This is an automated email from the ASF dual-hosted git repository.
oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git
The following commit(s) were added to refs/heads/main by this push:
new 20bf8b60d2fc CAMEL-23786: block unsafe polymorphic base types by
default in camel-jackson data format
20bf8b60d2fc is described below
commit 20bf8b60d2fcc89cda903301a418d47e3d27fc4c
Author: Andrea Cosentino <[email protected]>
AuthorDate: Fri Jun 19 18:02:41 2026 +0200
CAMEL-23786: block unsafe polymorphic base types by default in
camel-jackson data format
Closes #24134.
---
.../camel/component/jackson/JacksonDataFormat.java | 8 +++-
.../JacksonDataFormatPolymorphicHardeningTest.java | 50 ++++++++++++++++++++++
.../ROOT/pages/camel-4x-upgrade-guide-4_14.adoc | 12 ++++++
.../ROOT/pages/camel-4x-upgrade-guide-4_18.adoc | 12 ++++++
.../ROOT/pages/camel-4x-upgrade-guide-4_21.adoc | 12 ++++++
5 files changed, 93 insertions(+), 1 deletion(-)
diff --git
a/components/camel-jackson/src/main/java/org/apache/camel/component/jackson/JacksonDataFormat.java
b/components/camel-jackson/src/main/java/org/apache/camel/component/jackson/JacksonDataFormat.java
index 20cd860cbf78..1ff4cd689f45 100644
---
a/components/camel-jackson/src/main/java/org/apache/camel/component/jackson/JacksonDataFormat.java
+++
b/components/camel-jackson/src/main/java/org/apache/camel/component/jackson/JacksonDataFormat.java
@@ -17,7 +17,9 @@
package org.apache.camel.component.jackson;
import com.fasterxml.jackson.core.StreamReadConstraints;
+import com.fasterxml.jackson.databind.MapperFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.json.JsonMapper;
import org.apache.camel.spi.Metadata;
import org.apache.camel.spi.annotations.Dataformat;
import org.slf4j.Logger;
@@ -85,7 +87,11 @@ public class JacksonDataFormat extends
AbstractJacksonDataFormat {
@Override
protected ObjectMapper createNewObjectMapper() {
- ObjectMapper om = new ObjectMapper();
+ // Enable BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES by default as
defense-in-depth against gadget-chain
+ // deserialization when polymorphic typing is enabled, consistent with
transform/Json.java.
+ ObjectMapper om = JsonMapper.builder()
+ .enable(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES)
+ .build();
int len = getMaxStringLength();
if (len > 0) {
LOG.debug("Creating ObjectMapper with maxStringLength: {}", len);
diff --git
a/components/camel-jackson/src/test/java/org/apache/camel/component/jackson/JacksonDataFormatPolymorphicHardeningTest.java
b/components/camel-jackson/src/test/java/org/apache/camel/component/jackson/JacksonDataFormatPolymorphicHardeningTest.java
new file mode 100644
index 000000000000..9865f31574bb
--- /dev/null
+++
b/components/camel-jackson/src/test/java/org/apache/camel/component/jackson/JacksonDataFormatPolymorphicHardeningTest.java
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.camel.component.jackson;
+
+import com.fasterxml.jackson.databind.MapperFeature;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.camel.impl.DefaultCamelContext;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+/**
+ * Verifies that the ObjectMapper created by {@link JacksonDataFormat} enables
+ * {@link MapperFeature#BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES} by default — the
Jackson mechanism that refuses unsafe
+ * polymorphic base types (e.g. Object/Serializable) when polymorphic/default
typing is enabled, as defense-in-depth
+ * against gadget-chain deserialization.
+ */
+public class JacksonDataFormatPolymorphicHardeningTest {
+
+ @Test
+ void blockUnsafePolymorphicBaseTypesEnabledByDefault() throws Exception {
+ try (DefaultCamelContext context = new DefaultCamelContext()) {
+ context.start();
+ JacksonDataFormat df = new JacksonDataFormat();
+ // force createNewObjectMapper() rather than a registry-provided
mapper
+ df.setUseDefaultObjectMapper(false);
+ df.setCamelContext(context);
+ df.start();
+ ObjectMapper om = df.getObjectMapper();
+ assertNotNull(om);
+
assertTrue(om.isEnabled(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES),
+ "camel-jackson data format must enable
BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES by default");
+ }
+ }
+}
diff --git
a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_14.adoc
b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_14.adoc
index d8e8c3713283..a7153e3f49a5 100644
--- a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_14.adoc
+++ b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_14.adoc
@@ -13,6 +13,18 @@ See the xref:camel-upgrade-recipes-tool.adoc[documentation]
page for details.
== Upgrading from 4.14.3 to 4.14.8
+=== camel-jackson - potential breaking change
+
+The `camel-jackson` data format now creates its default `ObjectMapper` with
+`MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES` enabled, consistent with
the mapper used by the
+component's JSON data-type transformer. This is defense-in-depth against
gadget-chain deserialization: when
+polymorphic / default typing is enabled, Jackson refuses unsafe base types
(such as `Object`, `Serializable`
+or `Comparable`).
+
+This only affects routes that enable polymorphic / default typing on an unsafe
base type; ordinary
+marshalling and unmarshalling are unchanged. If you rely on that behaviour,
supply your own `ObjectMapper`
+(via the `objectMapper` option or the registry) configured without this
feature.
+
=== camel-oauth
`UserProfile` token verification now fails closed when no JWK set is
available: a signed token can no
diff --git
a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_18.adoc
b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_18.adoc
index 2da191da341b..f483d39099fc 100644
--- a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_18.adoc
+++ b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_18.adoc
@@ -13,6 +13,18 @@ See the xref:camel-upgrade-recipes-tool.adoc[documentation]
page for details.
== Upgrading from 4.18.1 to 4.18.3
+=== camel-jackson - potential breaking change
+
+The `camel-jackson` data format now creates its default `ObjectMapper` with
+`MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES` enabled, consistent with
the mapper used by the
+component's JSON data-type transformer. This is defense-in-depth against
gadget-chain deserialization: when
+polymorphic / default typing is enabled, Jackson refuses unsafe base types
(such as `Object`, `Serializable`
+or `Comparable`).
+
+This only affects routes that enable polymorphic / default typing on an unsafe
base type; ordinary
+marshalling and unmarshalling are unchanged. If you rely on that behaviour,
supply your own `ObjectMapper`
+(via the `objectMapper` option or the registry) configured without this
feature.
+
=== camel-oauth
`UserProfile` token verification now fails closed when no JWK set is
available: a signed token can no
diff --git
a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc
b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc
index 762f7f8a4340..eb06df2d01e4 100644
--- a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc
+++ b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc
@@ -2547,6 +2547,18 @@ If your Schematron rules legitimately reference an
external DTD, external entity
those references will no longer be resolved and rule compilation will fail;
inline the referenced content
instead.
+=== camel-jackson - potential breaking change
+
+The `camel-jackson` data format now creates its default `ObjectMapper` with
+`MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES` enabled, consistent with
the mapper used by the
+component's JSON data-type transformer. This is defense-in-depth against
gadget-chain deserialization: when
+polymorphic / default typing is enabled, Jackson refuses unsafe base types
(such as `Object`, `Serializable`
+or `Comparable`).
+
+This only affects routes that enable polymorphic / default typing on an unsafe
base type; ordinary
+marshalling and unmarshalling are unchanged. If you rely on that behaviour,
supply your own `ObjectMapper`
+(via the `objectMapper` option or the registry) configured without this
feature.
+
=== camel-diagram: Embeddable web component
A new `<camel-route-diagram>` web component is now bundled inside
`camel-diagram.jar`
