This is an automated email from the ASF dual-hosted git repository.

sergehuber pushed a commit to branch unomi-3.0.x
in repository https://gitbox.apache.org/repos/asf/unomi.git


The following commit(s) were added to refs/heads/unomi-3.0.x by this push:
     new 1ba645448 UNOMI-945: Apply sanitized condition parameters and add list 
IT (#790)
1ba645448 is described below

commit 1ba6454484b1b347c70181869b4aac4ea3d1f53d
Author: Serge Huber <[email protected]>
AuthorDate: Mon Jun 29 18:34:09 2026 +0200

    UNOMI-945: Apply sanitized condition parameters and add list IT (#790)
---
 .../org/apache/unomi/itests/ContextServletIT.java  | 20 +++++++++++++++++++
 .../test/resources/security/mvel-payload-list.json | 23 ++++++++++++++++++++++
 .../unomi/rest/endpoints/ContextJsonEndpoint.java  |  3 ++-
 3 files changed, 45 insertions(+), 1 deletion(-)

diff --git a/itests/src/test/java/org/apache/unomi/itests/ContextServletIT.java 
b/itests/src/test/java/org/apache/unomi/itests/ContextServletIT.java
index 7014ec66e..fa51b228b 100644
--- a/itests/src/test/java/org/apache/unomi/itests/ContextServletIT.java
+++ b/itests/src/test/java/org/apache/unomi/itests/ContextServletIT.java
@@ -491,6 +491,26 @@ public class ContextServletIT extends BaseIT {
                 exists -> exists == Boolean.FALSE, DEFAULT_TRYING_TIMEOUT, 
DEFAULT_TRYING_TRIES);
     }
 
+    @Test
+    public void testMVELVulnerabilityWithListPropertyValues() throws Exception 
{
+        File vulnFile = new File("target/vuln-file-list.txt");
+        if (vulnFile.exists()) {
+            vulnFile.delete();
+        }
+        String vulnFileCanonicalPath = vulnFile.getCanonicalPath();
+        vulnFileCanonicalPath = vulnFileCanonicalPath.replace("\\", "\\\\"); 
// this is required for Windows support
+
+        Map<String, String> parameters = new HashMap<>();
+        parameters.put("VULN_FILE_PATH", vulnFileCanonicalPath);
+        HttpPost request = new HttpPost(getFullUrl(CONTEXT_URL));
+        request.setEntity(
+                new 
StringEntity(getValidatedBundleJSON("security/mvel-payload-list.json", 
parameters), ContentType.APPLICATION_JSON));
+        TestUtils.executeContextJSONRequest(request);
+
+        shouldBeTrueUntilEnd("Vulnerability successfully executed ! File 
created at " + vulnFileCanonicalPath, vulnFile::exists,
+                exists -> exists == Boolean.FALSE, DEFAULT_TRYING_TIMEOUT, 
DEFAULT_TRYING_TRIES);
+    }
+
     @Test
     public void testPersonalization() throws Exception {
 
diff --git a/itests/src/test/resources/security/mvel-payload-list.json 
b/itests/src/test/resources/security/mvel-payload-list.json
new file mode 100644
index 000000000..bfc6ff8f8
--- /dev/null
+++ b/itests/src/test/resources/security/mvel-payload-list.json
@@ -0,0 +1,23 @@
+{
+  "filters": [
+    {
+      "id": "filter1",
+      "filters": [
+        {
+          "condition": {
+            "parameterValues": {
+              "propertyName": "firstName",
+              "comparisonOperator": "equals",
+              "propertyValues": [
+                "safe-value",
+                "script::Runtime r = Runtime.getRuntime(); r.exec(\"touch 
###VULN_FILE_PATH###\");"
+              ]
+            },
+            "type": "profilePropertyCondition"
+          }
+        }
+      ]
+    }
+  ],
+  "sessionId": "demo-session-id"
+}
diff --git 
a/rest/src/main/java/org/apache/unomi/rest/endpoints/ContextJsonEndpoint.java 
b/rest/src/main/java/org/apache/unomi/rest/endpoints/ContextJsonEndpoint.java
index 099926c75..39eca1220 100644
--- 
a/rest/src/main/java/org/apache/unomi/rest/endpoints/ContextJsonEndpoint.java
+++ 
b/rest/src/main/java/org/apache/unomi/rest/endpoints/ContextJsonEndpoint.java
@@ -331,11 +331,12 @@ public class ContextJsonEndpoint {
         for (Map.Entry<String, Object> parameterEntry : 
condition.getParameterValues().entrySet()) {
             Object sanitizedValue = sanitizeValue(parameterEntry.getValue());
             if (sanitizedValue != null) {
-                newParameterValues.put(parameterEntry.getKey(), 
parameterEntry.getValue());
+                newParameterValues.put(parameterEntry.getKey(), 
sanitizedValue);
             } else {
                 return null;
             }
         }
+        condition.setParameterValues(newParameterValues);
         return condition;
     }
 

Reply via email to