adding a AllowListforFreemarker

nihussmann · nihussmann · commit efa60964613d · 2025-11-10T14:49:44.000+01:00
diff --git a/src/main/groovy/com/cloudogu/gitops/utils/AllowlistFreemarkerObjectWrapper.groovy b/src/main/groovy/com/cloudogu/gitops/utils/AllowlistFreemarkerObjectWrapper.groovy
@@ -0,0 +1,40 @@
+package com.cloudogu.gitops.utils
+
+import freemarker.template.DefaultObjectWrapper
+import freemarker.template.TemplateHashModel
+import freemarker.template.TemplateModel
+import freemarker.template.TemplateModelException
+import freemarker.template.Version
+
+
+class AllowlistFreemarkerObjectWrapper extends DefaultObjectWrapper {
+
+    private Set<String> allowlist = []
+
+    AllowlistFreemarkerObjectWrapper(Version freemarkerVersion, Set<String> allowlist) {
+        super(freemarkerVersion)
+        this.allowlist = allowlist
+    }
+
+    @Override
+    public TemplateHashModel getStaticModels() {
+        // Hole alle statischen Modelle
+        TemplateHashModel staticModels = super.getStaticModels()
+
+        // Filtere die Modelle basierend auf der Allowlist
+        return new TemplateHashModel() {
+            @Override
+            TemplateModel get(String key) throws TemplateModelException {
+                if (allowlist.contains(key)) {
+                    return staticModels.get(key)
+                }
+                return null
+            }
+
+            @Override
+            boolean isEmpty() throws TemplateModelException {
+                return allowlist.isEmpty()
+            }
+        }
+    }
+}
diff --git a/src/test/groovy/com/cloudogu/gitops/utils/AllowlistFreemarkerObjectWrapperTest.groovy b/src/test/groovy/com/cloudogu/gitops/utils/AllowlistFreemarkerObjectWrapperTest.groovy
@@ -0,0 +1,33 @@
+package com.cloudogu.gitops.utils
+
+import freemarker.template.Configuration
+import org.junit.jupiter.api.Test
+
+import static org.junit.jupiter.api.Assertions.*
+
+class AllowlistFreemarkerObjectWrapperTest {
+
+    @Test
+    void 'should allow access to whitelisted static models'() {
+        def wrapper = new AllowlistFreemarkerObjectWrapper(Configuration.VERSION_2_3_32, ["java.lang.String"] as Set)
+        def staticModels = wrapper.getStaticModels()
+
+        assertNotNull(staticModels.get("java.lang.String"))
+    }
+
+    @Test
+    void 'should deny access to non-whitelisted static models'() {
+        def wrapper = new AllowlistFreemarkerObjectWrapper(Configuration.VERSION_2_3_32, ["java.lang.String"] as Set)
+        def staticModels = wrapper.getStaticModels()
+
+        assertNull(staticModels.get("java.lang.Integer"))
+    }
+
+    @Test
+    void 'should return true for isEmpty when allowlist is empty'() {
+        def wrapper = new AllowlistFreemarkerObjectWrapper(Configuration.VERSION_2_3_32, [] as Set)
+        def staticModels = wrapper.getStaticModels()
+
+        assertTrue(staticModels.isEmpty())
+    }
+}
