davsclaus opened a new pull request, #23143: URL: https://github.com/apache/camel/pull/23143
## Summary Improves documentation and adds security policy enforcement for the `strictHostKeyChecking` parameter in the SFTP component, as requested in [CAMEL-23404](https://issues.apache.org/jira/browse/CAMEL-23404). ## Changes ### 1. Security Annotation (`BaseSftpConfiguration.java`) - Added `security = "insecure:ssl"` to the `strictHostKeyChecking` parameter annotation - Enhanced the description to explicitly warn about MITM vulnerability when set to `no` - This enables the security policy framework to warn/fail when strictHostKeyChecking=no is used in production ### 2. Documentation (`sftp-component.adoc`) - Added new "Security Best Practices: Host Key Verification" section - Included WARNING admonition about the insecure default (`strictHostKeyChecking=no`) - Provided multiple examples showing secure configuration patterns: - Using `knownHostsFile` with `strictHostKeyChecking=yes` - Using `knownHostsUri` for classpath-loaded known hosts - Relying on `~/.ssh/known_hosts` (default behavior) - Explained the relationship with the security policy enforcement framework ### 3. Generated Metadata (`sftp.json`) - Regenerated component metadata to include the `security: "insecure:ssl"` attribute - Updated parameter description in the JSON metadata ## Test Plan - [x] Built camel-ftp-common and camel-ftp modules successfully - [x] Unit tests pass (56 tests run, 0 failures) - [x] Code generation executed successfully - [x] Verified generated JSON includes security attribute - [ ] Manual verification: test SFTP connection with `strictHostKeyChecking=yes` (requires SFTP server) - [ ] Security policy framework integration test (requires `camel.security.insecureSslPolicy=fail`) ## Documentation Documentation has been enhanced with: - Clear warning about the security implications of the default value - Multiple secure configuration examples - Explanation of host key verification - Links to security policy framework documentation 🤖 Generated with [Claude Code](https://claude.com/claude-code) on behalf of Claus Ibsen -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
