[jira] [Updated] (CAMEL-15577) Camel-stringtemplate: Misleading and incorrect implementation of parameter 'allowTemplateFromHeader'

2020-09-29 Thread Jiri Ondrusek (Jira)


 [ 
https://issues.apache.org/jira/browse/CAMEL-15577?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jiri Ondrusek updated CAMEL-15577:
--
Description: 
There is a difference in implementation of parameter 
`*allowTemplateFromHeader*` in various templating components and missing 
implementation in stringtemplate component.

 Description from documentation (of "*allowTemplateFromHeader*"):
{quote}Whether to allow to use resource template from header or not (default 
false). Enabling this allows to specify dynamic templates via message header. 
However this can be seen as a potential security vulnerability if the header is 
coming from a malicious user, so use this with care.
{quote}
Common sense says that with this parameter I can send a template via header.

This is implemented, for example, in the velocity component (see 
[https://github.com/apache/camel/blob/master/components/camel-velocity/src/main/java/org/apache/camel/component/velocity/VelocityEndpoint.java#L185])

In the stringtemplate component there is only functionality for providing one's own 
variable map (see 
[https://github.com/apache/camel/blob/master/components/camel-stringtemplate/src/main/java/org/apache/camel/component/stringtemplate/StringTemplateEndpoint.java#L104])
 - the same functionality in velocity is called 'supplementalContext'

 The stringtemplate documentation describes the usage of this custom context 
map:
{quote}You can define the custom context map by setting the message header 
"*CamelStringTemplateVariableMap*" just like the below code. 
{quote}
Errors:
 # -parameter "*CamelStringTemplateVariableMap*" is applied only when 
"*allowTemplateFromHeader*" is set to true-
 # there is no way of providing a template via header.

 

Fix should
 # -remove dependency between "*CamelStringTemplateVariableMap*" and 
"*allowTemplateFromHeader*"-
 # -add a new parameter to allow definition of template via header-  Fix 
problem with template via header based on other templating components (e.g. 
velocity)

 

  was:
There is a difference in implementation of parameter 
`*allowTemplateFromHeader*` in various templating components and missing 
implementation in stringtemplate component.

 Description from documentation (of "*allowTemplateFromHeader*"):
{quote}Whether to allow to use resource template from header or not (default 
false). Enabling this allows to specify dynamic templates via message header. 
However this can be seen as a potential security vulnerability if the header is 
coming from a malicious user, so use this with care.
{quote}
Common sense says that with this parameter I can send a template via header.

This is implemented, for example, in the velocity component (see 
[https://github.com/apache/camel/blob/master/components/camel-velocity/src/main/java/org/apache/camel/component/velocity/VelocityEndpoint.java#L185])

In the stringtemplate component there is only functionality for providing one's own 
variable map (see 
[https://github.com/apache/camel/blob/master/components/camel-stringtemplate/src/main/java/org/apache/camel/component/stringtemplate/StringTemplateEndpoint.java#L104])
 - the same functionality in velocity is called 'supplementalContext'

 The stringtemplate documentation describes the usage of this custom context 
map:
{quote}You can define the custom context map by setting the message header 
"*CamelStringTemplateVariableMap*" just like the below code. 
{quote}
Errors:
 # -parameter "*CamelStringTemplateVariableMap*" is applied only when 
"*allowTemplateFromHeader*" is set to true-
 # there is no way of providing a template via header.

 

Fix should
 # r-emove dependency between "*CamelStringTemplateVariableMap*" and 
"*allowTemplateFromHeader*"-
 # -add a new parameter to allow definition of template via header-  Fix 
problem with template via header based on other templating components (e.g. 
velocity)

 


> Camel-stringtemplate: Misleading and incorrect implementation of parameter 
> 'allowTemplateFromHeader'
> 
>
> Key: CAMEL-15577
> URL: https://issues.apache.org/jira/browse/CAMEL-15577
> Project: Camel
> Issue Type: Bug
> Components: camel-stringtemplate
> Affects Versions: 3.5.0
> Reporter: Jiri Ondrusek
> Assignee: Jiri Ondrusek
> Priority: Major
>
> There is a difference in implementation of parameter 
> `*allowTemplateFromHeader*` in various templating components and missing 
> implementation in stringtemplate component.
>  Description from documentation (of "*allowTemplateFromHeader*"):
> {quote}Whether to allow to use resource template from header or not (default 
> false). Enabling this allows to specify dynamic templates via message header. 
> However this can be seen as a potential security vulnerability if the header 
> is coming from a malicious user, so use 

[jira] [Updated] (CAMEL-15577) Camel-stringtemplate: Misleading and incorrect implementation of parameter 'allowTemplateFromHeader'

2020-09-29 Thread Jiri Ondrusek (Jira)


 [ 
https://issues.apache.org/jira/browse/CAMEL-15577?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jiri Ondrusek updated CAMEL-15577:
--
Description: 
There is a difference in implementation of parameter 
`*allowTemplateFromHeader*` in various templating components and missing 
implementation in stringtemplate component.

 Description from documentation (of "*allowTemplateFromHeader*"):
{quote}Whether to allow to use resource template from header or not (default 
false). Enabling this allows to specify dynamic templates via message header. 
However this can be seen as a potential security vulnerability if the header is 
coming from a malicious user, so use this with care.
{quote}
Common sense says that with this parameter I can send a template via header.

This is implemented, for example, in the velocity component (see 
[https://github.com/apache/camel/blob/master/components/camel-velocity/src/main/java/org/apache/camel/component/velocity/VelocityEndpoint.java#L185])

In the stringtemplate component there is only functionality for providing one's own 
variable map (see 
[https://github.com/apache/camel/blob/master/components/camel-stringtemplate/src/main/java/org/apache/camel/component/stringtemplate/StringTemplateEndpoint.java#L104])
 - the same functionality in velocity is called 'supplementalContext'

 The stringtemplate documentation describes the usage of this custom context 
map:
{quote}You can define the custom context map by setting the message header 
"*CamelStringTemplateVariableMap*" just like the below code. 
{quote}
Errors:
 # -parameter "*CamelStringTemplateVariableMap*" is applied only when 
"*allowTemplateFromHeader*" is set to true-
 # there is no way of providing a template via header.

 

Fix should
 # r-emove dependency between "*CamelStringTemplateVariableMap*" and 
"*allowTemplateFromHeader*"-
 # -add a new parameter to allow definition of template via header-  Fix 
problem with template via header based on other templating components (e.g. 
velocity)

 

  was:
There is a difference in implementation of parameter 
`*allowTemplateFromHeader*` in various templating components and missing 
implementation in stringtemplate component.

 Description from documentation (of "*allowTemplateFromHeader*"):
{quote}Whether to allow to use resource template from header or not (default 
false). Enabling this allows to specify dynamic templates via message header. 
However this can be seen as a potential security vulnerability if the header is 
coming from a malicious user, so use this with care.
{quote}
Common sense says that with this parameter I can send a template via header.

This is implemented, for example, in the velocity component (see 
[https://github.com/apache/camel/blob/master/components/camel-velocity/src/main/java/org/apache/camel/component/velocity/VelocityEndpoint.java#L185])

In the stringtemplate component there is only functionality for providing one's own 
variable map (see 
[https://github.com/apache/camel/blob/master/components/camel-stringtemplate/src/main/java/org/apache/camel/component/stringtemplate/StringTemplateEndpoint.java#L104])
 - the same functionality in velocity is called 'supplementalContext'

 The stringtemplate documentation describes the usage of this custom context 
map:
{quote}You can define the custom context map by setting the message header 
"*CamelStringTemplateVariableMap*" just like the below code. 
{quote}
Errors:
 # parameter "*CamelStringTemplateVariableMap*" is applied only when 
"*allowTemplateFromHeader*" is set to true
 # there is no way of providing a template via header.

 

Fix should
 # remove dependency between "*CamelStringTemplateVariableMap*" and 
"*allowTemplateFromHeader*"
 # add a new parameter to allow definition of template via header

 


> Camel-stringtemplate: Misleading and incorrect implementation of parameter 
> 'allowTemplateFromHeader'
> 
>
> Key: CAMEL-15577
> URL: https://issues.apache.org/jira/browse/CAMEL-15577
> Project: Camel
> Issue Type: Bug
> Components: camel-stringtemplate
> Affects Versions: 3.5.0
> Reporter: Jiri Ondrusek
> Assignee: Jiri Ondrusek
> Priority: Major
>
> There is a difference in implementation of parameter 
> `*allowTemplateFromHeader*` in various templating components and missing 
> implementation in stringtemplate component.
>  Description from documentation (of "*allowTemplateFromHeader*"):
> {quote}Whether to allow to use resource template from header or not (default 
> false). Enabling this allows to specify dynamic templates via message header. 
> However this can be seen as a potential security vulnerability if the header 
> is coming from a malicious user, so use this with care.
> {quote}
> Common sense says that with this parameter I can send template via
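
A minimal plain-Java model of the gating described in the issue, added here as an illustration and not Camel's code: `reported` ties `CamelStringTemplateVariableMap` to `allowTemplateFromHeader`, while `intended` applies the variable map unconditionally and lets the flag decide only whether a header-supplied template is used. The `ExampleTemplateHeader` name, the `<key>` toy renderer and the sample values are assumptions of this example.

```java
import java.util.HashMap;
import java.util.Map;

public class TemplateHeaderGate {
    // Header name quoted in the issue.
    static final String VARIABLE_MAP = "CamelStringTemplateVariableMap";
    // Hypothetical header name for a header-supplied template (not from the issue).
    static final String TEMPLATE = "ExampleTemplateHeader";
    static final Map<String, Object> DEFAULTS = Map.of("name", "default");

    // Toy stand-in for the template engine: replaces <key> with the variable's value.
    static String render(String template, Map<?, ?> vars) {
        String out = template;
        for (Map.Entry<?, ?> e : vars.entrySet()) {
            out = out.replace("<" + e.getKey() + ">", String.valueOf(e.getValue()));
        }
        return out;
    }

    // Reported behaviour: the flag gates the variable map; a template header is never read.
    static String reported(String configured, Map<String, Object> headers, boolean allowTemplateFromHeader) {
        Object custom = headers.get(VARIABLE_MAP);
        Map<?, ?> vars = (allowTemplateFromHeader && custom instanceof Map) ? (Map<?, ?>) custom : DEFAULTS;
        return render(configured, vars);
    }

    // Intended behaviour: the variable map is independent of the flag; the flag gates only the template.
    static String intended(String configured, Map<String, Object> headers, boolean allowTemplateFromHeader) {
        Object custom = headers.get(VARIABLE_MAP);
        Map<?, ?> vars = (custom instanceof Map) ? (Map<?, ?>) custom : DEFAULTS;
        // Choice made for this example: always drop the template header so it is not forwarded downstream.
        Object fromHeader = headers.remove(TEMPLATE);
        boolean useHeader = allowTemplateFromHeader && fromHeader instanceof String;
        return render(useHeader ? (String) fromHeader : configured, vars);
    }

    public static void main(String[] args) {
        for (boolean flag : new boolean[] {false, true}) {
            // Constructed sample message headers.
            Map<String, Object> headers = new HashMap<>();
            headers.put(VARIABLE_MAP, Map.of("name", "custom"));
            headers.put(TEMPLATE, "From header: <name>");
            String before = reported("Configured: <name>", new HashMap<>(headers), flag);
            String after = intended("Configured: <name>", new HashMap<>(headers), flag);
            System.out.println("flag=" + flag + " reported=[" + before + "] intended=[" + after + "]");
        }
    }
}
```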