From fcb8432aa77d5b2e147624fe954cb150c568e0b8 Mon Sep 17 00:00:00 2001
From: Maxim Thomas
Date: Tue, 23 Jul 2024 14:44:57 +0300
Subject: [PATCH] FIX GHSA-7726-43hg-m23v disable the resolution of commonly exploited classes in FreeMarker template injection

---
 .../org/forgerock/oauth2/core/RealmOAuth2ProviderSettings.java | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/openam-oauth2/src/main/java/org/forgerock/oauth2/core/RealmOAuth2ProviderSettings.java b/openam-oauth2/src/main/java/org/forgerock/oauth2/core/RealmOAuth2ProviderSettings.java
index 21aec56ba8..230a093680 100644
--- a/openam-oauth2/src/main/java/org/forgerock/oauth2/core/RealmOAuth2ProviderSettings.java
+++ b/openam-oauth2/src/main/java/org/forgerock/oauth2/core/RealmOAuth2ProviderSettings.java
@@ -13,6 +13,7 @@
  *
  * Copyright 2014-2016 ForgeRock AS.
  * Portions Copyrighted 2015 Nomura Research Institute, Ltd.
+ * Portions Copyrighted 2024 3A Systems LLC.
  */
 
 package org.forgerock.oauth2.core;
@@ -39,6 +40,7 @@
 import java.util.Map;
 import java.util.Set;
 
+import freemarker.core.TemplateClassResolver;
 import org.forgerock.guice.core.InjectorHolder;
 import org.forgerock.json.JsonValue;
 import org.forgerock.json.jose.jwk.KeyUse;
@@ -963,6 +965,7 @@ public Template getCustomLoginUrlTemplate() throws ServerException {
             if (loginUrlTemplateString != null) {
                 loginUrlTemplate = new Template("customLoginUrlTemplate", new StringReader(loginUrlTemplateString), new Configuration());
+                loginUrlTemplate.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
             }
             return loginUrlTemplate;
         } catch (SSOException | IOException | SMSException e) {
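Review bot: `TemplateClassResolver.SAFER_RESOLVER` only refuses `ObjectConstructor`, `Execute` and `JythonRuntime`; every other class on the classpath is still reachable through `?new` from the template, so the added line narrows the exploit surface rather than closing it. A login-URL template only needs to interpolate values, so the tighter setting is `loginUrlTemplate.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);`, and applying it to the `new Configuration()` before the `Template` is constructed (rather than to this one instance) would harden any other template built from that configuration as well. Whether `loginUrlTemplateString` is settable only by realm administrators or by less trusted principals is not visible in this hunk; if it is admin-only, a comment on the method stating that the template is trusted configuration and still sandboxed would help the next reader judge the residual risk. `getCustomLoginUrlTemplate` begins and ends outside the hunk.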