From ceb25744501d7d9dcf3325b4af5313d74cdfa443 Mon Sep 17 00:00:00 2001 From: jasmith-hs Date: Fri, 20 Mar 2026 11:25:06 -0400 Subject: [PATCH] Add a dot to the allowed jinjava packages to not allowlist packages with prefix --- .../jinjava/el/ext/AllowlistGroup.java | 4 +-- .../el/ext/BannedAllowlistOptions.java | 2 +- .../com/hubspot/jinjava/BaseJinjavaTest.java | 4 +-- .../ValidatorConfigBannedConstructsTest.java | 30 +++++++++++++++++++ 4 files changed, 35 insertions(+), 5 deletions(-) diff --git a/src/main/java/com/hubspot/jinjava/el/ext/AllowlistGroup.java b/src/main/java/com/hubspot/jinjava/el/ext/AllowlistGroup.java index 9d2fd1cb5..78d22c44b 100644 --- a/src/main/java/com/hubspot/jinjava/el/ext/AllowlistGroup.java +++ b/src/main/java/com/hubspot/jinjava/el/ext/AllowlistGroup.java @@ -143,7 +143,7 @@ String[] allowedDeclaredMethodsFromClasses() { } }, JinjavaFilters { - private static final String[] ARRAY = { Filter.class.getPackageName() }; + private static final String[] ARRAY = { Filter.class.getPackageName() + '.' }; @Override String[] allowedDeclaredMethodsFromCanonicalClassPrefixes() { @@ -169,7 +169,7 @@ String[] allowedReturnTypeClasses() { } }, JinjavaExpTests { - private static final String[] ARRAY = { ExpTest.class.getPackageName() }; + private static final String[] ARRAY = { ExpTest.class.getPackageName() + '.' }; @Override String[] allowedDeclaredMethodsFromCanonicalClassPrefixes() { diff --git a/src/main/java/com/hubspot/jinjava/el/ext/BannedAllowlistOptions.java b/src/main/java/com/hubspot/jinjava/el/ext/BannedAllowlistOptions.java index 0f5295ba7..6949f4933 100644 --- a/src/main/java/com/hubspot/jinjava/el/ext/BannedAllowlistOptions.java +++ b/src/main/java/com/hubspot/jinjava/el/ext/BannedAllowlistOptions.java 
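Review bot: The trailing `'.'` appended to `Filter.class.getPackageName()` in the `JinjavaFilters` group carries the entire security fix, yet nothing on that line says so, and a future cleanup could drop it as a stray character; a why-comment belongs next to it, e.g. `// Trailing '.' pins the prefix to the package boundary so "...lib.filter_evil.X" cannot match`. Because `JinjavaExpTests` builds its prefix the same way, a helper such as `private static String packagePrefix(Class<?> c) { return c.getPackageName() + '.'; }` would make the dot non-optional for any group added later. Note that `Class.getPackageName()` returns an empty string for the unnamed package, which would turn the prefix into `"."`; harmless for these two named-package classes, but worth stating in the helper's comment. The enum constant bodies continue past the end of the hunk.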
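Review bot: `ARRAY` in `JinjavaExpTests` is `static final` but a mutable `String[]`; if `allowedDeclaredMethodsFromCanonicalClassPrefixes()` (whose body lies outside this hunk) returns it directly, any caller that keeps the returned array can overwrite the allowlist prefix for every later validation, which would undo this fix at runtime. Returning a copy, `return ARRAY.clone();`, preserves the `String[]` interface and removes that write path, and the same applies to the `JinjavaFilters` constant. I cannot see the return statement from here, so confirm how the array is handed out before changing it.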
@@ -25,7 +25,7 @@ public class BannedAllowlistOptions { private static final Set ALLOWED_JINJAVA_PREFIXES = Stream .concat( - Stream.of("com.hubspot.jinjava.testobjects"), + Stream.of("com.hubspot.jinjava.testobjects."), Arrays .stream(AllowlistGroup.values()) .flatMap(g -> diff --git a/src/test/java/com/hubspot/jinjava/BaseJinjavaTest.java b/src/test/java/com/hubspot/jinjava/BaseJinjavaTest.java index c0c88e852..f7b3244a4 100644 --- a/src/test/java/com/hubspot/jinjava/BaseJinjavaTest.java +++ b/src/test/java/com/hubspot/jinjava/BaseJinjavaTest.java @@ -14,7 +14,7 @@ public abstract class BaseJinjavaTest { .builder() .addDefaultAllowlistGroups() .addAllowedDeclaredMethodsFromCanonicalClassPrefixes( - "com.hubspot.jinjava.testobjects" + "com.hubspot.jinjava.testobjects." ) .build() ); @@ -23,7 +23,7 @@ public abstract class BaseJinjavaTest { ReturnTypeValidatorConfig .builder() .addDefaultAllowlistGroups() - .addAllowedCanonicalClassPrefixes("com.hubspot.jinjava.testobjects") + .addAllowedCanonicalClassPrefixes("com.hubspot.jinjava.testobjects.") .build() ); public Jinjava jinjava; diff --git a/src/test/java/com/hubspot/jinjava/el/ext/ValidatorConfigBannedConstructsTest.java b/src/test/java/com/hubspot/jinjava/el/ext/ValidatorConfigBannedConstructsTest.java index 976271504..a22fbe017 100644 --- a/src/test/java/com/hubspot/jinjava/el/ext/ValidatorConfigBannedConstructsTest.java +++ b/src/test/java/com/hubspot/jinjava/el/ext/ValidatorConfigBannedConstructsTest.java @@ -4,6 +4,8 @@ import com.fasterxml.jackson.databind.ObjectMapper; import com.hubspot.jinjava.interpret.JinjavaInterpreter; +import com.hubspot.jinjava.lib.exptest.ExpTest; +import com.hubspot.jinjava.lib.filter.Filter; import java.lang.reflect.Method; import org.junit.Test; 
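Review bot: `ALLOWED_JINJAVA_PREFIXES` now mixes a hand-written literal, `"com.hubspot.jinjava.testobjects."`, with prefixes derived from `AllowlistGroup`, and nothing in the initializer records that every entry must end in `'.'`; a comment above `Stream.of(...)` would protect that invariant, e.g. `// Every prefix ends in '.' so a package name matches only its own tree, never a sibling such as "...testobjects_evil".` The same literal is duplicated in `BaseJinjavaTest`, so a shared public constant would keep the two copies from drifting if one side loses the dot again. The initializer continues past the end of the hunk, so I cannot see how the set is consulted and whether a bare, undotted prefix is now rejected or silently accepted.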
@@ -119,6 +121,34 @@ public void itRejectsJacksonDatabindPackageInAllowedDeclaredMethodPrefixes() { .hasMessageContaining("Banned classes or prefixes"); } + @Test + public void itRejectsEvilJinjavaFilterPathInAllowedDeclaredMethodPrefixes() { + assertThatThrownBy(() -> + MethodValidatorConfig + .builder() + .addAllowedDeclaredMethodsFromCanonicalClassPrefixes( + Filter.class.getPackageName() + "_evil" + ) + .build() + ) + .isInstanceOf(IllegalStateException.class) + .hasMessageContaining("Banned classes or prefixes"); + } + + @Test + public void itRejectsEvilJinjavaExptestPathInAllowedDeclaredMethodPrefixes() { + assertThatThrownBy(() -> + MethodValidatorConfig + .builder() + .addAllowedDeclaredMethodsFromCanonicalClassPrefixes( + ExpTest.class.getPackageName() + "_evil" + ) + .build() + ) + .isInstanceOf(IllegalStateException.class) + .hasMessageContaining("Banned classes or prefixes"); + } + // ReturnTypeValidatorConfig: allowedCanonicalClassNames() path @Test
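Review bot: The two new tests cover only the `MethodValidatorConfig` path and only the `Filter` and `ExpTest` packages; the third prefix this commit changed, `com.hubspot.jinjava.testobjects.` in `BannedAllowlistOptions`, and the `ReturnTypeValidatorConfig.addAllowedCanonicalClassPrefixes(...)` path switched in `BaseJinjavaTest` get no sibling-package regression test. Assuming the testobjects prefix is enforced through the same allowed-prefix set, a copy of `itRejectsEvilJinjavaFilterPathInAllowedDeclaredMethodPrefixes` with `"com.hubspot.jinjava.testobjects_evil"` as the argument would close the first gap, and a counterpart on `ReturnTypeValidatorConfig.builder().addAllowedCanonicalClassPrefixes(...)` the second. There is also no positive check that the legitimate dotted prefix, `Filter.class.getPackageName() + "."`, still builds without throwing, which is what would catch an accidental drift toward exact-match semantics. The enclosing test class continues past the hunk.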