Posted to dev@unomi.apache.org by GitBox <gi...@apache.org> on 2020/08/19 15:18:58 UTC

[GitHub] [unomi] sergehuber commented on a change in pull request #179: Improve scripting security

sergehuber commented on a change in pull request #179:
URL: https://github.com/apache/unomi/pull/179#discussion_r473109944



##########
File path: plugins/baseplugin/src/main/java/org/apache/unomi/plugins/baseplugin/conditions/PropertyConditionEvaluator.java
##########
@@ -305,10 +311,16 @@ protected Object getHardcodedPropertyValue(Item item, String expression) {
                 return event.getTarget().getItemId();
             }
             if (expression.startsWith("target.properties.")) {
-                if (event.getTarget() instanceof CustomItem) {
-                    CustomItem customItem = (CustomItem) event.getTarget();
-                    String expressionPart = expression.substring("target.properties.".length());
-                    return getNestedPropertyValue(expressionPart, customItem.getProperties());
+                String expressionPart = expression.substring("target.properties.".length());
+                Item targetItem = event.getTarget();
+                if (targetItem instanceof CustomItem) {
+                    return getNestedPropertyValue(expressionPart, ((CustomItem) targetItem).getProperties());
+                } else if (targetItem instanceof Session) {
+                    return getNestedPropertyValue(expressionPart, ((Session) targetItem).getProperties());
+                } else if (targetItem instanceof Rule) {
+                    return null;
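Review bot: the final `else if (targetItem instanceof Rule)` branch returns `null` with no comment saying why, so a reader cannot tell a deliberate "Rule has no properties" case from a forgotten one. Add a one-line comment on that branch. The `CustomItem` and `Session` branches differ only in the cast, so consider resolving the properties map first and calling `getNestedPropertyValue` once. The visible lines do not show what is returned for any other `Item` subtype, so make that default explicit as well.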

Review comment:
       Yes should be ok, it's testing target.properties which is not available on the Rule class
   

##########
File path: scripting/src/main/java/org/apache/unomi/scripting/MvelScriptExecutor.java
##########
@@ -24,11 +24,20 @@
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 
+/**
+ * MVEL script executor implementation
+ */
 public class MvelScriptExecutor implements ScriptExecutor {
 
+    private final static String INVALID_SCRIPT_MARKER = "Invalid String Marker";
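Review bot: the constant `INVALID_SCRIPT_MARKER` is assigned the value "Invalid String Marker", so the name says Script and the value says String; align the value with the name so that anything logging or comparing it reads consistently. The modifiers are written `private final static`, where the conventional Java order is `private static final`. The new class Javadoc could also state what this marker is used for, since the one-line description does not mention it.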

Review comment:
       It's a typo I'll correct it.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org