This is an automated email from the ASF dual-hosted git repository.

sergehuber pushed a commit to branch UNOMI-945-3.0.x-fix-it
in repository https://gitbox.apache.org/repos/asf/unomi.git

commit b13429c2f250f07a49df70d4d433517bc4546851
Author: Serge Huber <[email protected]>
AuthorDate: Mon Jun 29 17:36:09 2026 +0200

    UNOMI-945: Apply sanitized parameter values in sanitizeCondition()
    
    sanitizeCondition() computed filtered parameter values but stored the
    original entries and never applied them back onto the Condition. Mixed
    safe/script:: list parameters kept malicious entries in the evaluated
    condition even after sanitizeValue() filtered the list.
---
 .../main/java/org/apache/unomi/rest/endpoints/ContextJsonEndpoint.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git 
a/rest/src/main/java/org/apache/unomi/rest/endpoints/ContextJsonEndpoint.java 
b/rest/src/main/java/org/apache/unomi/rest/endpoints/ContextJsonEndpoint.java
index 099926c75..39eca1220 100644
--- 
a/rest/src/main/java/org/apache/unomi/rest/endpoints/ContextJsonEndpoint.java
+++ 
b/rest/src/main/java/org/apache/unomi/rest/endpoints/ContextJsonEndpoint.java
@@ -331,11 +331,12 @@ public class ContextJsonEndpoint {
         for (Map.Entry<String, Object> parameterEntry : 
condition.getParameterValues().entrySet()) {
             Object sanitizedValue = sanitizeValue(parameterEntry.getValue());
             if (sanitizedValue != null) {
-                newParameterValues.put(parameterEntry.getKey(), 
parameterEntry.getValue());
+                newParameterValues.put(parameterEntry.getKey(), 
sanitizedValue);
             } else {
                 return null;
             }
         }
+        condition.setParameterValues(newParameterValues);
         return condition;
     }
 

Reply via email to