This is an automated email from the ASF dual-hosted git repository. sergehuber pushed a commit to branch UNOMI-945-3.0.x-fix-it in repository https://gitbox.apache.org/repos/asf/unomi.git
commit b13429c2f250f07a49df70d4d433517bc4546851 Author: Serge Huber <[email protected]> AuthorDate: Mon Jun 29 17:36:09 2026 +0200 UNOMI-945: Apply sanitized parameter values in sanitizeCondition() sanitizeCondition() computed filtered parameter values but stored the original entries and never applied them back onto the Condition. Mixed safe/script:: list parameters kept malicious entries in the evaluated condition even after sanitizeValue() filtered the list. --- .../main/java/org/apache/unomi/rest/endpoints/ContextJsonEndpoint.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rest/src/main/java/org/apache/unomi/rest/endpoints/ContextJsonEndpoint.java b/rest/src/main/java/org/apache/unomi/rest/endpoints/ContextJsonEndpoint.java index 099926c75..39eca1220 100644 --- a/rest/src/main/java/org/apache/unomi/rest/endpoints/ContextJsonEndpoint.java +++ b/rest/src/main/java/org/apache/unomi/rest/endpoints/ContextJsonEndpoint.java @@ -331,11 +331,12 @@ public class ContextJsonEndpoint { for (Map.Entry<String, Object> parameterEntry : condition.getParameterValues().entrySet()) { Object sanitizedValue = sanitizeValue(parameterEntry.getValue()); if (sanitizedValue != null) { - newParameterValues.put(parameterEntry.getKey(), parameterEntry.getValue()); + newParameterValues.put(parameterEntry.getKey(), sanitizedValue); } else { return null; } } + condition.setParameterValues(newParameterValues); return condition; }
