How to allow a custom script expression

Question

Following the upgrade to JCustomer/Unomi 1.4.4, my custom rules using a scripting expression does not seem to work anymore. For example, script::profile.itemId does not work.

Cause

Since the discovery of the security breach CVE-2020-13942, the new JCustomer/Unomi versions have a filtering mechanism for the scripting expressions. Consequently, this filtering can prevent the execution of your custom scripts.

Solution

Edit the file JCUSTOMER_HOME/etc/mvel-allow.json in order to allow the execution of your custom script, in our case, profile.itemId:

[
  "\\Q'systemProperties.campaigns.'+campaignId+'Engaged'\\E",
  "\\Q'properties.pageViewCount.' + (scope != null ? scope : 'defaultSiteKey')\\E",
  "\\Q'properties.interests.'+ (interestName != null ? interestName.toLowerCase() : 'default')\\E",
  "\\Qevent.properties['src_languages.values'] != null ? event.properties['src_languages.values'].toLowerCase() : 'en'\\E",
  "\\Qevent.properties['src_terms[0].term'] != null ? event.properties['src_terms[0].term'].toLowerCase() : ''\\E",
  "\\Qr = profile.properties['interests']; foreach(interest : event.target.properties['interests'].entrySet()) { if (r == null) { r = [interest.key: interest.value] } else if (r[interest.key] != null) { r[interest.key] = r[interest.key] + interest.value } else { r[interest.key] = interest.value } } r\\E",
  "\\Qr = profile.properties['pageViewCount']; if (r == null) { profile.properties['pageViewCount'] = []; profile.properties.pageViewCount = [event.scope : 1] } else { if (r[event.scope] != null) { r[event.scope] = r[event.scope] + 1 } else { r[event.scope] = 1 }} r\\E",
  "\\Qevent.properties['src_terms[0].term'].toLowerCase()\\E",
  "\\Qsession.size + 1\\E",
  "\\Qprofile.itemId\\E"