[ https://issues.apache.org/jira/browse/CAMEL-23609?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Work on CAMEL-23609 started by Andrea Cosentino.
------------------------------------------------
> Tighten in-code ObjectInputFilter defaults with JEP-290 graph-shape limits
> --------------------------------------------------------------------------
>
> Key: CAMEL-23609
> URL: https://issues.apache.org/jira/browse/CAMEL-23609
> Project: Camel
> Issue Type: Improvement
> Components: camel-cassandraql, camel-consul, camel-infinispan,
> camel-jms, camel-leveldb, camel-mina, camel-netty, camel-netty-http,
> camel-sjms, camel-sql, camel-vertx-http
> Reporter: Andrea Cosentino
> Assignee: Andrea Cosentino
> Priority: Major
> Fix For: 4.21.0
>
>
> Follow-up to the CAMEL-23297 / CAMEL-23319 / CAMEL-23321 / CAMEL-23322 /
> CAMEL-23324 / CAMEL-23372 series, which introduced an in-code default
> {{ObjectInputFilter}} across components that perform Java deserialization
> (aggregation repositories, on-the-wire converters, exchange holders).
> The current in-code default is a class-pattern allowlist:
> {noformat}
> !java.net.**;java.**;javax.**;org.apache.camel.**;!*
> {noformat}
> {{ObjectInputFilter}} (JEP 290) supports additional structural clauses that
> the current defaults do not use: {{maxdepth}}, {{maxrefs}}, {{maxbytes}},
> {{maxarray}}, {{maxinternalrefs}}. Adding conservative values for these to
> the in-code defaults provides defense in depth so that operators who have not
> set {{-Djdk.serialFilter}} still get sensible graph-shape limits out of the
> box.
> Operators retain the existing override path:
> * JVM-wide {{-Djdk.serialFilter}} takes precedence over the Camel default in
> every site that ships one.
> * The configurable repositories and endpoint configurations
> ({{LevelDBAggregationRepository}}, {{JdbcAggregationRepository}},
> {{CassandraAggregationRepository}}, {{ConsulRegistry}}, {{JmsConfiguration}},
> {{SjmsComponent}}, {{NettyHttp}} / {{VertxHttp}} configuration, etc.) already
> expose a {{deserializationFilter}} {{@UriParam}} that lets a route author
> pass a fully custom filter string including the structural clauses.
> Affected default-filter sites:
> * {{components/camel-infinispan/camel-infinispan/.../DefaultExchangeHolderUtils.java}}
> * {{components/camel-jms/.../JmsBinding.java}}
> * {{components/camel-sjms/.../jms/JmsBinding.java}}
> * {{components/camel-mina/.../MinaConverter.java}}
> * {{components/camel-netty/.../NettyConverter.java}}
> * {{components/camel-netty-http/.../NettyHttpHelper.java}}
> * {{components/camel-vertx/camel-vertx-http/.../VertxHttpHelper.java}}
> * {{components/camel-leveldb/.../LevelDBAggregationRepository.java}}
> * {{components/camel-cassandraql/.../CassandraAggregationRepository.java}}
> * {{components/camel-consul/.../ConsulRegistry.java}}
> * {{components/camel-sql/.../JdbcAggregationRepository.java}}
> Proposed defaults (subject to review):
> {noformat}
> !java.net.**;java.**;javax.**;org.apache.camel.**;maxdepth=20;maxrefs=10000;maxbytes=10485760;!*
> {noformat}
> Tests should confirm:
> * Legitimate aggregation payloads continue to deserialize.
> * The new structural clauses are present in the resolved filter.
> * The JVM-wide {{-Djdk.serialFilter}} still takes precedence when set.
> An upgrade-guide entry on {{main}} is required because the tightened defaults
> may reject extremely deep / very-large legitimate payloads on first upgrade.
> The entry should explain the new defaults, list the override options, and
> note that operators can restore the previous behaviour per endpoint via the
> {{deserializationFilter}} option or JVM-wide via {{-Djdk.serialFilter}}.
> h3. Acceptance criteria
> * New defaults applied consistently across all sites above.
> * Tests added at each site asserting that the resolved {{ObjectInputFilter}}
> contains the structural clauses.
> * JVM-wide {{-Djdk.serialFilter}} precedence preserved.
> * Upgrade-guide entry on {{main}} (and the matching
> {{camel-4x-upgrade-guide-4_XX.adoc}} for any backport line that picks this
> up).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
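As an added example (not Camel's or the issue's own code), the Java class below resolves a filter the way the description lays out: a JVM-wide {{-Djdk.serialFilter}} wins, otherwise the proposed in-code default applies, and the {{maxdepth=20}} clause then rejects a constructed 40-level-deep graph while a shallow payload still deserializes. The {{configured}} argument is a hypothetical stand-in for an endpoint's {{deserializationFilter}} option.

```java
import java.io.*;
// Added illustration, not Camel's own code: JVM-wide -Djdk.serialFilter wins,
// otherwise the in-code default applies; maxdepth=20 then rejects a deep graph.
public class SerialFilterExample {
    // Proposed in-code default quoted from the issue.
    static final String CAMEL_DEFAULT =
            "!java.net.**;java.**;javax.**;org.apache.camel.**;"
            + "maxdepth=20;maxrefs=10000;maxbytes=10485760;!*";
    // 'configured' is a hypothetical stand-in for an endpoint's deserializationFilter option.
    static ObjectInputFilter resolveFilter(String configured) {
        ObjectInputFilter jvmWide = ObjectInputFilter.Config.getSerialFilter();
        if (jvmWide != null) {
            return jvmWide; // -Djdk.serialFilter takes precedence over any default
        }
        return ObjectInputFilter.Config.createFilter(
                configured != null ? configured : CAMEL_DEFAULT);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // true if the filter lets the stream through, false if it rejects it
    static boolean accepted(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            ois.readObject();
            return true;
        } catch (InvalidClassException rejected) { // thrown when filter status is REJECTED
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectInputFilter filter = resolveFilter(null);
        Object shallow = new String[] { "a", "b" }; // constructed, legitimate payload
        Object deep = "leaf";
        for (int i = 0; i < 40; i++) {
            deep = new Object[] { deep }; // constructed: 40 levels, deeper than maxdepth=20
        }
        System.out.println("shallow accepted: " + accepted(serialize(shallow), filter));
        System.out.println("deep accepted: " + accepted(serialize(deep), filter));
    }
}
```

Running the class with {{-Djdk.serialFilter=...}} set makes {{resolveFilter}} return that filter unchanged, which is the precedence behaviour the tests in the issue are meant to assert.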