[ 
https://issues.apache.org/jira/browse/UNOMI-945?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Serge Huber updated UNOMI-945:
------------------------------
    Description: 
h2. Problem

In ContextJsonEndpoint.sanitizeValue(), when a condition parameter is a list, 
the code creates a clean copy (newValues) but returns the original list 
(values).

So bad values inside lists (like parameter::… or script::…) are not removed.

Code location : 
https://github.com/apache/unomi/blob/31fe93e4f0e79abe7d223d8d76dcd2ea437d3ab7/rest/src/main/java/org/apache/unomi/rest/endpoints/ContextJsonEndpoint.java#L361

{code:java} return values; // wrong — should be: return newValues; {code}

h2. Impact

This affects /context.json when personalization sanitization is on (default 
setting).

Filters with list parameters can pass even when they contain unsafe values. 
Simple string parameters work correctly.

h2. Fix

Change the return to newValues. Add a test with a list that contains a 
disallowed value.


  was:

Here, the code should likely return "newValues": 
https://github.com/apache/unomi/blob/31fe93e4f0e79abe7d223d8d76dcd2ea437d3ab7/rest/src/main/java/org/apache/unomi/rest/endpoints/ContextJsonEndpoint.java#L361


> Small bug in context.json endpoint
> ----------------------------------
>
>                 Key: UNOMI-945
>                 URL: https://issues.apache.org/jira/browse/UNOMI-945
>             Project: Apache Unomi
>          Issue Type: Bug
>    Affects Versions: unomi-3.0.0
>            Reporter: Romain Gauthier
>            Priority: Minor
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> h2. Problem
> In ContextJsonEndpoint.sanitizeValue(), when a condition parameter is a list, 
> the code creates a clean copy (newValues) but returns the original list 
> (values).
> So bad values inside lists (like parameter::… or script::…) are not removed.
> Code location : 
> https://github.com/apache/unomi/blob/31fe93e4f0e79abe7d223d8d76dcd2ea437d3ab7/rest/src/main/java/org/apache/unomi/rest/endpoints/ContextJsonEndpoint.java#L361
> {code:java} return values; // wrong — should be: return newValues; {code}
> h2. Impact
> This affects /context.json when personalization sanitization is on (default 
> setting).
> Filters with list parameters can pass even when they contain unsafe values. 
> Simple string parameters work correctly.
> h2. Fix
> Change the return to newValues. Add a test with a list that contains a 
> disallowed value.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to