This is an automated email from the ASF dual-hosted git repository.

sergehuber pushed a commit to branch UNOMI-945-3.0.x-fix-it
in repository https://gitbox.apache.org/repos/asf/unomi.git

commit d445ad6d79f1e5fdb75a27a59f3b2be3e5f649db
Author: Serge Huber <[email protected]>
AuthorDate: Mon Jun 29 17:36:10 2026 +0200

    UNOMI-945: Add IT for list-based context filter script sanitization
    
    Cover propertyValues list payloads that mix safe values with script::
    entries; assert the exploit file is not created.
---
 .../org/apache/unomi/itests/ContextServletIT.java  | 20 +++++++++++++++++++
 .../test/resources/security/mvel-payload-list.json | 23 ++++++++++++++++++++++
 2 files changed, 43 insertions(+)

diff --git a/itests/src/test/java/org/apache/unomi/itests/ContextServletIT.java 
b/itests/src/test/java/org/apache/unomi/itests/ContextServletIT.java
index 7014ec66e..fa51b228b 100644
--- a/itests/src/test/java/org/apache/unomi/itests/ContextServletIT.java
+++ b/itests/src/test/java/org/apache/unomi/itests/ContextServletIT.java
@@ -491,6 +491,26 @@ public class ContextServletIT extends BaseIT {
                 exists -> exists == Boolean.FALSE, DEFAULT_TRYING_TIMEOUT, 
DEFAULT_TRYING_TRIES);
     }
 
+    @Test
+    public void testMVELVulnerabilityWithListPropertyValues() throws Exception 
{
+        File vulnFile = new File("target/vuln-file-list.txt");
+        if (vulnFile.exists()) {
+            vulnFile.delete();
+        }
+        String vulnFileCanonicalPath = vulnFile.getCanonicalPath();
+        vulnFileCanonicalPath = vulnFileCanonicalPath.replace("\\", "\\\\"); 
// this is required for Windows support
+
+        Map<String, String> parameters = new HashMap<>();
+        parameters.put("VULN_FILE_PATH", vulnFileCanonicalPath);
+        HttpPost request = new HttpPost(getFullUrl(CONTEXT_URL));
+        request.setEntity(
+                new 
StringEntity(getValidatedBundleJSON("security/mvel-payload-list.json", 
parameters), ContentType.APPLICATION_JSON));
+        TestUtils.executeContextJSONRequest(request);
+
+        shouldBeTrueUntilEnd("Vulnerability successfully executed ! File 
created at " + vulnFileCanonicalPath, vulnFile::exists,
+                exists -> exists == Boolean.FALSE, DEFAULT_TRYING_TIMEOUT, 
DEFAULT_TRYING_TRIES);
+    }
+
     @Test
     public void testPersonalization() throws Exception {
 
diff --git a/itests/src/test/resources/security/mvel-payload-list.json 
b/itests/src/test/resources/security/mvel-payload-list.json
new file mode 100644
index 000000000..bfc6ff8f8
--- /dev/null
+++ b/itests/src/test/resources/security/mvel-payload-list.json
@@ -0,0 +1,23 @@
+{
+  "filters": [
+    {
+      "id": "filter1",
+      "filters": [
+        {
+          "condition": {
+            "parameterValues": {
+              "propertyName": "firstName",
+              "comparisonOperator": "equals",
+              "propertyValues": [
+                "safe-value",
+                "script::Runtime r = Runtime.getRuntime(); r.exec(\"touch 
###VULN_FILE_PATH###\");"
+              ]
+            },
+            "type": "profilePropertyCondition"
+          }
+        }
+      ]
+    }
+  ],
+  "sessionId": "demo-session-id"
+}

Reply via email to