oscerd opened a new pull request, #24196: URL: https://github.com/apache/camel/pull/24196
Fixes [CAMEL-23769](https://issues.apache.org/jira/browse/CAMEL-23769).

## Problem

`HttpHelper.deserializeJavaObjectFromStream` read a Java-serialized object via `CamelObjectInputStream` **without an `ObjectInputFilter`**. This is only reachable behind the opt-in `allowJavaSerializedObject` / `transferException` options, but the sibling `camel-netty-http`, `camel-jms` and `camel-vertx-http` bindings already apply a filter on that path. This aligns `camel-http-common` with them (defense-in-depth).

## Change

- **`HttpHelper`** — new overload `deserializeJavaObjectFromStream(is, ctx, deserializationFilter)` that calls `ois.setObjectInputFilter(resolve(filter))` before `readObject()`; the existing 1-/2-arg methods delegate to it, so **every call site is covered** (the `DefaultHttpBinding` request side and the camel-http `HttpProducer` response side). `resolveDeserializationFilter` mirrors the siblings: configured pattern → JVM-wide `jdk.serialFilter` → conservative `DEFAULT_DESERIALIZATION_FILTER`.
- **`HttpCommonComponent`** — new `deserializationFilter` `@Metadata` option (`jdk.serialFilter` syntax).
- **`HttpBinding`** (SPI) — `get/setDeserializationFilter` added as **`default` methods** (no break for external `HttpBinding` implementations).
- Wired in `DefaultHttpBinding`, `HttpCommonEndpoint`, `JettyHttpEndpoint12`, `ServletEndpoint`, and `HttpProducer` (camel-http).

Default filter: `!java.net.**;java.**;javax.**;org.apache.camel.**;maxdepth=20;maxrefs=10000;maxbytes=10485760;!*`.

## Tests

- `HttpHelperDeserializationTest` — configured filter rejects a denied class, allows a permitted one, and the default filter denies `java.net.**`.
- Full reactor build (`mvn clean install -DskipTests`, 2365 modules) green; metadata regenerated for http/jetty/servlet/atmosphere-websocket (the new option + index shift only, verified no unrelated drift).

## Documentation

- `camel-4x-upgrade-guide-4_21.adoc` — note for the HTTP components.

## Compatibility / backport

Behaviour change: on the **opt-in** deserialization path, a payload referencing a denied class may now be rejected. This is a new option (config surface), so per project convention it likely targets **4.21.0**; final `fixVersions` is at the maintainers' discretion.

---

_Claude Code on behalf of Andrea Cosentino_
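The mechanism the PR relies on, shown as an added, self-contained example that is not code from the pull request or from Apache Camel: a `java.io.ObjectInputFilter` built from the `jdk.serialFilter` pattern syntax is attached to an `ObjectInputStream` before `readObject()`, so a class outside the allow-list is rejected with `InvalidClassException` before its deserialization hooks run. The `DeserializationFilterDemo` class, its `resolveFilter` helper (which follows the same configured → JVM-wide → default order the PR describes) and the `deserialize`/`serialize` helpers are hypothetical names chosen for this example; the default pattern string is the one quoted in the PR. It uses only the JDK (9+) and needs no Camel dependency.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.net.URI;
import java.util.ArrayList;

public class DeserializationFilterDemo {

    // Same pattern string as the PR's DEFAULT_DESERIALIZATION_FILTER:
    // deny java.net.**, allow java.**, javax.**, org.apache.camel.**, cap graph size, deny everything else.
    static final String DEFAULT_PATTERN =
            "!java.net.**;java.**;javax.**;org.apache.camel.**;maxdepth=20;maxrefs=10000;maxbytes=10485760;!*";

    // Hypothetical helper mirroring the resolution order the PR describes:
    // configured pattern -> JVM-wide jdk.serialFilter -> conservative default.
    static ObjectInputFilter resolveFilter(String configuredPattern) {
        if (configuredPattern != null && !configuredPattern.isBlank()) {
            return ObjectInputFilter.Config.createFilter(configuredPattern);
        }
        ObjectInputFilter jvmWide = ObjectInputFilter.Config.getSerialFilter(); // -Djdk.serialFilter=...
        if (jvmWide != null) {
            return jvmWide;
        }
        return ObjectInputFilter.Config.createFilter(DEFAULT_PATTERN);
    }

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The filter must be installed on the stream before readObject(); the JDK consults it
    // for every class descriptor (and array/depth/ref/byte limits) encountered in the stream.
    static Object deserialize(byte[] bytes, ObjectInputFilter filter) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectInputFilter filter = resolveFilter(null); // no configured pattern in this demo

        // Allowed: java.util.ArrayList and java.lang.String match "java.**".
        ArrayList<String> payload = new ArrayList<>();
        payload.add("ok");
        System.out.println("allowed: " + deserialize(serialize(payload), filter));

        // Denied: java.net.URI matches the leading "!java.net.**" rule.
        // The stream is rejected when the class descriptor is read, before URI.readObject runs.
        try {
            deserialize(serialize(URI.create("http://example.invalid/")), filter);
            System.out.println("unexpected: java.net.URI was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage()); // "filter status: REJECTED"
        }

        // A narrower configured pattern, in the same syntax as the new deserializationFilter option,
        // takes precedence over both the JVM-wide filter and the default.
        ObjectInputFilter strict = resolveFilter("java.lang.String;!*");
        try {
            deserialize(serialize(payload), strict); // ArrayList is no longer on the allow-list
        } catch (InvalidClassException e) {
            System.out.println("rejected under strict filter: " + e.getMessage());
        }
    }
}
```

Run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo`. To see the JVM-wide fallback take effect, start it with `-Djdk.serialFilter=...` and leave the configured pattern empty; the order of the three sources is what determines which payloads the opt-in path will accept.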
