Skip to content

UNOMI-945: Fix context filter list sanitization and add tests#789

Merged
sergehuber merged 3 commits into
masterfrom
UNOMI-945-context-sanitize-fix
Jun 29, 2026
Merged

UNOMI-945: Fix context filter list sanitization and add tests#789
sergehuber merged 3 commits into
masterfrom
UNOMI-945-context-sanitize-fix

Conversation

@sergehuber

Copy link
Copy Markdown
Contributor

Summary

  • Backport the ContextJsonEndpoint.sanitizeValue() list fix from unomi-3.0.x (#778): return newValues instead of the original list so script:: and parameter:: entries are stripped from context filter payloads.
  • Add unit tests (ContextJsonEndpointTest) and an integration test (ContextServletIT#testMVELVulnerabilityWithListPropertyValues) covering list-based script injection in filter conditions.

Commits (intentionally split for cherry-pick):

  1. d610b0004 — fix only (matches 3.0.x [UNOMI-945] fix bug in context endpoint user entry filtering #778)
  2. a53a9cde5 — tests only (portable to unomi-3.0.x via git cherry-pick a53a9cde5)

Test plan

  • mvn -pl rest test -Dtest=ContextJsonEndpointTest
  • CI unit + integration tests (includes testMVELVulnerabilityWithListPropertyValues)

…ue()

Align with unomi-3.0.x #778: the list branch must return newValues so
script:: and parameter:: entries are stripped from context filter payloads.
…tion

Cover list-based script filtering (UNOMI-945), sanitize helpers, and
persona overrides. Split from the fix commit so both can be cherry-picked
independently onto unomi-3.0.x.
sanitizeCondition() computed newParameterValues but discarded it,
returning the original Condition unchanged whenever no parameter
sanitized entirely to null. A list parameter mixing safe and
script::/parameter:: entries kept the malicious entries intact in
the condition actually evaluated downstream. Apply the sanitized
values and propagate them via setParameterValues().
@sergehuber sergehuber merged commit c715771 into master Jun 29, 2026
6 checks passed
@sergehuber sergehuber deleted the UNOMI-945-context-sanitize-fix branch June 29, 2026 17:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant