ddekany commented on pull request #68: URL: https://github.com/apache/freemarker/pull/68#issuecomment-647012684
Depends on what kind of values you have in that `HashMap`. If they are maps/lists/strings/numbers/booleans/dates, then it should be safe as far as the model is concerned. (Normally, if you don't intend to expose POJOs, you should set `config.objectWrapper` to a `SimpleObjectWrapper`.) Also note that `.locale_object` is a POJO that's always exposed, though I'm not aware of attack vectors there, assuming FreeMarker is up to date (or has a properly restricting `ObjectWrapper`).

Other than that, `TemplateLoader`s can be a problem, as they are accessible through `#include`/`#import`, and DoS attacks (see these in the linked FAQ entry).

As of your version, `Execute` can't be obtained since `?new` is disabled. But I guess you still prefer disabling these models, and then `ObjectConstructor` should be disabled as well.
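As an added illustration (not code from the PR or from the FreeMarker project), the following Java class builds a `Configuration` along the lines the comment describes: a `SimpleObjectWrapper` so only maps/lists/strings/numbers/booleans/dates are exposed, `TemplateClassResolver.ALLOWS_NOTHING` so `?new` can never produce `Execute`, `ObjectConstructor` or any other class, and a `StringTemplateLoader` so `#include`/`#import` can only reach templates registered in memory. The template names, template text, the `Pojo` class and the chosen `VERSION_2_3_28` are constructed for this example; the two `probe*` methods only show that the restrictions are enforced by returning whether FreeMarker rejected the template.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import freemarker.cache.StringTemplateLoader;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.SimpleObjectWrapper;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.TemplateExceptionHandler;

/** Hypothetical hardened-configuration demo; not part of apache/freemarker. */
public class RestrictedFreeMarkerDemo {

    /** A stand-in for an arbitrary application object that must never reach templates. */
    static class Pojo {
        public String getSecret() { return "should-not-be-readable"; }
    }

    /** Builds a Configuration that exposes plain data only and blocks ?new. */
    public static Configuration buildRestrictedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_28);

        // Only standard data types are wrapped. A POJO stored in the model is not
        // silently exposed: the first template access to it fails with a TemplateException.
        cfg.setObjectWrapper(new SimpleObjectWrapper(Configuration.VERSION_2_3_28));

        // ?new is refused for every class, so neither Execute nor ObjectConstructor
        // (nor any other TemplateModel implementation) can be instantiated from template text.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING);

        // Keep ?api off (the default); it would unwrap models back to Java objects.
        cfg.setAPIBuiltinEnabled(false);

        // #include / #import resolve only against this in-memory registry, so no file
        // system or classpath location is reachable through the loader.
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate("header.ftl", "== ${title} ==\n");                               // constructed
        loader.putTemplate("greeting.ftl",
                "<#include \"header.ftl\">Hello ${name}! You have ${items?size} item(s)."); // constructed
        loader.putTemplate("probe-new.ftl", "<#assign x = \"java.lang.Object\"?new()>");    // constructed
        loader.putTemplate("probe-pojo.ftl", "${pojo.secret}");                             // constructed
        cfg.setTemplateLoader(loader);

        cfg.setDefaultEncoding("UTF-8");
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
        return cfg;
    }

    /** Renders a registered template against a plain-data model. */
    public static String render(Configuration cfg, String templateName, Map<String, Object> model)
            throws IOException, TemplateException {
        Template template = cfg.getTemplate(templateName);
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    /** True when the configuration rejects any use of ?new (expected with ALLOWS_NOTHING). */
    public static boolean probeNewBuiltinBlocked(Configuration cfg) throws IOException {
        try {
            render(cfg, "probe-new.ftl", new HashMap<>());
            return false;
        } catch (TemplateException expected) {
            return true;
        }
    }

    /** True when a POJO placed in the model cannot be read by a template (expected with SimpleObjectWrapper). */
    public static boolean probePojoBlocked(Configuration cfg) throws IOException {
        Map<String, Object> model = new HashMap<>();
        model.put("pojo", new Pojo());
        try {
            render(cfg, "probe-pojo.ftl", model);
            return false;
        } catch (TemplateException expected) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = buildRestrictedConfiguration();

        Map<String, Object> model = new HashMap<>();   // constructed sample model
        model.put("title", "Report");
        model.put("name", "Alice");
        model.put("items", Arrays.asList("a", "b"));
        System.out.println(render(cfg, "greeting.ftl", model));

        System.out.println("?new blocked: " + probeNewBuiltinBlocked(cfg));
        System.out.println("POJO blocked: " + probePojoBlocked(cfg));
    }
}
```

The `StringTemplateLoader` is the part that addresses the `#include`/`#import` concern: whatever a template author writes in those directives, the loader can only hand back names that the application registered. If templates must come from disk, the same principle applies with a `FileTemplateLoader` rooted at a dedicated directory rather than a loader that can see the whole classpath.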
