oscerd opened a new pull request, #24195: URL: https://github.com/apache/camel/pull/24195
## Summary

Follow-up to CAMEL-23786 (camel-jackson) and CAMEL-23787 (camel-jacksonxml), raised in review of #24134. `camel-jackson-avro`'s `JacksonAvroDataFormat.createNewObjectMapper()` and `camel-jackson-protobuf`'s `JacksonProtobufDataFormat.createNewObjectMapper()` returned a bare `new AvroMapper()` / `new ProtobufMapper()`, while their `transform/` counterparts (`transform/Avro.java`, `transform/Protobuf.java`) already enable `MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES`. This closes that gap so all sibling Jackson data formats are consistent.

When polymorphic / default typing is enabled, Jackson now refuses unsafe base types (`Object`, `Serializable`, `Comparable`) — defense-in-depth against gadget-chain deserialization. Ordinary marshalling/unmarshalling is unchanged.

## Changes

- `JacksonAvroDataFormat.createNewObjectMapper()` → `AvroMapper.builder().enable(BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES).build()`.
- `JacksonProtobufDataFormat.createNewObjectMapper()` → `ProtobufMapper.builder().enable(BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES).build()`.
- New `JacksonAvroDataFormatPolymorphicHardeningTest` and `JacksonProtobufDataFormatPolymorphicHardeningTest` asserting the feature is enabled on each data format's default mapper.
- Upgrade-guide notes for 4.21, 4.18 and 4.14 (entries on `main` per the docs-on-main policy, since this is backported to the 4.18.x and 4.14.x maintenance lines).

## Opt-out

Routes that deliberately rely on polymorphic/default typing on an unsafe base type can supply their own mapper (via the `objectMapper` option) configured without this feature.

## Note on camel-jackson3

`camel-jackson3` (Jackson 3.x) is intentionally excluded: no code enables this `MapperFeature`, and Jackson 3 reworked default typing with a mandatory `PolymorphicTypeValidator`, so the flag likely does not apply. Left for a dedicated Jackson-3 review.

## Backport

Will be backported to `camel-4.18.x` and `camel-4.14.x` (code + test only; upgrade-guide entries stay on `main`), keeping the hardening consistent with camel-jackson/camel-jacksonxml on those lines.

---

_AI-generated by Claude Code on behalf of Andrea Cosentino._

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
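The following is an added illustration, not code from the pull request or from Apache Camel, of what the mapper change above does. It builds the Avro and Protobuf mappers exactly as the PR's `createNewObjectMapper()` now does, checks the flag the new tests assert on, and then shows the observable effect of `BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES` on a `@JsonTypeInfo(use = Id.CLASS)` property whose declared base type is `java.lang.Object`. Because the feature is a plain `MapperFeature` inherited by every `ObjectMapper` subclass, the deserialization part uses a JSON `JsonMapper` so that no Avro schema or Protobuf descriptor is needed; the `Envelope`/`Note` classes and the sample document are constructed for this demo and assume `jackson-databind`, `jackson-dataformat-avro` and `jackson-dataformat-protobuf` (2.10 or newer, for the builder API) on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.MapperFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.dataformat.avro.AvroMapper;
import com.fasterxml.jackson.dataformat.protobuf.ProtobufMapper;

public class PolymorphicHardeningDemo {

    /** Constructed for this demo: a carrier that (unwisely) declares Object as its polymorphic base type. */
    public static class Envelope {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
        public Object payload;
    }

    /** Constructed for this demo: a benign concrete payload type. */
    public static class Note {
        public String text;
    }

    /** Same construction the PR puts into JacksonAvroDataFormat.createNewObjectMapper(). */
    static AvroMapper hardenedAvroMapper() {
        return AvroMapper.builder()
                .enable(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES)
                .build();
    }

    /** Same construction the PR puts into JacksonProtobufDataFormat.createNewObjectMapper(). */
    static ProtobufMapper hardenedProtobufMapper() {
        return ProtobufMapper.builder()
                .enable(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES)
                .build();
    }

    /** The check the PR's new *PolymorphicHardeningTest classes make against each default mapper. */
    static boolean isHardened(ObjectMapper mapper) {
        return mapper.isEnabled(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES);
    }

    /**
     * Tries to read an Envelope from a document whose type id names Note.
     * Returns true if the mapper resolved the subtype, false if Jackson refused the Object base type.
     */
    static boolean acceptsObjectBaseType(ObjectMapper mapper, String json) throws Exception {
        try {
            Envelope e = mapper.readValue(json, Envelope.class);
            return e.payload instanceof Note;
        } catch (JsonMappingException denied) {
            // With the feature enabled, the default PolymorphicTypeValidator denies *all* subtypes
            // of java.lang.Object, so the class name in the document is never even looked up.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("avro mapper hardened:     " + isHardened(hardenedAvroMapper()));
        System.out.println("protobuf mapper hardened: " + isHardened(hardenedProtobufMapper()));
        System.out.println("bare new AvroMapper():    " + isHardened(new AvroMapper()));

        // Constructed sample document: "@class" is the default type-id property for Id.CLASS.
        String json = "{\"payload\":{\"@class\":\"" + Note.class.getName() + "\",\"text\":\"hi\"}}";

        // Pre-PR behaviour (feature off) versus the hardened configuration, on a format-agnostic mapper.
        ObjectMapper lax = JsonMapper.builder().build();
        ObjectMapper strict = JsonMapper.builder()
                .enable(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES)
                .build();

        System.out.println("lax accepts Object base:    " + acceptsObjectBaseType(lax, json));
        System.out.println("strict accepts Object base: " + acceptsObjectBaseType(strict, json));
    }
}
```

The builder-built Avro and Protobuf mappers report the feature as enabled while a bare `new AvroMapper()` does not, which is the gap the PR closes. The second half shows why that matters: the same document deserializes under the lax mapper but is rejected under the strict one, because the validator refuses to resolve any subtype of `Object` rather than trusting whatever class name the input supplies. A route that genuinely needs that lax behaviour is the opt-out case described above and should pass its own mapper through the `objectMapper` option, keeping the exception explicit rather than the default.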
