This is an automated email from the ASF dual-hosted git repository. sergehuber pushed a commit to branch UNOMI-945-3.0.x-fix-it in repository https://gitbox.apache.org/repos/asf/unomi.git
commit d445ad6d79f1e5fdb75a27a59f3b2be3e5f649db Author: Serge Huber <[email protected]> AuthorDate: Mon Jun 29 17:36:10 2026 +0200 UNOMI-945: Add IT for list-based context filter script sanitization Cover propertyValues list payloads that mix safe values with script:: entries; assert the exploit file is not created. --- .../org/apache/unomi/itests/ContextServletIT.java | 20 +++++++++++++++++++ .../test/resources/security/mvel-payload-list.json | 23 ++++++++++++++++++++++ 2 files changed, 43 insertions(+) diff --git a/itests/src/test/java/org/apache/unomi/itests/ContextServletIT.java b/itests/src/test/java/org/apache/unomi/itests/ContextServletIT.java index 7014ec66e..fa51b228b 100644 --- a/itests/src/test/java/org/apache/unomi/itests/ContextServletIT.java +++ b/itests/src/test/java/org/apache/unomi/itests/ContextServletIT.java @@ -491,6 +491,26 @@ public class ContextServletIT extends BaseIT { exists -> exists == Boolean.FALSE, DEFAULT_TRYING_TIMEOUT, DEFAULT_TRYING_TRIES); } + @Test + public void testMVELVulnerabilityWithListPropertyValues() throws Exception { + File vulnFile = new File("target/vuln-file-list.txt"); + if (vulnFile.exists()) { + vulnFile.delete(); + } + String vulnFileCanonicalPath = vulnFile.getCanonicalPath(); + vulnFileCanonicalPath = vulnFileCanonicalPath.replace("\\", "\\\\"); // this is required for Windows support + + Map<String, String> parameters = new HashMap<>(); + parameters.put("VULN_FILE_PATH", vulnFileCanonicalPath); + HttpPost request = new HttpPost(getFullUrl(CONTEXT_URL)); + request.setEntity( + new StringEntity(getValidatedBundleJSON("security/mvel-payload-list.json", parameters), ContentType.APPLICATION_JSON)); + TestUtils.executeContextJSONRequest(request); + + shouldBeTrueUntilEnd("Vulnerability successfully executed ! File created at " + vulnFileCanonicalPath, vulnFile::exists, + exists -> exists == Boolean.FALSE, DEFAULT_TRYING_TIMEOUT, DEFAULT_TRYING_TRIES); + } + @Test public void testPersonalization() throws Exception { diff --git a/itests/src/test/resources/security/mvel-payload-list.json b/itests/src/test/resources/security/mvel-payload-list.json new file mode 100644 index 000000000..bfc6ff8f8 --- /dev/null +++ b/itests/src/test/resources/security/mvel-payload-list.json @@ -0,0 +1,23 @@ +{ + "filters": [ + { + "id": "filter1", + "filters": [ + { + "condition": { + "parameterValues": { + "propertyName": "firstName", + "comparisonOperator": "equals", + "propertyValues": [ + "safe-value", + "script::Runtime r = Runtime.getRuntime(); r.exec(\"touch ###VULN_FILE_PATH###\");" + ] + }, + "type": "profilePropertyCondition" + } + } + ] + } + ], + "sessionId": "demo-session-id" +}
