[
https://issues.apache.org/jira/browse/CAMEL-23250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18068563#comment-18068563
]
Guillaume Nodet commented on CAMEL-23250:
-----------------------------------------
**Security Audit Findings — Additional Recommendations**
After auditing the codebase for CAMEL-22497 (easy HTTPS), here are additional
areas that should be addressed as part of this ticket:
*High Severity — Dev-only settings that disable security checks:*
|| Setting || Scope || Notes ||
| {{trustAllCertificates}} | 37+ AWS components | Disables all SSL certificate
validation, no runtime warning |
| {{sslValidationEnabled=false}} | MongoDB ({{SslAwareMongoClient}}) |
Hardcoded TrustManager that accepts everything + disables hostname verification
|
| {{selfSigned=true}} | Core SSL ({{SSLConfigurationProperties}}) | Already
warns at startup (added in CAMEL-22497) |
*Medium Severity — Insecure defaults or bypassable checks:*
|| Setting || Scope || Notes ||
| {{tls=false}} (default) | Qdrant, other vector DB components | TLS disabled
by default |
| {{httpsHostnameVerificationEnabled}} | PAHO MQTT / MQTT5 | Can be set to
false to skip hostname verification |
*Recommendations:*
# Emit a prominent WARN log at startup whenever any of the above insecure
settings are active (similar to what we already do for {{selfSigned=true}})
# Ensure all password/token/key fields across components have
{{@Metadata(secret=true)}}. Most are correct (Kafka, AI components), but a
systematic audit would catch gaps.
# Consider a "strict mode" or production profile that refuses insecure settings
unless explicitly acknowledged
# All "disable security" properties should follow the same opt-in + warning
pattern
_Claude Code on behalf of Guillaume Nodet_
> Warn or prevent plain-text secrets in configuration properties
> --------------------------------------------------------------
>
> Key: CAMEL-23250
> URL: https://issues.apache.org/jira/browse/CAMEL-23250
> Project: Camel
> Issue Type: Improvement
> Components: camel-core
> Reporter: Guillaume Nodet
> Assignee: Guillaume Nodet
> Priority: Major
>
> Currently, Camel has a well-established pipeline for detecting and masking
> secret properties (via @Metadata(secret=true) and SensitiveUtils), but it
> only masks values in logs and console output. There is no mechanism to warn
> users when secrets are configured via plain-text properties instead of using
> secure alternatives like RAW(), vault references ({{vault:...}}), or
> environment variable placeholders (${env:...}).
> This improvement should:
> h3. 1. Warn on plain-text secrets
> *Log a warning at startup* when a secret property is set via plain-text (not
> RAW(), not {{vault:...}}, not ${env:...}). This could be added in
> MainHelper.sensitiveAwareLogging() or BaseMainSupport auto-configuration.
> h3. 2. Add a configuration flag
> Add a *camel.main.warnOnPlainTextSecrets* flag (default: true) to control
> whether warnings are emitted, allowing users to suppress them in development
> environments.
> h3. 3. Fix PropertiesDevConsole JSON output
> PropertiesDevConsole currently does *not mask secret values in JSON mode*
> (only masks in text mode), potentially exposing secrets via monitoring
> endpoints.
> h3. 4. Strict mode
> Consider adding a *strict mode* (e.g. camel.main.forbidPlainTextSecrets) that
> would fail startup if plain-text secrets are detected, for production
> hardening.
> h3. 5. Warn on development-only settings in production
> Beyond secrets, some configuration options are inherently unsafe for
> production use, such as:
> - *camel.ssl.selfSigned=true* — generates an ephemeral self-signed
> certificate (added in CAMEL-22497)
> - *camel.ssl.trustAllCertificates=true* — disables certificate validation
> These are not secrets (they are boolean flags) so @Metadata(secret=true) is
> not the right mechanism. Consider adding a new annotation attribute like
> @Metadata(label = "development") or @Metadata(warnInProduction = true) that
> would trigger a startup warning when these options are enabled in a
> non-development profile. This would catch cases where development settings
> are accidentally left in production configuration.
> Related: there are currently 143+ secret keys detected by SensitiveUtils. The
> detection infrastructure is solid - it just needs to be leveraged for
> prevention, not just masking.
> Key files:
> - core/camel-main/src/main/java/org/apache/camel/main/MainHelper.java
> (sensitiveAwareLogging)
> - core/camel-util/src/main/java/org/apache/camel/util/SensitiveUtils.java
> -
> core/camel-console/src/main/java/org/apache/camel/impl/console/PropertiesDevConsole.java
> -
> core/camel-main/src/main/java/org/apache/camel/main/SSLConfigurationProperties.java
> (selfSigned, trustAllCertificates)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
