This is an automated email from the ASF dual-hosted git repository.
oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git
The following commit(s) were added to refs/heads/main by this push:
new b4861b079a03 CAMEL-23787: block unsafe polymorphic base types by
default in camel-jacksonxml XmlMapper
b4861b079a03 is described below
commit b4861b079a03923dc2b01784f09c9d35e17ca084
Author: Andrea Cosentino <[email protected]>
AuthorDate: Mon Jun 22 15:18:36 2026 +0200
CAMEL-23787: block unsafe polymorphic base types by default in
camel-jacksonxml XmlMapper
The camel-jacksonxml data format now creates its default XmlMapper with
MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES enabled, mirroring the
hardening applied to camel-jackson (CAMEL-23786). Defense-in-depth against
gadget-chain deserialization when polymorphic / default typing is enabled;
ordinary marshalling/unmarshalling is unchanged.
Closes #24177
---
.../component/jacksonxml/JacksonXMLDataFormat.java | 6 ++-
...cksonXMLDataFormatPolymorphicHardeningTest.java | 48 ++++++++++++++++++++++
.../ROOT/pages/camel-4x-upgrade-guide-4_14.adoc | 11 +++++
.../ROOT/pages/camel-4x-upgrade-guide-4_18.adoc | 11 +++++
.../ROOT/pages/camel-4x-upgrade-guide-4_21.adoc | 11 +++++
5 files changed, 86 insertions(+), 1 deletion(-)
diff --git
a/components/camel-jacksonxml/src/main/java/org/apache/camel/component/jacksonxml/JacksonXMLDataFormat.java
b/components/camel-jacksonxml/src/main/java/org/apache/camel/component/jacksonxml/JacksonXMLDataFormat.java
index 9b1097c80f9c..5e4567427e42 100644
---
a/components/camel-jacksonxml/src/main/java/org/apache/camel/component/jacksonxml/JacksonXMLDataFormat.java
+++
b/components/camel-jacksonxml/src/main/java/org/apache/camel/component/jacksonxml/JacksonXMLDataFormat.java
@@ -542,7 +542,11 @@ public class JacksonXMLDataFormat extends ServiceSupport
}
protected XmlMapper createNewXmlMapper() {
- XmlMapper xm = new XmlMapper();
+ // Enable BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES by default as
defense-in-depth against gadget-chain
+ // deserialization when polymorphic typing is enabled, consistent with
camel-jackson (CAMEL-23786).
+ XmlMapper xm = XmlMapper.builder()
+ .enable(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES)
+ .build();
int len = getMaxStringLength();
if (len > 0) {
LOG.debug("Creating XmlMapper with maxStringLength: {}", len);
diff --git
a/components/camel-jacksonxml/src/test/java/org/apache/camel/component/jacksonxml/JacksonXMLDataFormatPolymorphicHardeningTest.java
b/components/camel-jacksonxml/src/test/java/org/apache/camel/component/jacksonxml/JacksonXMLDataFormatPolymorphicHardeningTest.java
new file mode 100644
index 000000000000..519a6b4def1e
--- /dev/null
+++
b/components/camel-jacksonxml/src/test/java/org/apache/camel/component/jacksonxml/JacksonXMLDataFormatPolymorphicHardeningTest.java
@@ -0,0 +1,48 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.camel.component.jacksonxml;
+
+import com.fasterxml.jackson.databind.MapperFeature;
+import com.fasterxml.jackson.dataformat.xml.XmlMapper;
+import org.apache.camel.impl.DefaultCamelContext;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+/**
+ * Verifies that the XmlMapper created by {@link JacksonXMLDataFormat} enables
+ * {@link MapperFeature#BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES} by default — the
Jackson mechanism that refuses unsafe
+ * polymorphic base types (e.g. Object/Serializable) when polymorphic/default
typing is enabled, as defense-in-depth
+ * against gadget-chain deserialization.
+ */
+public class JacksonXMLDataFormatPolymorphicHardeningTest {
+
+ @Test
+ void blockUnsafePolymorphicBaseTypesEnabledByDefault() throws Exception {
+ try (DefaultCamelContext context = new DefaultCamelContext()) {
+ context.start();
+ JacksonXMLDataFormat df = new JacksonXMLDataFormat();
+ df.setCamelContext(context);
+ df.start();
+ XmlMapper xm = df.getXmlMapper();
+ assertNotNull(xm);
+
assertTrue(xm.isEnabled(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES),
+ "camel-jacksonxml data format must enable
BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES by default");
+ }
+ }
+}
diff --git
a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_14.adoc
b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_14.adoc
index 9c3d8a44f813..e11c7c4b5b0e 100644
--- a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_14.adoc
+++ b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_14.adoc
@@ -25,6 +25,17 @@ This only affects routes that enable polymorphic / default
typing on an unsafe b
marshalling and unmarshalling are unchanged. If you rely on that behaviour,
supply your own `ObjectMapper`
(via the `objectMapper` option or the registry) configured without this
feature.
+=== camel-jacksonxml - potential breaking change
+
+The `camel-jacksonxml` data format now creates its default `XmlMapper` with
+`MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES` enabled, mirroring the
same hardening applied to
+`camel-jackson`. This is defense-in-depth against gadget-chain
deserialization: when polymorphic / default
+typing is enabled, Jackson refuses unsafe base types (such as `Object`,
`Serializable` or `Comparable`).
+
+This only affects routes that enable polymorphic / default typing on an unsafe
base type; ordinary
+marshalling and unmarshalling are unchanged. If you rely on that behaviour,
supply your own `XmlMapper`
+(via the `xmlMapper` option) configured without this feature.
+
=== camel-oauth
`UserProfile` token verification now fails closed when no JWK set is
available: a signed token can no
diff --git
a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_18.adoc
b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_18.adoc
index cf6a89fd6f47..6b73180ce563 100644
--- a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_18.adoc
+++ b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_18.adoc
@@ -25,6 +25,17 @@ This only affects routes that enable polymorphic / default
typing on an unsafe b
marshalling and unmarshalling are unchanged. If you rely on that behaviour,
supply your own `ObjectMapper`
(via the `objectMapper` option or the registry) configured without this
feature.
+=== camel-jacksonxml - potential breaking change
+
+The `camel-jacksonxml` data format now creates its default `XmlMapper` with
+`MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES` enabled, mirroring the
same hardening applied to
+`camel-jackson`. This is defense-in-depth against gadget-chain
deserialization: when polymorphic / default
+typing is enabled, Jackson refuses unsafe base types (such as `Object`,
`Serializable` or `Comparable`).
+
+This only affects routes that enable polymorphic / default typing on an unsafe
base type; ordinary
+marshalling and unmarshalling are unchanged. If you rely on that behaviour,
supply your own `XmlMapper`
+(via the `xmlMapper` option) configured without this feature.
+
=== camel-oauth
`UserProfile` token verification now fails closed when no JWK set is
available: a signed token can no
diff --git
a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc
b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc
index eb57a78ee4b4..685912cba669 100644
--- a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc
+++ b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_21.adoc
@@ -2569,6 +2569,17 @@ This only affects routes that enable polymorphic /
default typing on an unsafe b
marshalling and unmarshalling are unchanged. If you rely on that behaviour,
supply your own `ObjectMapper`
(via the `objectMapper` option or the registry) configured without this
feature.
+=== camel-jacksonxml - potential breaking change
+
+The `camel-jacksonxml` data format now creates its default `XmlMapper` with
+`MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES` enabled, mirroring the
same hardening applied to
+`camel-jackson`. This is defense-in-depth against gadget-chain
deserialization: when polymorphic / default
+typing is enabled, Jackson refuses unsafe base types (such as `Object`,
`Serializable` or `Comparable`).
+
+This only affects routes that enable polymorphic / default typing on an unsafe
base type; ordinary
+marshalling and unmarshalling are unchanged. If you rely on that behaviour,
supply your own `XmlMapper`
+(via the `xmlMapper` option) configured without this feature.
+
=== camel-diagram: Embeddable web component
A new `<camel-route-diagram>` web component is now bundled inside
`camel-diagram.jar`
