Skip to content

UNOMI-945: Apply sanitized condition parameters and add list IT#790

Merged
sergehuber merged 2 commits into
unomi-3.0.xfrom
UNOMI-945-3.0.x-fix-it
Jun 29, 2026
Merged

UNOMI-945: Apply sanitized condition parameters and add list IT#790
sergehuber merged 2 commits into
unomi-3.0.xfrom
UNOMI-945-3.0.x-fix-it

Conversation

@sergehuber

Copy link
Copy Markdown
Contributor

Summary

  • Fix ContextJsonEndpoint.sanitizeCondition() so filtered parameter values are stored and applied via setParameterValues() (complements the list sanitization fix already in [UNOMI-945] fix bug in context endpoint user entry filtering #778).
  • Add integration test for list-based propertyValues payloads mixing safe values with script:: entries.

Complements master #789 — fix + IT only; no REST unit tests (3.0.x has no rest/src/test harness).

Commits

  1. b13429c2f — production fix (sanitizeCondition)
  2. d445ad6d7 — IT (mvel-payload-list.json, testMVELVulnerabilityWithListPropertyValues)

Test plan

  • mvn -pl rest -am compile -DskipTests
  • CI integration tests (ContextServletIT#testMVELVulnerabilityWithListPropertyValues)

sanitizeCondition() computed filtered parameter values but stored the
original entries and never applied them back onto the Condition. Mixed
safe/script:: list parameters kept malicious entries in the evaluated
condition even after sanitizeValue() filtered the list.
Cover propertyValues list payloads that mix safe values with script::
entries; assert the exploit file is not created.
@sergehuber sergehuber merged commit 1ba6454 into unomi-3.0.x Jun 29, 2026
2 checks passed
@sergehuber sergehuber deleted the UNOMI-945-3.0.x-fix-it branch June 29, 2026 16:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant