oscerd opened a new pull request, #23381: URL: https://github.com/apache/camel/pull/23381
## Backport of #23362

Cherry-pick of #23362 onto `camel-4.18.x` (Jira: [CAMEL-23522](https://issues.apache.org/jira/browse/CAMEL-23522), fixVersion `4.18.3`).

**Original PR:** #23362 — CAMEL-23522: camel-mail - gate JavaMail session properties from headers behind opt-in
**Original author:** @oscerd
**Target branch:** `camel-4.18.x`

## Branch-specific adjustments

- The `security = "insecure:ssl"` attribute was removed from the `@UriParam`. `@UriParam.security` was introduced together with the security-policy enforcement framework (CAMEL-23250 / `core/camel-util/SecurityUtils`), which lives only on `main` / 4.21. On 4.18.x the categorisation is preserved through `label = "producer,advanced,security"` only.
- The corresponding `core/camel-util/SecurityUtils` change was dropped for the same reason — the file does not exist on this branch.
- The upgrade-guide entry was added to `camel-4x-upgrade-guide-4_18.adoc` under "Upgrading from 4.18.2 to 4.18.3" (the 4_21 file used on `main` does not exist on this branch).
- The `xref:manual::security-model.adoc[…]` cross-link in `mail-component.adoc` was dropped because `security-model.adoc` was introduced on `main` only (CAMEL-23496) and is not present on 4.18.x — the xref-check would fail.
- The new test class imports `org.apache.camel.test.junit5.CamelTestSupport` (instead of the `junit6` package used on `main`).

A separate doc-sync PR will mirror the 4.18 upgrade-guide entry onto `main`, per the project's "Backport upgrade-guide policy" in CLAUDE.md.

## Verification on `camel-4.18.x`

- [x] `mvn test` in `components/camel-mail` — 218/218 pass (4 skipped, no failures); 7 new tests green (`MailSessionPropertiesFromHeadersTest` + `MailHeaderFilterStrategyTest`).
- [x] Full-reactor `mvn clean install -DskipTests` exits 0 with all generated catalog mirrors, DSL builder factories, endpoint DSL, and component metadata regenerated and committed.
## Original description (from #23362)

`MailProducer.getSender` extracted `mail.smtp.*` / `mail.smtps.*` exchange headers and applied them as JavaMail session properties on a per-message custom sender. The namespace is Camel-internal (only `MailProducer` interprets it) and is not filtered by any `HeaderFilterStrategy`.

A route chaining an untrusted producer (e.g. `platform-http` query parameters, JMS/Kafka from untrusted producers) into `smtp`/`smtps` without an explicit `removeHeaders` between them therefore let an attacker drive transport-security settings: `mail.smtp.ssl.trust`, `mail.smtp.ssl.checkserveridentity`, `mail.smtp.starttls.enable`, `mail.smtp.socks.host`, etc.

This is the same conceptual pattern as the `Camel*` header-injection family (CAMEL-23222 / CVE-2025-27636), with a namespace that was missed in that sweep. The fix makes the per-message override opt-in (`useJavaMailSessionPropertiesFromHeaders`, default `false`).

---

_Claude Code on behalf of Andrea Cosentino_
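The `removeHeaders` mitigation the description refers to, as an added example that is not part of the PR or of camel-mail: a minimal camel-core route that strips the `mail.smtp*` header namespace before an untrusted exchange would reach a mail endpoint. The `smtp://` endpoint is replaced by a processor that prints the surviving headers, and the `direct:untrusted` endpoint name and header values are constructed for the illustration; it assumes camel-core on the classpath.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.camel.CamelContext;
import org.apache.camel.ProducerTemplate;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.impl.DefaultCamelContext;

/**
 * Illustrative route (not camel-mail's own code): drops the Camel-internal
 * mail.smtp.* / mail.smtps.* namespace so that headers arriving from an
 * untrusted producer cannot become JavaMail session properties downstream.
 */
public class StripMailSessionHeadersExample {

    public static void main(String[] args) throws Exception {
        try (CamelContext context = new DefaultCamelContext()) {
            context.addRoutes(new RouteBuilder() {
                @Override
                public void configure() {
                    from("direct:untrusted")
                        // Wildcard pattern: removes every header starting with "mail.smtp",
                        // which covers both mail.smtp.* and mail.smtps.*.
                        .removeHeaders("mail.smtp*")
                        // Stand-in for the real smtp:// or smtps:// endpoint:
                        // print what would actually reach the mail producer.
                        .process(exchange -> exchange.getIn().getHeaders()
                            .forEach((k, v) -> System.out.println(k + " = " + v)));
                }
            });
            context.start();

            // Constructed headers, shaped like what an untrusted upstream might inject.
            Map<String, Object> headers = new LinkedHashMap<>();
            headers.put("mail.smtp.ssl.trust", "*");
            headers.put("mail.smtp.starttls.enable", "false");
            headers.put("mail.smtps.socks.host", "socks.placeholder.example");
            headers.put("Subject", "quarterly report");

            ProducerTemplate template = context.createProducerTemplate();
            template.sendBodyAndHeaders("direct:untrusted", "body", headers);
        }
    }
}
```

Only `Subject = quarterly report` survives the filter; on a 4.18.x release without the opt-in gate this is the route-level control that keeps transport-security settings out of reach of upstream producers.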
