Andrea Cosentino created CAMEL-23372:
----------------------------------------

             Summary: Tighten default ObjectInputFilter to deny java.net.** before java.**
                 Key: CAMEL-23372
                 URL: https://issues.apache.org/jira/browse/CAMEL-23372
             Project: Camel
          Issue Type: Improvement
          Components: camel-infinispan, camel-amqp, camel-mina, camel-netty, camel-leveldb, camel-jms, camel-netty-http, camel-vertx-http, camel-sjms, camel-cassandraql, camel-consul, camel-sql
            Reporter: Andrea Cosentino


The default {{ObjectInputFilter}} pattern introduced by the CAMEL-23297 / 
CAMEL-23319 / CAMEL-23321 / CAMEL-23322 / CAMEL-23324 series -- 
{{java.**;javax.**;org.apache.camel.**;!*}} (or the no-{{javax.**}} variant in 
the aggregation-repository components) -- uses a recursive {{java.**}} allow 
that admits classes whose {{hashCode}}/{{equals}}/{{readObject}} paths perform 
network I/O (notably {{java.net.URL}} and {{java.net.InetAddress}}, whose hash 
methods perform DNS resolution). Tighten the default by explicitly denying 
{{java.net.**}} before the broader {{java.**}} allow:

{noformat}
!java.net.**;java.**;javax.**;org.apache.camel.**;!*
{noformat}

Per JEP 290, the patterns are matched left-to-right and the first match decides, 
so the leading deny rejects every class under {{java.net.*}} (including its 
subpackages) while {{java.lang.*}}, {{java.util.*}}, {{java.sql.*}}, 
{{java.security.*}}, etc. remain allowed by the {{java.**}} entry that follows it.

h3. Files to update

* {{components/camel-jms/src/main/java/org/apache/camel/component/jms/JmsBinding.java:87}} ({{DEFAULT_DESERIALIZATION_FILTER}})
* {{components/camel-sjms/src/main/java/org/apache/camel/component/sjms/jms/JmsBinding.java:74}}
* {{components/camel-mina/src/main/java/org/apache/camel/component/mina/MinaConverter.java:43}}
* {{components/camel-netty/src/main/java/org/apache/camel/component/netty/NettyConverter.java:52}}
* {{components/camel-netty-http/src/main/java/org/apache/camel/component/netty/http/NettyHttpHelper.java:52}}
* {{components/camel-vertx/camel-vertx-http/src/main/java/org/apache/camel/component/vertx/http/VertxHttpHelper.java:46}}
* {{components/camel-infinispan/camel-infinispan/src/main/java/org/apache/camel/component/infinispan/remote/protostream/DefaultExchangeHolderUtils.java:40}}
* {{components/camel-leveldb/src/main/java/org/apache/camel/component/leveldb/LevelDBAggregationRepository.java:93-94}} (default value and the {{@UriParam defaultValue}} attribute)
* {{components/camel-cassandraql/src/main/java/org/apache/camel/processor/aggregate/cassandra/CassandraAggregationRepository.java:124}}
* {{components/camel-consul/src/main/java/org/apache/camel/component/consul/ConsulRegistry.java:56}}
* {{components/camel-sql/src/main/java/org/apache/camel/processor/aggregate/jdbc/JdbcAggregationRepository.java:118}}
* All {{@UriParam}}/{{@Metadata}} {{description}} strings and setter javadoc 
that quote the previous default (camel-jms {{JmsConfiguration.java:388-394}} 
and {{:2070-2078}}; camel-sjms {{SjmsComponent.java:77-84}} and 
{{SjmsEndpoint.java:212-219}} and {{:765-772}}; equivalents in camel-vertx-http 
and camel-netty-http)
* Regenerate component metadata ({{mvn -DskipTests install}} per affected 
module) and commit the regenerated {{*.json}}, 
{{*ComponentBuilderFactory.java}}, {{*EndpointBuilderFactory.java}}, and 
{{META-INF/.../*.json}} files

h3. Tests

Add a synthetic test per affected component confirming the new default rejects 
a {{java.net.URL}} payload while allowing {{java.lang.String}}, 
{{java.util.HashMap}} (with non-{{java.net.*}} keys), {{java.sql.Timestamp}}, 
and {{org.apache.camel.support.DefaultExchangeHolder}}.
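The following stand-alone program is an added illustration of the JEP 290 ordering rule described above and of the accept/reject checks this section asks for; it is not Camel code and not part of the component tests. It runs constructed payloads through {{ObjectInputStream}} under the previous default, the proposed default, and a deliberately mis-ordered variant in which {{java.**}} precedes the {{java.net.**}} deny. The class name {{FilterOrderDemo}}, its nested {{Unlisted}} class and the sample values are demo-only assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.net.URI;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Demo (not Camel code): shows how ObjectInputStream applies a JEP 290 pattern
 * filter and why the order of the patterns matters.
 */
public class FilterOrderDemo {

    // Previous default: the recursive java.** allow also admits java.net.*.
    static final String OLD_DEFAULT = "java.**;javax.**;org.apache.camel.**;!*";
    // Proposed default: the java.net.** deny is evaluated before the java.** allow.
    static final String NEW_DEFAULT = "!java.net.**;java.**;javax.**;org.apache.camel.**;!*";
    // Same patterns, wrong order: java.** matches first, so the deny never applies.
    static final String MISORDERED = "java.**;!java.net.**;javax.**;org.apache.camel.**;!*";

    /** Demo-only class outside every allow pattern; only the trailing !* matches it. */
    static class Unlisted implements Serializable {
        private static final long serialVersionUID = 1L;
        int value = 42;
    }

    static byte[] serialize(Serializable payload) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(payload);
        }
        return bos.toByteArray();
    }

    /**
     * Deserialise under the given filter. The stream consults the filter for each
     * class descriptor it meets (top-level object, nested fields, map entries) and
     * throws InvalidClassException as soon as a class is REJECTED.
     */
    static String deserialize(byte[] bytes, ObjectInputFilter filter) {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter); // must be set before the first readObject()
            Object obj = ois.readObject();
            return "ALLOWED  (" + obj.getClass().getName() + ")";
        } catch (InvalidClassException e) {
            return "REJECTED (" + e.getMessage() + ")";
        } catch (IOException | ClassNotFoundException e) {
            return "ERROR    (" + e + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed payloads. Building a URL does not resolve its host name;
        // that only happens in hashCode()/equals(), e.g. when a URL is a HashMap key.
        Map<String, Serializable> payloads = new LinkedHashMap<>();
        payloads.put("java.net.URL", URI.create("http://example.invalid/").toURL());
        payloads.put("java.lang.String", "hello");
        HashMap<String, Integer> plainMap = new HashMap<>();
        plainMap.put("k", 1);
        payloads.put("java.util.HashMap<String,Integer>", plainMap);
        payloads.put("demo-local Unlisted", new Unlisted());

        String[][] filters = {
            {"old default", OLD_DEFAULT},
            {"new default", NEW_DEFAULT},
            {"mis-ordered", MISORDERED},
        };
        for (String[] f : filters) {
            ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(f[1]);
            System.out.println("== " + f[0] + ": " + f[1]);
            for (Map.Entry<String, Serializable> p : payloads.entrySet()) {
                System.out.printf("  %-36s %s%n", p.getKey(),
                        deserialize(serialize(p.getValue()), filter));
            }
        }
    }
}
```

Under the old default and the mis-ordered variant the {{java.net.URL}} payload is accepted; under the proposed default it is rejected, while the {{String}} and the {{HashMap}} with {{String}} keys are accepted by all three and the demo-local class is rejected by the trailing {{!*}} in every case. A JMS-provider-side allow list or {{jdk.serialFilter}} layered on top changes which filter the stream starts with, but not this ordering rule.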

h3. Compatibility

No public API changes. The endpoint option {{deserializationFilter}} and the 
JVM system property {{jdk.serialFilter}} continue to override this default. 
Users who have a legitimate need to deserialize {{java.net.URL}} (uncommon) can 
opt back in via either override.

h3. Documentation

Add a short note to the 4.21 upgrade guide 
({{docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc}}) that 
the in-code default has been tightened to deny {{java.net.**}}, and recommend 
that production deployments configure a JMS-provider-side allowList (Artemis 
{{deserializationAllowList}}, ActiveMQ Classic 
{{org.apache.activemq.SERIALIZABLE_PACKAGES}}) as the primary mitigation, with 
the in-code filter as defense-in-depth.

----

_Filed by Claude Code on behalf of Andrea Cosentino._



--
This message was sent by Atlassian Jira
(v8.20.10#820010)