adding whitelist for freemarker in content templates

Author: nihussmann

src/main/groovy/com/cloudogu/gitops/config/Config.groovy

@@ -104,6 +104,22 @@ class Config {
         @JsonPropertyDescription(CONTENT_VARIABLES_DESCRIPTION)
         Map<String, Object> variables = [:]
 
+        @Option(names = ['--content-whitelist'], description = CONTENT_STATICSWHITELIST_ENABLED_DESCRIPTION)
+        @JsonPropertyDescription(CONTENT_STATICSWHITELIST_ENABLED_DESCRIPTION)
+        Boolean useWhitelist = false
+
+        @JsonPropertyDescription(CONTENT_STATICSWHITELIST_DESCRIPTION)
+        Set<String> allowedStaticsWhitelist = [
+                'java.lang.String',
+                'java.lang.Integer',
+                'java.lang.Long',
+                'java.lang.Double',
+                'java.lang.Float',
+                'java.lang.Boolean',
+                'java.lang.Math',
+                'com.cloudogu.gitops.utils.DockerImageParser'
+        ] as Set<String>
+
         static class ContentRepositorySchema {
             static final String DEFAULT_PATH = '.'
             // This is controversial. Forcing users to explicitly choose a type requires them to understand the concept

src/main/groovy/com/cloudogu/gitops/config/ConfigConstants.groovy

@@ -43,6 +43,8 @@ interface ConfigConstants {
     String CONTENT_REPO_TARGET_OVERWRITE_MODE_DESCRIPTION = "This defines, how customer repos will be updated.\nINIT - push only if repo does not exist.\nRESET - delete all files after cloning source - files not in content are deleted\nUPGRADE - clone and copy - existing files will be overwritten, files not in content are kept. For type: MIRROR reset and upgrade have same result: in both cases source repo will be force pushed to target repo."
     String CONTENT_REPO_CREATE_JENKINS_JOB_DESCRIPTION = "If true, creates a Jenkins job, if jenkinsfile exists in one of the content repo's branches."
     String CONTENT_VARIABLES_DESCRIPTION = "Additional variables to use in custom templates."
+    String CONTENT_STATICSWHITELIST_ENABLED_DESCRIPTION = 'Enables the whitelist for statics in content templating'
+    String CONTENT_STATICSWHITELIST_DESCRIPTION = 'Whitelist for Statics freemarker is allowing in user templates'
 
     // group jenkins
     String JENKINS_ENABLE_DESCRIPTION = 'Installs Jenkins as CI server'

src/main/groovy/com/cloudogu/gitops/features/Content.groovy

@@ -6,6 +6,7 @@ import com.cloudogu.gitops.config.Config.OverwriteMode
 import com.cloudogu.gitops.scmm.ScmmRepo
 import com.cloudogu.gitops.scmm.ScmmRepoProvider
 import com.cloudogu.gitops.scmm.api.ScmmApiClient
+import com.cloudogu.gitops.utils.AllowListFreemarkerObjectWrapper
 import com.cloudogu.gitops.utils.FileSystemUtils
 import com.cloudogu.gitops.utils.K8sClient
 import com.cloudogu.gitops.utils.TemplatingEngine
@@ -234,7 +235,8 @@ class Content extends Feature {
             engine.replaceTemplates(srcPath, [
                     config : config,
                     // Allow for using static classes inside the templates
-                    statics: new DefaultObjectWrapperBuilder(Configuration.VERSION_2_3_32).build().getStaticModels()
+                    statics: !config.content.useWhitelist ? new DefaultObjectWrapperBuilder(Configuration.VERSION_2_3_32).build().getStaticModels() :
+                            new AllowListFreemarkerObjectWrapper(Configuration.VERSION_2_3_32, config.content.getAllowedStaticsWhitelist()).getStaticModels()
             ])
         }
     }

src/main/groovy/com/cloudogu/gitops/utils/AllowListFreemarkerObjectWrapper.groovy

@@ -0,0 +1,33 @@
+package com.cloudogu.gitops.utils
+
+import freemarker.template.*
+
+class AllowListFreemarkerObjectWrapper extends DefaultObjectWrapper {
+
+    Set<String> allowlist
+
+    AllowListFreemarkerObjectWrapper(Version freemarkerVersion, Set<String> allowlist) {
+        super(freemarkerVersion)
+        this.allowlist = allowlist
+    }
+
+    TemplateHashModel getStaticModels() {
+        final TemplateHashModel originalStaticModels = super.getStaticModels()
+        final Set<String> allowlistCopy = this.allowlist
+
+        return new TemplateHashModel() {
+            @Override
+            TemplateModel get(String key) throws TemplateModelException {
+                if (allowlistCopy.contains(key)) {
+                    return originalStaticModels.get(key)
+                }
+                return null
+            }
+
+            @Override
+            boolean isEmpty() throws TemplateModelException {
+                return allowlistCopy.isEmpty()
+            }
+        }
+    }
+}

src/main/groovy/com/cloudogu/gitops/utils/AllowlistFreemarkerObjectWrapper.groovy

@@ -7,27 +7,75 @@ import static org.junit.jupiter.api.Assertions.*
 
 class AllowlistFreemarkerObjectWrapperTest {
 
+
     @Test
     void 'should allow access to whitelisted static models'() {
-        def wrapper = new AllowlistFreemarkerObjectWrapper(Configuration.VERSION_2_3_32, ["java.lang.String"] as Set)
+        def wrapper = new AllowListFreemarkerObjectWrapper(Configuration.VERSION_2_3_32, ["com.cloudogu.gitops.utils.DockerImageParser"] as Set)
         def staticModels = wrapper.getStaticModels()
 
-        assertNotNull(staticModels.get("java.lang.String"))
+        assertNotNull(staticModels.get("com.cloudogu.gitops.utils.DockerImageParser"))
+        assertNull(staticModels.get("java.lang.Integer"))
+        assertNull(staticModels.get("java.lang.String"))
     }
 
     @Test
     void 'should deny access to non-whitelisted static models'() {
-        def wrapper = new AllowlistFreemarkerObjectWrapper(Configuration.VERSION_2_3_32, ["java.lang.String"] as Set)
+        def wrapper = new AllowListFreemarkerObjectWrapper(Configuration.VERSION_2_3_32, ["java.lang.String"] as Set)
         def staticModels = wrapper.getStaticModels()
 
         assertNull(staticModels.get("java.lang.Integer"))
+        assertNotNull(staticModels.get("java.lang.String"))
+        assertNull(staticModels.get("com.cloudogu.gitops.utils.DockerImageParser"))
     }
 
     @Test
     void 'should return true for isEmpty when allowlist is empty'() {
-        def wrapper = new AllowlistFreemarkerObjectWrapper(Configuration.VERSION_2_3_32, [] as Set)
+        def wrapper = new AllowListFreemarkerObjectWrapper(Configuration.VERSION_2_3_32, [] as Set)
         def staticModels = wrapper.getStaticModels()
 
         assertTrue(staticModels.isEmpty())
     }
+
+    @Test
+    void 'templating only works for whitelisted statics'() {
+        def templateText = '''
+     <#assign DockerImageParser=statics['com.cloudogu.gitops.utils.DockerImageParser']>
+    <#assign imageObject = DockerImageParser.parse('test:latest')>
+  <#assign staticsTests=statics['System']>
+  <#assign imageObject = staticsTests.exit()>
+    '''.stripIndent()
+
+        def model = [
+                statics: new AllowListFreemarkerObjectWrapper(Configuration.VERSION_2_3_32, ['com.cloudogu.gitops.utils.DockerImageParser'] as Set).getStaticModels()
+        ] as Map<String, Object>
+        // create a temporary file to simulate an actual file input
+        def tempInputFile = File.createTempFile("test", ".ftl.yaml")
+        tempInputFile.text = templateText
+
+        def exception = assertThrows(freemarker.core.InvalidReferenceException) {
+            new TemplatingEngine().replaceTemplates(tempInputFile, model)
+        }
+
+        assert exception.message.contains("System") : "Exception message should mention 'System'"
+    }
+
+    @Test
+    void 'templating in ftl files works correctly with whitelisted static models'() {
+        def templateText = '''
+<#assign DockerImageParser=statics['com.cloudogu.gitops.utils.DockerImageParser']>
+<#assign imageObject = DockerImageParser.parse('test:latest')>
+<#assign staticsTests=statics['java.lang.Math']>
+<#assign number = staticsTests.round(3.14)>
+    '''.stripIndent()
+
+        def model = [
+                statics: new AllowListFreemarkerObjectWrapper(Configuration.VERSION_2_3_32, ['java.lang.Math', 'com.cloudogu.gitops.utils.DockerImageParser'] as Set).getStaticModels()
+        ] as Map<String, Object>
+        // create a temporary file to simulate an actual file input
+        def tempInputFile = File.createTempFile("test", ".ftl.yaml")
+        tempInputFile.text = templateText
+
+        new TemplatingEngine().replaceTemplates(tempInputFile, model)
+
+    }
 }