[
https://issues.apache.org/jira/browse/UNOMI-945?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Serge Huber updated UNOMI-945:
------------------------------
Description:
h2. Problem
In ContextJsonEndpoint.sanitizeValue(), when a condition parameter is a list,
the code creates a clean copy (newValues) but returns the original list
(values).
So bad values inside lists (like parameter::… or script::…) are not removed.
Code location :
https://github.com/apache/unomi/blob/31fe93e4f0e79abe7d223d8d76dcd2ea437d3ab7/rest/src/main/java/org/apache/unomi/rest/endpoints/ContextJsonEndpoint.java#L361
{code:java} return values; // wrong — should be: return newValues; {code}
h2. Impact
This affects /context.json when personalization sanitization is on (default
setting).
Filters with list parameters can pass even when they contain unsafe values.
Simple string parameters work correctly.
h2. Fix
Change the return to newValues. Add a test with a list that contains a
disallowed value.
was:
Here, the code should likely return "newValues":
https://github.com/apache/unomi/blob/31fe93e4f0e79abe7d223d8d76dcd2ea437d3ab7/rest/src/main/java/org/apache/unomi/rest/endpoints/ContextJsonEndpoint.java#L361
> Small bug in context.json endpoint
> ----------------------------------
>
> Key: UNOMI-945
> URL: https://issues.apache.org/jira/browse/UNOMI-945
> Project: Apache Unomi
> Issue Type: Bug
> Affects Versions: unomi-3.0.0
> Reporter: Romain Gauthier
> Priority: Minor
> Time Spent: 20m
> Remaining Estimate: 0h
>
> h2. Problem
> In ContextJsonEndpoint.sanitizeValue(), when a condition parameter is a list,
> the code creates a clean copy (newValues) but returns the original list
> (values).
> So bad values inside lists (like parameter::… or script::…) are not removed.
> Code location :
> https://github.com/apache/unomi/blob/31fe93e4f0e79abe7d223d8d76dcd2ea437d3ab7/rest/src/main/java/org/apache/unomi/rest/endpoints/ContextJsonEndpoint.java#L361
> {code:java} return values; // wrong — should be: return newValues; {code}
> h2. Impact
> This affects /context.json when personalization sanitization is on (default
> setting).
> Filters with list parameters can pass even when they contain unsafe values.
> Simple string parameters work correctly.
> h2. Fix
> Change the return to newValues. Add a test with a list that contains a
> disallowed value.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)