[jira] [Updated] (CAMEL-15577) Camel-stringtemplate: Misleading and incorrect implementation of parameter 'allowTemplateFromHeader'
[ https://issues.apache.org/jira/browse/CAMEL-15577?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jiri Ondrusek updated CAMEL-15577:
--
Description:
There is a difference in implementation of parameter `*allowTemplateFromHeader*` in various templating components and missing implementation in stringtemplate component.

Description from documentation (of "*allowTemplateFromHeader*"):
{quote}Whether to allow to use resource template from header or not (default false). Enabling this allows to specify dynamic templates via message header. However this can be seen as a potential security vulnerability if the header is coming from a malicious user, so use this with care.
{quote}
Common sense says that with this parameter I can send template via header. Which is implemented for example in velocity component (see [https://github.com/apache/camel/blob/master/components/camel-velocity/src/main/java/org/apache/camel/component/velocity/VelocityEndpoint.java#L185])

In stringtemplate component there is only functionality about providing own variable map (see [https://github.com/apache/camel/blob/master/components/camel-stringtemplate/src/main/java/org/apache/camel/component/stringtemplate/StringTemplateEndpoint.java#L104]) - the same functionality in velocity is called 'supplementalContext'

In stringtemplate documentation is a described usage of this custom context map:
{quote}You can define the custom context map by setting the message header "*CamelStringTemplateVariableMap*" just like the below code.
{quote}
Errors:
 # -parameter "*CamelStringTemplateVariableMap*" is applied only when "*allowTemplateFromHeader*" is set to true-
 # there is no way of providing template via header.

Fix should
 # -remove dependency between "*CamelStringTemplateVariableMap*" and "*allowTemplateFromHeader*"-
 # -add a new parameter to allow definition of template via header-

Fix problem with template via header based on other templating components (e.g. velocity)

was:
There is a difference in implementation of parameter `*allowTemplateFromHeader*` in various templating components and missing implementation in stringtemplate component.

Description from documentation (of "*allowTemplateFromHeader*"):
{quote}Whether to allow to use resource template from header or not (default false). Enabling this allows to specify dynamic templates via message header. However this can be seen as a potential security vulnerability if the header is coming from a malicious user, so use this with care.
{quote}
Common sense says that with this parameter I can send template via header. Which is implemented for example in velocity component (see [https://github.com/apache/camel/blob/master/components/camel-velocity/src/main/java/org/apache/camel/component/velocity/VelocityEndpoint.java#L185])

In stringtemplate component there is only functionality about providing own variable map (see [https://github.com/apache/camel/blob/master/components/camel-stringtemplate/src/main/java/org/apache/camel/component/stringtemplate/StringTemplateEndpoint.java#L104]) - the same functionality in velocity is called 'supplementalContext'

In stringtemplate documentation is a described usage of this custom context map:
{quote}You can define the custom context map by setting the message header "*CamelStringTemplateVariableMap*" just like the below code.
{quote}
Errors:
 # -parameter "*CamelStringTemplateVariableMap*" is applied only when "*allowTemplateFromHeader*" is set to true-
 # there is no way of providing template via header.

Fix should
 # r-emove dependency between "*CamelStringTemplateVariableMap*" and "*allowTemplateFromHeader*"-
 # -add a new parameter to allow definition of template via header-

Fix problem with template via header based on other templating components (e.g. velocity)

> Camel-stringtemplate: Misleading and incorrect implementation of parameter
> 'allowTemplateFromHeader'
>
>
> Key: CAMEL-15577
> URL: https://issues.apache.org/jira/browse/CAMEL-15577
> Project: Camel
> Issue Type: Bug
> Components: camel-stringtemplate
> Affects Versions: 3.5.0
> Reporter: Jiri Ondrusek
> Assignee: Jiri Ondrusek
> Priority: Major
>
> There is a difference in implementation of parameter
> `*allowTemplateFromHeader*` in various templating components and missing
> implementation in stringtemplate component.
> Description from documentation (of "*allowTemplateFromHeader*"):
> {quote}Whether to allow to use resource template from header or not (default
> false). Enabling this allows to specify dynamic templates via message header.
> However this can be seen as a potential security vulnerability if the header
> is coming from a malicious user, so use

[jira] [Updated] (CAMEL-15577) Camel-stringtemplate: Misleading and incorrect implementation of parameter 'allowTemplateFromHeader'
[ https://issues.apache.org/jira/browse/CAMEL-15577?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jiri Ondrusek updated CAMEL-15577:
--
Description:
There is a difference in implementation of parameter `*allowTemplateFromHeader*` in various templating components and missing implementation in stringtemplate component.

Description from documentation (of "*allowTemplateFromHeader*"):
{quote}Whether to allow to use resource template from header or not (default false). Enabling this allows to specify dynamic templates via message header. However this can be seen as a potential security vulnerability if the header is coming from a malicious user, so use this with care.
{quote}
Common sense says that with this parameter I can send template via header. Which is implemented for example in velocity component (see [https://github.com/apache/camel/blob/master/components/camel-velocity/src/main/java/org/apache/camel/component/velocity/VelocityEndpoint.java#L185])

In stringtemplate component there is only functionality about providing own variable map (see [https://github.com/apache/camel/blob/master/components/camel-stringtemplate/src/main/java/org/apache/camel/component/stringtemplate/StringTemplateEndpoint.java#L104]) - the same functionality in velocity is called 'supplementalContext'

In stringtemplate documentation is a described usage of this custom context map:
{quote}You can define the custom context map by setting the message header "*CamelStringTemplateVariableMap*" just like the below code.
{quote}
Errors:
 # -parameter "*CamelStringTemplateVariableMap*" is applied only when "*allowTemplateFromHeader*" is set to true-
 # there is no way of providing template via header.

Fix should
 # r-emove dependency between "*CamelStringTemplateVariableMap*" and "*allowTemplateFromHeader*"-
 # -add a new parameter to allow definition of template via header-

Fix problem with template via header based on other templating components (e.g. velocity)

was:
There is a difference in implementation of parameter `*allowTemplateFromHeader*` in various templating components and missing implementation in stringtemplate component.

Description from documentation (of "*allowTemplateFromHeader*"):
{quote}Whether to allow to use resource template from header or not (default false). Enabling this allows to specify dynamic templates via message header. However this can be seen as a potential security vulnerability if the header is coming from a malicious user, so use this with care.
{quote}
Common sense says that with this parameter I can send template via header. Which is implemented for example in velocity component (see [https://github.com/apache/camel/blob/master/components/camel-velocity/src/main/java/org/apache/camel/component/velocity/VelocityEndpoint.java#L185])

In stringtemplate component there is only functionality about providing own variable map (see [https://github.com/apache/camel/blob/master/components/camel-stringtemplate/src/main/java/org/apache/camel/component/stringtemplate/StringTemplateEndpoint.java#L104]) - the same functionality in velocity is called 'supplementalContext'

In stringtemplate documentation is a described usage of this custom context map:
{quote}You can define the custom context map by setting the message header "*CamelStringTemplateVariableMap*" just like the below code.
{quote}
Errors:
 # parameter "*CamelStringTemplateVariableMap*" is applied only when "*allowTemplateFromHeader*" is set to true
 # there is no way of providing template via header.

Fix should
 # remove dependency between "*CamelStringTemplateVariableMap*" and "*allowTemplateFromHeader*"
 # add a new parameter to allow definition of template via header

> Camel-stringtemplate: Misleading and incorrect implementation of parameter
> 'allowTemplateFromHeader'
>
>
> Key: CAMEL-15577
> URL: https://issues.apache.org/jira/browse/CAMEL-15577
> Project: Camel
> Issue Type: Bug
> Components: camel-stringtemplate
> Affects Versions: 3.5.0
> Reporter: Jiri Ondrusek
> Assignee: Jiri Ondrusek
> Priority: Major
>
> There is a difference in implementation of parameter
> `*allowTemplateFromHeader*` in various templating components and missing
> implementation in stringtemplate component.
> Description from documentation (of "*allowTemplateFromHeader*"):
> {quote}Whether to allow to use resource template from header or not (default
> false). Enabling this allows to specify dynamic templates via message header.
> However this can be seen as a potential security vulnerability if the header
> is coming from a malicious user, so use this with care.
> {quote}
> Common sense says that with this parameter I can send template via
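
The gate that the quoted documentation describes, modelled as an added stand-alone Java example; it is not Camel code and not part of the issue. The header name `ExampleTemplate`, the toy `<name>` renderer, the sample values, and the choice to drop the header in both cases are assumptions of this example.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration, not Camel code: a stand-alone model of the header gate.
public class TemplateHeaderGate {
    // Hypothetical header name; a real component defines its own constant.
    static final String TEMPLATE_HEADER = "ExampleTemplate";

    // Returns the template to render. The header may replace the route's
    // configured template only when allowTemplateFromHeader is true.
    static String selectTemplate(Map<String, Object> headers, String configured,
                                 boolean allowTemplateFromHeader) {
        // Remove the header in both cases so it is not forwarded to a later
        // endpoint that might honour it (a choice made by this example).
        Object fromHeader = headers.remove(TEMPLATE_HEADER);
        if (allowTemplateFromHeader && fromHeader instanceof String
                && !((String) fromHeader).isEmpty()) {
            return (String) fromHeader;
        }
        return configured;
    }

    // Toy renderer: replaces <name> with the variable's value. It stands in
    // for the real template engine only to make the difference visible.
    static String render(String template, Map<String, Object> variables) {
        String out = template;
        for (Map.Entry<String, Object> e : variables.entrySet()) {
            out = out.replace("<" + e.getKey() + ">", String.valueOf(e.getValue()));
        }
        return out;
    }

    public static void main(String[] args) {
        String configured = "Hello <user>";               // set by the route author
        Map<String, Object> variables = new HashMap<>();  // constructed sample data
        variables.put("user", "alice");
        variables.put("internalToken", "constructed-secret");

        for (boolean allow : new boolean[] {false, true}) {
            Map<String, Object> headers = new HashMap<>();
            // Constructed header, as if set by the message sender.
            headers.put(TEMPLATE_HEADER, "<user> sees <internalToken>");
            String template = selectTemplate(headers, configured, allow);
            System.out.println("allowTemplateFromHeader=" + allow + " -> "
                    + render(template, variables)
                    + " (header forwarded: " + headers.containsKey(TEMPLATE_HEADER) + ")");
        }
    }
}
```

With the flag off, the sender's header has no effect on the output; with it on, the sender decides which of the exposed variables appear in the rendered text, which is the risk the documentation quote warns about.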