Croway opened a new pull request, #23551: URL: https://github.com/apache/camel/pull/23551
## Summary Backport of #23535 to `camel-4.18.x`. - Filter LLM tool argument field names against the tool's declared parameter schema before setting them as Exchange headers - Affects `camel-langchain4j-tools`, `camel-langchain4j-agent`, and `camel-spring-ai-tools` - Undeclared field names are logged at WARN level and skipped - Fixes raw `JsonNode` header values in `camel-langchain4j-agent` (now properly extracts Java primitives) - Adds upgrade guide entry documenting the behavior change This is a security hardening measure to prevent prompt-injection attacks from injecting arbitrary Camel control headers (such as `CamelFileName`, `CamelSqlQuery`, `CamelHttpUri`) via crafted tool call arguments. ## Test plan - [x] `LangChain4jToolTest.testUndeclaredToolArgumentsAreNotPropagatedAsHeaders` — verifies undeclared args are blocked - [x] All existing langchain4j-tools tests pass (10/10) - [x] `camel-langchain4j-agent` module compiles successfully _Claude Code on behalf of Federico Mariani_ -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
