted.
        boolean denied = ILLEGAL_FREEMARKER_CLASSES.stream().anyMatch(requestedClass::equals);
        if (denied) {
            throw new TemplateException(
                    String.format("Class %s is not allowed in Freemarker templates", requestedClass),
                    environment);
        }

        // Listed names are probed for existence only; the loaded class is discarded and the
        // request still goes through SAFER_RESOLVER below.
        boolean listed = LEGAL_FREEMARKER_CLASSES.stream().anyMatch(requestedClass::equals);
        if (listed) {
            try {
                ClassUtil.forName(requestedClass);
            } catch (ClassNotFoundException e) {
                throw new TemplateException(e, environment);
            }
        }

        return TemplateClassResolver.SAFER_RESOLVER.resolve(requestedClass, environment, tpl);
    };

    Configuration config = new Configuration();
    config.setNewBuiltinClassResolver(guardedResolver);
    return config;
}
}
/**
 * Resolves a class for the {@code ?new} built-in, applying a looser policy to trusted
 * templates and an explicit allowlist to all others.
 *
 * <p>A template counts as trusted when its name is non-null and is either contained in
 * {@code trustedTemplateNames} or accepted by {@code hasMatchingPrefix}. Trusted templates are
 * delegated to {@code SAFER_RESOLVER}; every other template may only resolve names contained
 * in {@code allowedClasses}.
 *
 * <p>NOTE(review): trust is keyed on the template's name, so it relies on untrusted authors
 * being unable to store templates under a trusted name or prefix -- confirm against the
 * template loader in use.
 *
 * @param className class name requested by the template
 * @param env       environment attached to any error raised
 * @param template  template issuing the request; its name drives the trust decision
 * @return the resolved class
 * @throws TemplateException if the class is not allowed for this template or cannot be found
 */
public Class resolve(String className, Environment env, Template template)
        throws TemplateException {
    final String templateName = safeGetTemplateName(template);
    final boolean trusted = templateName != null
            && (trustedTemplateNames.contains(templateName) || hasMatchingPrefix(templateName));

    if (trusted) {
        return TemplateClassResolver.SAFER_RESOLVER.resolve(className, env, template);
    }

    if (allowedClasses.contains(className)) {
        try {
            return ClassUtil.forName(className);
        } catch (ClassNotFoundException e) {
            throw new _MiscTemplateException(e, env);
        }
    }

    // Untrusted template asking for a class outside the allowlist.
    throw new _MiscTemplateException(env,
            "Instantiating ", className,
            " is not allowed in the template for security reasons. (If you "
                    + "run into this problem when using ?new in a template, you may want to check the \"",
            Configurable.NEW_BUILTIN_CLASS_RESOLVER_KEY,
            "\" setting in the FreeMarker configuration.)");
}
/**
 * Resolves {@code classname} through the environment's {@code ?new} class resolver and
 * refuses classes that {@code ?new} must not instantiate.
 *
 * <p>The configured {@code TemplateClassResolver} decides whether the name may be resolved at
 * all; the checks below are applied afterwards, in this order, to the class it returned.
 *
 * @param classname class name passed to {@code ?new} by the template
 * @param env       environment whose resolver is consulted and which is attached to errors
 * @param template  template handed to the resolver together with the class name
 * @throws TemplateException if the resolver rejects the name, or the resolved class is not a
 *                           {@code TemplateModel}, is a bean model, or is a Jython model
 */
public ConstructorFunction(String classname, Environment env, Template template)
        throws TemplateException {
    this.env = env;
    cl = env.getNewBuiltinClassResolver().resolve(classname, env, template);

    // Only TemplateModel implementations may be created from a template.
    final boolean isTemplateModel = TM_CLASS.isAssignableFrom(cl);
    if (!isTemplateModel) {
        throw new TemplateException(
                "Class " + cl.getName() + " does not implement freemarker.template.TemplateModel",
                env);
    }

    // Bean wrappers are refused even though they are TemplateModels.
    final boolean isBeanModel = BEAN_MODEL_CLASS.isAssignableFrom(cl);
    if (isBeanModel) {
        throw new TemplateException(
                "Bean Models cannot be instantiated using the ?new built-in", env);
    }

    // JYTHON_MODEL_CLASS may be null (presumably when Jython is unavailable -- confirm),
    // in which case this check is skipped.
    final boolean isJythonModel =
            JYTHON_MODEL_CLASS != null && JYTHON_MODEL_CLASS.isAssignableFrom(cl);
    if (isJythonModel) {
        throw new TemplateException(
                "Jython Models cannot be instantiated using the ?new built-in", env);
    }
}
/**
 * Resolves {@code classname} through the environment's {@code ?new} class resolver and
 * refuses classes that this built-in must not instantiate.
 *
 * <p>The configured {@code TemplateClassResolver} is the policy gate: it decides whether the
 * name may be resolved at all. The checks below are applied afterwards, in this order, to
 * whatever class the resolver returned.
 *
 * @param classname class name passed to the built-in by the template
 * @param env       environment whose resolver is consulted and which is attached to errors
 * @param template  template handed to the resolver together with the class name
 * @throws TemplateException if the resolver rejects the name, or the resolved class is not a
 *                           {@code TemplateModel}, is a {@code BeanModel}, or is a Jython model
 */
public ConstructorFunction(String classname, Environment env, Template template)
        throws TemplateException {
    this.env = env;
    cl = env.getNewBuiltinClassResolver().resolve(classname, env, template);

    // Only TemplateModel implementations may be created from a template.
    final boolean isTemplateModel = TemplateModel.class.isAssignableFrom(cl);
    if (!isTemplateModel) {
        throw new _MiscTemplateException(NewBI.this, env,
                "Class ", cl.getName(), " does not implement freemarker.template.TemplateModel");
    }

    // Bean wrappers are refused even though they are TemplateModels.
    final boolean isBeanModel = BeanModel.class.isAssignableFrom(cl);
    if (isBeanModel) {
        throw new _MiscTemplateException(NewBI.this, env,
                "Bean Models cannot be instantiated using the ?", key, " built-in");
    }

    // JYTHON_MODEL_CLASS may be null (presumably when Jython is unavailable -- confirm),
    // in which case this check is skipped.
    final boolean isJythonModel =
            JYTHON_MODEL_CLASS != null && JYTHON_MODEL_CLASS.isAssignableFrom(cl);
    if (isJythonModel) {
        throw new _MiscTemplateException(NewBI.this, env,
                "Jython Models cannot be instantiated using the ?", key, " built-in");
    }
}
/**
 * Resolves {@code classname} through the environment's {@code ?new} class resolver and
 * refuses classes that this built-in must not instantiate.
 *
 * <p>The configured {@code TemplateClassResolver} is the policy gate: it decides whether the
 * name may be resolved at all. The checks below are applied afterwards, in this order, to
 * whatever class the resolver returned.
 *
 * @param classname class name passed to the built-in by the template
 * @param env       environment whose resolver is consulted and which is attached to errors
 * @param template  template handed to the resolver together with the class name
 * @throws TemplateException if the resolver rejects the name, or the resolved class is not a
 *                           {@code TemplateModel}, is a {@code BeanModel}, or is a Jython model
 */
public ConstructorFunction(String classname, Environment env, Template template)
        throws TemplateException {
    this.env = env;
    cl = env.getNewBuiltinClassResolver().resolve(classname, env, template);

    // Only TemplateModel implementations may be created from a template.
    final boolean isTemplateModel = TemplateModel.class.isAssignableFrom(cl);
    if (!isTemplateModel) {
        throw new _MiscTemplateException(NewBI.this, env,
                "Class ", cl.getName(), " does not implement freemarker.template.TemplateModel");
    }

    // Bean wrappers are refused even though they are TemplateModels.
    final boolean isBeanModel = BeanModel.class.isAssignableFrom(cl);
    if (isBeanModel) {
        throw new _MiscTemplateException(NewBI.this, env,
                "Bean Models cannot be instantiated using the ?", key, " built-in");
    }

    // JYTHON_MODEL_CLASS may be null (presumably when Jython is unavailable -- confirm),
    // in which case this check is skipped.
    final boolean isJythonModel =
            JYTHON_MODEL_CLASS != null && JYTHON_MODEL_CLASS.isAssignableFrom(cl);
    if (isJythonModel) {
        throw new _MiscTemplateException(NewBI.this, env,
                "Jython Models cannot be instantiated using the ?", key, " built-in");
    }
}
/**
 * Resolves a class for the {@code ?new} built-in, applying a looser policy to trusted
 * templates and an explicit allowlist to all others.
 *
 * <p>A template counts as trusted when its name is non-null and is either contained in
 * {@code trustedTemplateNames} or accepted by {@code hasMatchingPrefix}. Trusted templates are
 * delegated to {@code SAFER_RESOLVER}; every other template may only resolve names contained
 * in {@code allowedClasses}.
 *
 * <p>NOTE(review): trust is keyed on the template's name, so it relies on untrusted authors
 * being unable to store templates under a trusted name or prefix -- confirm against the
 * template loader in use.
 *
 * @param className class name requested by the template
 * @param env       environment attached to any error raised
 * @param template  template issuing the request; its name drives the trust decision
 * @return the resolved class
 * @throws TemplateException if the class is not allowed for this template or cannot be found
 */
public Class resolve(String className, Environment env, Template template)
        throws TemplateException {
    final String templateName = safeGetTemplateName(template);
    final boolean trusted = templateName != null
            && (trustedTemplateNames.contains(templateName) || hasMatchingPrefix(templateName));

    if (trusted) {
        return TemplateClassResolver.SAFER_RESOLVER.resolve(className, env, template);
    }

    if (allowedClasses.contains(className)) {
        try {
            return ClassUtil.forName(className);
        } catch (ClassNotFoundException e) {
            throw new TemplateException(e, env);
        }
    }

    // Untrusted template asking for a class outside the allowlist.
    final String refusal = "Instantiating " + className + " is not allowed in the "
            + "template for security reasons. (If you meet this problem "
            + "when using ?new in a template, you may want to look "
            + "at the \"" + Configurable.NEW_BUILTIN_CLASS_RESOLVER_KEY
            + "\" setting in the FreeMarker configuration.)";
    throw new TemplateException(refusal, env);
}
/**
 * Resolves a class for the {@code ?new} built-in, applying a looser policy to trusted
 * templates and an explicit allowlist to all others.
 *
 * <p>A template counts as trusted when its name is non-null and is either contained in
 * {@code trustedTemplateNames} or accepted by {@code hasMatchingPrefix}. Trusted templates are
 * delegated to {@code SAFER_RESOLVER}; every other template may only resolve names contained
 * in {@code allowedClasses}.
 *
 * <p>NOTE(review): trust is keyed on the template's name, so it relies on untrusted authors
 * being unable to store templates under a trusted name or prefix -- confirm against the
 * template loader in use.
 *
 * @param className class name requested by the template
 * @param env       environment attached to any error raised
 * @param template  template issuing the request; its name drives the trust decision
 * @return the resolved class
 * @throws TemplateException if the class is not allowed for this template or cannot be found
 */
public Class resolve(String className, Environment env, Template template)
        throws TemplateException {
    final String templateName = safeGetTemplateName(template);
    final boolean trusted = templateName != null
            && (trustedTemplateNames.contains(templateName) || hasMatchingPrefix(templateName));

    if (trusted) {
        return TemplateClassResolver.SAFER_RESOLVER.resolve(className, env, template);
    }

    if (allowedClasses.contains(className)) {
        try {
            return ClassUtil.forName(className);
        } catch (ClassNotFoundException e) {
            throw new _MiscTemplateException(e, env);
        }
    }

    // Untrusted template asking for a class outside the allowlist.
    throw new _MiscTemplateException(env,
            "Instantiating ", className,
            " is not allowed in the template for security reasons. (If you "
                    + "run into this problem when using ?new in a template, you may want to check the \"",
            Configurable.NEW_BUILTIN_CLASS_RESOLVER_KEY,
            "\" setting in the FreeMarker configuration.)");
}
/**
 * Resolves a class for the {@code ?new} built-in, applying a looser policy to trusted
 * templates and an explicit allowlist to all others.
 *
 * <p>A template counts as trusted when its name is non-null and is either contained in
 * {@code trustedTemplateNames} or accepted by {@code hasMatchingPrefix}. Trusted templates are
 * delegated to {@code SAFER_RESOLVER}; every other template may only resolve names contained
 * in {@code allowedClasses}.
 *
 * <p>NOTE(review): trust is keyed on the template's name, so it relies on untrusted authors
 * being unable to store templates under a trusted name or prefix -- confirm against the
 * template loader in use.
 *
 * @param className class name requested by the template
 * @param env       environment attached to any error raised
 * @param template  template issuing the request; its name drives the trust decision
 * @return the resolved class
 * @throws TemplateException if the class is not allowed for this template or cannot be found
 */
public Class resolve(String className, Environment env, Template template)
        throws TemplateException {
    final String templateName = safeGetTemplateName(template);
    final boolean trusted = templateName != null
            && (trustedTemplateNames.contains(templateName) || hasMatchingPrefix(templateName));

    if (trusted) {
        return TemplateClassResolver.SAFER_RESOLVER.resolve(className, env, template);
    }

    if (allowedClasses.contains(className)) {
        try {
            return ClassUtil.forName(className);
        } catch (ClassNotFoundException e) {
            throw new _MiscTemplateException(e, env);
        }
    }

    // Untrusted template asking for a class outside the allowlist.
    throw new _MiscTemplateException(env,
            "Instantiating ", className,
            " is not allowed in the template for security reasons. (If you "
                    + "run into this problem when using ?new in a template, you may want to check the \"",
            Configurable.NEW_BUILTIN_CLASS_RESOLVER_KEY,
            "\" setting in the FreeMarker configuration.)");
}