oscerd opened a new pull request, #22490:
URL: https://github.com/apache/camel/pull/22490

   ## Summary
   
   _Claude Code on behalf of Andrea Cosentino_
   
   Adds `ObjectInputFilter` support to camel-netty's deserialization paths to restrict which classes can be instantiated during Java deserialization of network data.
   
   ### Changes:
   
   - **NettyConverter.toObjectInput()**: Applies a default `ObjectInputFilter` (`java.**;javax.**;org.apache.camel.**;!*`) when converting `ByteBuf` to `ObjectInput`. Respects JVM-wide filter (`jdk.serialFilter`) if already set.
   - **ObjectDecoder**: Reimplemented to support `ObjectInputFilter`. Compatible with Netty's `CompactObjectOutputStream` wire format. Accepts an optional `deserializationFilter` pattern. Logs a warning when no filter is configured.
   - **DatagramPacketObjectDecoder**: New constructor accepting `deserializationFilter`, passed through to `ObjectDecoder`.
   
   ### Migration notes:
   
   - `ObjectDecoder` no longer extends `io.netty.handler.codec.serialization.ObjectDecoder` — it now extends `LengthFieldBasedFrameDecoder` directly with a custom `CompactFilteringObjectInputStream` that handles Netty's compact wire format. Wire compatibility is maintained.
   - Existing code using `new ObjectDecoder(classResolver)` continues to work but will log a warning about missing deserialization filter. Use `new ObjectDecoder(classResolver, filterPattern)` to suppress the warning and restrict allowed classes.
   
   Fixes: https://issues.apache.org/jira/browse/CAMEL-23297
   
   ## Test plan
   
   - [x] `ObjectSerializationTest` passes (both failure-by-default and allowed-via-decoder cases)
   - [x] `NettyConverterTest` passes
   - [x] No regressions in existing tests
   
   
   🤖 Generated with [Claude Code](https://claude.com/claude-code)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
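
An added example, not code from this pull request or from Camel: a plain `ObjectInputStream` (Java 9+) using the default pattern quoted in the description, with a `java.util` payload accepted and a class outside the allow-list rejected. The names `FilterDemo` and `Untrusted` are hypothetical, the `getSerialFilter() == null` check is an assumption about what respecting `jdk.serialFilter` means, and Netty's compact wire format is not reproduced.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class FilterDemo {
    // Pattern quoted in the PR description as the NettyConverter default.
    static final String PATTERN = "java.**;javax.**;org.apache.camel.**;!*";

    // Constructed stand-in for an application class outside the allow-list.
    static class Untrusted implements Serializable {
        private static final long serialVersionUID = 1L;
        String value = "x";
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            // Assumption: keep a JVM-wide filter (-Djdk.serialFilter=...) if one
            // is set; otherwise apply the default pattern to this stream only.
            if (ObjectInputFilter.Config.getSerialFilter() == null) {
                ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(PATTERN));
            }
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // java.util.ArrayList and java.lang.String match "java.**": accepted.
        List<String> ok = new ArrayList<>(List.of("a", "b"));
        System.out.println("allowed: " + deserialize(serialize(ok)));
        try {
            // FilterDemo$Untrusted matches no allow entry, so "!*" rejects it
            // before any instance of the class is created.
            deserialize(serialize(new Untrusted()));
            System.out.println("unexpected: Untrusted was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```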