Posted to dev@unomi.apache.org by GitBox <gi...@apache.org> on 2020/07/27 09:02:01 UTC

[GitHub] [unomi] jkevan commented on a change in pull request #179: Improve scripting security

jkevan commented on a change in pull request #179:
URL: https://github.com/apache/unomi/pull/179#discussion_r460747981



##########
File path: wab/src/main/java/org/apache/unomi/web/ContextServlet.java
##########
@@ -470,4 +472,80 @@ public void setPersonalizationService(PersonalizationService personalizationServ
     public void setConfigSharingService(ConfigSharingService configSharingService) {
         this.configSharingService = configSharingService;
     }
+
+    private List<PersonalizationService.PersonalizedContent> sanitizePersonalizedContentObjects(List<PersonalizationService.PersonalizedContent> personalizedContentObjects) {
+        if (!sanitizeConditions) {
+            return personalizedContentObjects;
+        }
+        List<PersonalizationService.PersonalizedContent> result = new ArrayList<>();
+        for (PersonalizationService.PersonalizedContent personalizedContentObject : personalizedContentObjects) {
+            boolean foundInvalidCondition = false;
+            if (personalizedContentObject.getFilters() != null) {
+                for (PersonalizationService.Filter filter : personalizedContentObject.getFilters()) {
+                    if (sanitizeCondition(filter.getCondition()) == null) {
+                        foundInvalidCondition = true;
+                        break;
+                    }
+                }
+            }
+            if (!foundInvalidCondition) {
+                result.add(personalizedContentObject);
+            }
+        }
+
+        return result;
+    }
+
+    private List<PersonalizationService.PersonalizationRequest> sanitizePersonalizations(List<PersonalizationService.PersonalizationRequest> personalizations) {
+        if (!sanitizeConditions) {
+            return personalizations;
+        }
+        List<PersonalizationService.PersonalizationRequest> result = new ArrayList<>();
+        for (PersonalizationService.PersonalizationRequest personalizationRequest : personalizations) {
+            List<PersonalizationService.PersonalizedContent> personalizedContents = sanitizePersonalizedContentObjects(personalizationRequest.getContents());
+            if (personalizedContents != null && personalizedContents.size() > 0) {
+                result.add(personalizationRequest);
+            }
+        }
+        return result;
+    }
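
Review bot: in sanitizePersonalizations the filtered list is computed and then discarded. `personalizedContents` is only used for the size check, and the unmodified `personalizationRequest`, still carrying every content object including those whose filter conditions failed sanitization, is what gets added to `result`. Either write the filtered list back to the request (via a setter on PersonalizationRequest if one exists, or by rebuilding the request with `personalizedContents`) or make it explicit that callers re-sanitize the contents themselves; as written, the per-content filtering in sanitizePersonalizedContentObjects only decides whether a request is kept, not which contents it carries. The same pattern shows up in sanitizePersonalizedContentObjects: the value returned by `sanitizeCondition(filter.getCondition())` is only compared against null, so if sanitizeCondition ever rewrites a condition instead of rejecting it outright, the rewritten condition never reaches the filter. Two smaller points: `personalizationRequest.getContents()` is fed straight into a for-each loop with no null guard (getFilters() gets one a few lines earlier), and the `personalizedContents != null` check is dead since sanitizePersonalizedContentObjects always returns a non-null list once the `sanitizeConditions` early return has been passed. A rejected condition is also dropped silently with no log line, which will make sanitization failures hard to diagnose.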

Review comment:
    I understand that these functions are filtering the elements; it could be great to have some logging here for debugging matters.
    If someone wants to understand why his conditions are not executed, he could find answers in the logs.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org