This is an automated email from the ASF dual-hosted git repository.

acosentino pushed a commit to branch camel-4.18.x
in repository https://gitbox.apache.org/repos/asf/camel.git


The following commit(s) were added to refs/heads/camel-4.18.x by this push:
     new 4e3f709b97ae CAMEL-23029 - Camel-Consul: Add ObjectInputFilter String 
pattern parameter in ConsulRegistry to be used in deserialize operations 
(#21531)
4e3f709b97ae is described below

commit 4e3f709b97aef3ed99e3a52a99c752b37b104063
Author: Andrea Cosentino <[email protected]>
AuthorDate: Wed Feb 18 15:06:00 2026 +0100

    CAMEL-23029 - Camel-Consul: Add ObjectInputFilter String pattern parameter 
in ConsulRegistry to be used in deserialize operations (#21531)
    
    Signed-off-by: Andrea Cosentino <[email protected]>
---
 .../camel/component/consul/ConsulRegistry.java     | 51 ++++++++++++++++++----
 .../component/consul/ConsulRegistryUtilsTest.java  |  5 ++-
 2 files changed, 45 insertions(+), 11 deletions(-)

diff --git 
a/components/camel-consul/src/main/java/org/apache/camel/component/consul/ConsulRegistry.java
 
b/components/camel-consul/src/main/java/org/apache/camel/component/consul/ConsulRegistry.java
index cbbf4ccd8cea..825ba64faf8c 100644
--- 
a/components/camel-consul/src/main/java/org/apache/camel/component/consul/ConsulRegistry.java
+++ 
b/components/camel-consul/src/main/java/org/apache/camel/component/consul/ConsulRegistry.java
@@ -19,6 +19,7 @@ package org.apache.camel.component.consul;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.io.ObjectInputFilter;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 import java.io.Serializable;
@@ -52,6 +53,7 @@ public class ConsulRegistry implements Registry {
     private int port = 8500;
     private Consul consul;
     private KeyValueClient kvClient;
+    private String deserializationFilter = "java.**;org.apache.camel.**;!*";
 
     /* constructor with default port */
     public ConsulRegistry(String hostname) {
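Review bot: The default pattern on the new `deserializationFilter` field allows every class under `java.**` and `org.apache.camel.**` and sets no resource limits, which is a wide allowlist for bytes read back from a Consul KV store. The pattern syntax accepted by `ObjectInputFilter.Config.createFilter` also supports `maxdepth=`, `maxrefs=`, `maxbytes=` and `maxarray=`, so the default could bound the object graph as well, e.g. `"maxdepth=<DEPTH>;maxbytes=<BYTES>;java.**;org.apache.camel.**;!*"` with limits chosen for the registry's expected payloads. A short comment on the field would also help anyone narrowing it, e.g. `// JDK serial-filter pattern; the trailing !* rejects every class not matched earlier`. The class body continues outside this hunk.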
@@ -70,6 +72,9 @@ public class ConsulRegistry implements Registry {
         this.hostname = builder.hostname;
         this.port = builder.port;
         this.consul = Consul.builder().withUrl("http://"; + this.hostname + ":" 
+ this.port).build();
+        if (builder.deserializationFilter != null) {
+            this.deserializationFilter = builder.deserializationFilter;
+        }
     }
 
     @Override
@@ -80,7 +85,7 @@ public class ConsulRegistry implements Registry {
 
         return kvClient.getValueAsString(key).map(result -> {
             byte[] postDecodedValue = ConsulRegistryUtils.decodeBase64(result);
-            return ConsulRegistryUtils.deserialize(postDecodedValue);
+            return ConsulRegistryUtils.deserialize(postDecodedValue, 
deserializationFilter);
         }).orElse(null);
     }
 
@@ -219,7 +224,7 @@ public class ConsulRegistry implements Registry {
         if (lookupByName(key) != null) {
             remove(key);
         }
-        Object clone = ConsulRegistryUtils.clone((Serializable) object);
+        Object clone = ConsulRegistryUtils.clone((Serializable) object, 
deserializationFilter);
         byte[] serializedObject = ConsulRegistryUtils.serialize((Serializable) 
clone);
         // pre-encode due native encoding issues
         String value = ConsulRegistryUtils.encodeBase64(serializedObject);
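Review bot: In `put`, the clone now runs the caller's own object through the read filter, so binding an instance of a class the pattern does not allow will presumably fail here with a `RuntimeCamelException` instead of being stored. That fail-fast behaviour is reasonable, since nothing is written that `lookupByName` could not read back, but it is a behaviour change for existing users and nothing in the hunk says so. I would add a comment above the clone line such as `// clone is filtered too: classes outside deserializationFilter are rejected before anything is written to Consul`. The method starts and ends outside this hunk.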
@@ -239,6 +244,7 @@ public class ConsulRegistry implements Registry {
         String hostname;
         // optional parameter
         Integer port = 8500;
+        String deserializationFilter;
 
         public Builder(String hostname) {
             this.hostname = hostname;
@@ -249,6 +255,11 @@ public class ConsulRegistry implements Registry {
             return this;
         }
 
+        public Builder deserializationFilter(String deserializationFilter) {
+            this.deserializationFilter = deserializationFilter;
+            return this;
+        }
+
         public ConsulRegistry build() {
             return new ConsulRegistry(this);
         }
@@ -270,6 +281,23 @@ public class ConsulRegistry implements Registry {
         this.port = port;
     }
 
+    /**
+     * Gets the deserialization filter applied when reading objects from 
Consul KV store.
+     */
+    public String getDeserializationFilter() {
+        return deserializationFilter;
+    }
+
+    /**
+     * Sets a deserialization filter while reading objects from Consul KV 
store. By default the filter will allow all
+     * java packages and subpackages and all org.apache.camel packages and 
subpackages, while the remaining will be
+     * blacklisted and not deserialized. This parameter should be customized 
if you're using classes you trust to be
+     * deserialized.
+     */
+    public void setDeserializationFilter(String deserializationFilter) {
+        this.deserializationFilter = deserializationFilter;
+    }
+
     static final class ConsulRegistryUtils {
 
         private ConsulRegistryUtils() {
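Review bot: `setDeserializationFilter` stores the string without parsing it, so a malformed pattern is only discovered on the first lookup. There `ObjectInputFilter.Config.createFilter` throws `IllegalArgumentException`, which the `catch (IOException | ClassNotFoundException e)` in `deserialize` does not wrap. Parsing a non-null value once in the setter, with `ObjectInputFilter.Config.createFilter(deserializationFilter);` before the assignment, would reject a bad pattern at configuration time; the same applies to `Builder.deserializationFilter`. The Javadoc could also say that the value uses the JDK serial-filter pattern syntax, and "blacklisted" would read better as "rejected".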
@@ -300,11 +328,15 @@ public class ConsulRegistry implements Registry {
         /**
          * Deserializes an object out of the given byte array.
          *
-         * @param  bytes the byte array to deserialize from
-         * @return       an {@link Object} deserialized from the given byte 
array
+         * @param  bytes                 the byte array to deserialize from
+         * @param  deserializationFilter the deserialization filter to apply 
(e.g. "java.**;org.apache.camel.**;!*")
+         * @return                       an {@link Object} deserialized from 
the given byte array
          */
-        static Object deserialize(byte[] bytes) {
+        static Object deserialize(byte[] bytes, String deserializationFilter) {
             try (ObjectInputStream in = new ObjectInputStream(new 
ByteArrayInputStream(bytes))) {
+                if (deserializationFilter != null && 
!deserializationFilter.isEmpty()) {
+                    
in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(deserializationFilter));
+                }
                 return in.readObject();
             } catch (IOException | ClassNotFoundException e) {
                 throw new RuntimeCamelException(e);
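Review bot: The guard `deserializationFilter != null && !deserializationFilter.isEmpty()` fails open: a null or empty pattern skips `setObjectInputFilter`, so the stream is read with no stream-specific filter and only a JVM-wide `jdk.serialFilter`, if one is configured, still applies. `setDeserializationFilter(null)` and `setDeserializationFilter("")` reach this path, and so does `Builder.deserializationFilter("")`, because the constructor keeps the default only when the builder value is null. Since the commit's purpose is filtering by default, I would treat a missing pattern as an error, `if (deserializationFilter == null || deserializationFilter.isBlank()) { throw new IllegalArgumentException("deserializationFilter must not be empty"); }`, or fall back to the default pattern in the setter and constructor. The method's closing lines are outside the hunk.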
@@ -314,11 +346,12 @@ public class ConsulRegistry implements Registry {
         /**
          * A deep serialization based clone
          *
-         * @param  object the object to clone
-         * @return        a deep clone
+         * @param  object                the object to clone
+         * @param  deserializationFilter the deserialization filter to apply
+         * @return                       a deep clone
          */
-        static Object clone(Serializable object) {
-            return deserialize(serialize(object));
+        static Object clone(Serializable object, String deserializationFilter) 
{
+            return deserialize(serialize(object), deserializationFilter);
         }
 
         /**
diff --git 
a/components/camel-consul/src/test/java/org/apache/camel/component/consul/ConsulRegistryUtilsTest.java
 
b/components/camel-consul/src/test/java/org/apache/camel/component/consul/ConsulRegistryUtilsTest.java
index 696a7ada8347..0aba6a2074ba 100644
--- 
a/components/camel-consul/src/test/java/org/apache/camel/component/consul/ConsulRegistryUtilsTest.java
+++ 
b/components/camel-consul/src/test/java/org/apache/camel/component/consul/ConsulRegistryUtilsTest.java
@@ -33,9 +33,10 @@ public class ConsulRegistryUtilsTest {
 
     @Test
     public void encodeDecode() {
+        final String filter = "java.**;org.apache.camel.**;!*";
         final List<String> src = Arrays.asList("one", "\u0434\u0432\u0430", 
"t\u0159i");
         final byte[] serialized = ConsulRegistryUtils.serialize((Serializable) 
src);
-        assertEquals(src, ConsulRegistryUtils.deserialize(serialized));
+        assertEquals(src, ConsulRegistryUtils.deserialize(serialized, filter));
         final String encoded = ConsulRegistryUtils.encodeBase64(serialized);
         
assertEquals("rO0ABXNyABpqYXZhLnV0aWwuQXJyYXlzJEFycmF5TGlzdNmkPL7NiAbSAgABWwABYXQAE1tMamF2YS9sYW5nL09iamVjdDt4"
                      + 
"cHVyABNbTGphdmEubGFuZy5TdHJpbmc7rdJW5+kde0cCAAB4cAAAAAN0AANvbmV0AAbQtNCy0LB0AAR0xZlp",
@@ -53,7 +54,7 @@ public class ConsulRegistryUtilsTest {
                         -48, -76, -48, -78, -48, -80, 116, 0,
                         4, 116, -59, -103, 105 },
                 decoded);
-        assertEquals(src, ConsulRegistryUtils.deserialize(decoded));
+        assertEquals(src, ConsulRegistryUtils.deserialize(decoded, filter));
     }
 
 }
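Review bot: Both updated assertions in `encodeDecode` exercise only the accept path, so the test would still pass if `deserialize` ignored its new `deserializationFilter` argument. A second test should serialize a value whose class is outside a narrow pattern and assert that the read is refused. The sketch below assumes JUnit 5's `assertThrows` is available in this test class and that the rejection surfaces as the `RuntimeCamelException` thrown by `deserialize`.

```java
@Test
public void deserializeRejectsClassOutsideFilter() {
    // java.util.Arrays$ArrayList is not matched by java.lang.* and falls through to !*
    final byte[] serialized = ConsulRegistryUtils.serialize((Serializable) Arrays.asList("one"));
    assertThrows(RuntimeCamelException.class,
            () -> ConsulRegistryUtils.deserialize(serialized, "java.lang.*;!*"));
}
```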
