[
https://issues.apache.org/jira/browse/CAMEL-23372?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Work on CAMEL-23372 started by Andrea Cosentino.
------------------------------------------------
> Tighten default ObjectInputFilter to deny java.net.** before java.**
> --------------------------------------------------------------------
>
> Key: CAMEL-23372
> URL: https://issues.apache.org/jira/browse/CAMEL-23372
> Project: Camel
> Issue Type: Improvement
> Components: camel-amqp, camel-cassandraql, camel-consul,
> camel-infinispan, camel-jms, camel-leveldb, camel-mina, camel-netty,
> camel-netty-http, camel-sjms, camel-sql, camel-vertx-http
> Reporter: Andrea Cosentino
> Assignee: Andrea Cosentino
> Priority: Major
>
> The default {{ObjectInputFilter}} pattern introduced by the CAMEL-23297 /
> CAMEL-23319 / CAMEL-23321 / CAMEL-23322 / CAMEL-23324 series --
> {{java.**;javax.**;org.apache.camel.**;!*}} (or the no-{{javax.**}} variant
> in the aggregation-repository components) -- uses a recursive {{java.**}}
> allow that admits classes whose {{hashCode}}/{{equals}}/{{readObject}} paths
> perform network I/O (notably {{java.net.URL}} and {{java.net.InetAddress}},
> whose hash methods perform DNS resolution). Tighten the default by explicitly
> denying {{java.net.**}} before the broader {{java.**}} allow:
> {noformat}
> !java.net.**;java.**;javax.**;org.apache.camel.**;!*
> {noformat}
> Per JEP 290 the filter is evaluated left-to-right, so this rejects classes
> under {{java.net.*}} while keeping {{java.lang.*}}, {{java.util.*}},
> {{java.sql.*}}, {{java.security.*}}, etc. allowed.
> h3. Files to update
> * {{components/camel-jms/src/main/java/org/apache/camel/component/jms/JmsBinding.java:87}} ({{DEFAULT_DESERIALIZATION_FILTER}})
> * {{components/camel-sjms/src/main/java/org/apache/camel/component/sjms/jms/JmsBinding.java:74}}
> * {{components/camel-mina/src/main/java/org/apache/camel/component/mina/MinaConverter.java:43}}
> * {{components/camel-netty/src/main/java/org/apache/camel/component/netty/NettyConverter.java:52}}
> * {{components/camel-netty-http/src/main/java/org/apache/camel/component/netty/http/NettyHttpHelper.java:52}}
> * {{components/camel-vertx/camel-vertx-http/src/main/java/org/apache/camel/component/vertx/http/VertxHttpHelper.java:46}}
> * {{components/camel-infinispan/camel-infinispan/src/main/java/org/apache/camel/component/infinispan/remote/protostream/DefaultExchangeHolderUtils.java:40}}
> * {{components/camel-leveldb/src/main/java/org/apache/camel/component/leveldb/LevelDBAggregationRepository.java:93-94}} (default value and the {{@UriParam defaultValue}} attribute)
> * {{components/camel-cassandraql/src/main/java/org/apache/camel/processor/aggregate/cassandra/CassandraAggregationRepository.java:124}}
> * {{components/camel-consul/src/main/java/org/apache/camel/component/consul/ConsulRegistry.java:56}}
> * {{components/camel-sql/src/main/java/org/apache/camel/processor/aggregate/jdbc/JdbcAggregationRepository.java:118}}
> * All {{@UriParam}}/{{@Metadata}} {{description}} strings and setter javadoc
> that quote the previous default (camel-jms {{JmsConfiguration.java:388-394}}
> and {{:2070-2078}}; camel-sjms {{SjmsComponent.java:77-84}} and
> {{SjmsEndpoint.java:212-219}} and {{:765-772}}; equivalents in
> camel-vertx-http and camel-netty-http)
> * Regenerate component metadata ({{mvn -DskipTests install}} per affected
> module) and commit the regenerated {{*.json}},
> {{*ComponentBuilderFactory.java}}, {{*EndpointBuilderFactory.java}}, and
> {{META-INF/.../*.json}} files
> h3. Tests
> Add a synthetic test per affected component confirming the new default
> rejects a {{java.net.URL}} payload while allowing {{java.lang.String}},
> {{java.util.HashMap}} (with non-{{java.net.*}} keys), {{java.sql.Timestamp}},
> and {{org.apache.camel.support.DefaultExchangeHolder}}.
> h3. Compatibility
> No public API changes. The endpoint option {{deserializationFilter}} and the
> JVM system property {{jdk.serialFilter}} continue to override this default.
> Users who have a legitimate need to deserialize {{java.net.URL}} (uncommon)
> can opt back in via either override.
> h3. Documentation
> Add a short note to the 4.21 upgrade guide
> ({{docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc}})
> that the in-code default has been tightened to deny {{java.net.**}}, and
> recommend that production deployments configure a JMS-provider-side allowList
> (Artemis {{deserializationAllowList}}, ActiveMQ Classic
> {{org.apache.activemq.SERIALIZABLE_PACKAGES}}) as the primary mitigation,
> with the in-code filter as defense-in-depth.
> ----
> _Filed by Claude Code on behalf of Andrea Cosentino._
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
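The left-to-right filter evaluation the issue relies on, shown as an added stand-alone example (not code from the Camel project or from the issue): both patterns are compiled with the JDK's `ObjectInputFilter.Config.createFilter`, and a few serialized samples are read back under each. The class name `FilterOrderDemo` and the sample values are assumptions for this demo; `DefaultExchangeHolder` is omitted because it needs Camel on the classpath.

```java
import java.io.*;
import java.net.URI;
import java.net.URL;
import java.sql.Timestamp;
import java.util.HashMap;
import java.util.Map;

public class FilterOrderDemo {
    // Previous default (recursive java.** allow) and the tightened pattern from CAMEL-23372.
    static final String OLD = "java.**;javax.**;org.apache.camel.**;!*";
    static final String NEW = "!java.net.**;java.**;javax.**;org.apache.camel.**;!*";

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // The filter is consulted for every class descriptor in the stream before that class's
    // readObject/hashCode code runs, so a rejected java.net.URL never gets to resolve anything.
    static String deserializeWith(String pattern, byte[] bytes) throws IOException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            ois.readObject();
            return "ACCEPTED";
        } catch (InvalidClassException e) {   // thrown with "filter status: REJECTED"
            return "REJECTED";
        } catch (ClassNotFoundException e) {
            throw new IOException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        URL url = URI.create("http://example.invalid/").toURL();   // constructed sample value
        Map<String, Object> mapWithUrl = new HashMap<>();
        mapWithUrl.put("target", url);   // nested URL: the filter also sees nested classes
        Map<String, String> plainMap = new HashMap<>();
        plainMap.put("k", "v");
        Object[] samples = { "a string", plainMap, new Timestamp(0L), url, mapWithUrl };
        String[] labels = { "java.lang.String", "HashMap<String,String>", "java.sql.Timestamp",
                            "java.net.URL", "HashMap containing a URL" };
        for (int i = 0; i < samples.length; i++) {
            byte[] bytes = serialize(samples[i]);
            System.out.printf("%-26s old: %-9s new: %s%n", labels[i],
                    deserializeWith(OLD, bytes), deserializeWith(NEW, bytes));
        }
    }
}
```

Run with `java FilterOrderDemo.java` (JDK 11+); the first three samples are accepted by both patterns, while the bare URL and the map that merely contains one are accepted by the old pattern and rejected by the tightened one.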