Andrea Cosentino created CAMEL-23609:
----------------------------------------
Summary: Tighten in-code ObjectInputFilter defaults with JEP-290
graph-shape limits
Key: CAMEL-23609
URL: https://issues.apache.org/jira/browse/CAMEL-23609
Project: Camel
Issue Type: Improvement
Components: camel-infinispan, camel-mina, camel-netty, camel-leveldb,
camel-jms, camel-netty-http, camel-vertx-http, camel-sjms, camel-cassandraql,
camel-consul, camel-sql
Reporter: Andrea Cosentino
Assignee: Andrea Cosentino
Fix For: 4.21.0
Follow-up to the CAMEL-23297 / CAMEL-23319 / CAMEL-23321 / CAMEL-23322 /
CAMEL-23324 / CAMEL-23372 series, which introduced an in-code default
{{ObjectInputFilter}} across components that perform Java deserialization
(aggregation repositories, on-the-wire converters, exchange holders).
The current in-code default is a class-pattern allowlist:
{noformat}
!java.net.**;java.**;javax.**;org.apache.camel.**;!*
{noformat}
{{ObjectInputFilter}} (JEP 290) supports additional structural clauses that the
current defaults do not use: {{maxdepth}}, {{maxrefs}}, {{maxbytes}},
{{maxarray}}, {{maxinternalrefs}}. Adding conservative values for these to the
in-code defaults provides defense in depth so that operators who have not set
{{-Djdk.serialFilter}} still get sensible graph-shape limits out of the box.
Operators retain the existing override path:
* JVM-wide {{-Djdk.serialFilter}} takes precedence over the Camel default in
every site that ships one.
* The configurable repositories and endpoint configurations
({{LevelDBAggregationRepository}}, {{JdbcAggregationRepository}},
{{CassandraAggregationRepository}}, {{ConsulRegistry}}, {{JmsConfiguration}},
{{SjmsComponent}}, {{NettyHttp}} / {{VertxHttp}} configuration, etc.) already
expose a {{deserializationFilter}} {{@UriParam}} that lets a route author pass
a fully custom filter string including the structural clauses.
Affected default-filter sites:
* {{components/camel-infinispan/camel-infinispan/.../DefaultExchangeHolderUtils.java}}
* {{components/camel-jms/.../JmsBinding.java}}
* {{components/camel-sjms/.../jms/JmsBinding.java}}
* {{components/camel-mina/.../MinaConverter.java}}
* {{components/camel-netty/.../NettyConverter.java}}
* {{components/camel-netty-http/.../NettyHttpHelper.java}}
* {{components/camel-vertx/camel-vertx-http/.../VertxHttpHelper.java}}
* {{components/camel-leveldb/.../LevelDBAggregationRepository.java}}
* {{components/camel-cassandraql/.../CassandraAggregationRepository.java}}
* {{components/camel-consul/.../ConsulRegistry.java}}
* {{components/camel-sql/.../JdbcAggregationRepository.java}}
Proposed defaults (subject to review):
{noformat}
!java.net.**;java.**;javax.**;org.apache.camel.**;maxdepth=20;maxrefs=10000;maxbytes=10485760;!*
{noformat}
Tests should confirm:
* Legitimate aggregation payloads continue to deserialize.
* The new structural clauses are present in the resolved filter.
* The JVM-wide {{-Djdk.serialFilter}} still takes precedence when set.
An upgrade-guide entry on {{main}} is required because the tightened defaults
may reject extremely deep / very-large legitimate payloads on first upgrade.
The entry should explain the new defaults, list the override options, and note
that operators can restore the previous behaviour per endpoint via the
{{deserializationFilter}} option or JVM-wide via {{-Djdk.serialFilter}}.
h3. Acceptance criteria
* New defaults applied consistently across all sites above.
* Tests added at each site asserting that the resolved {{ObjectInputFilter}}
contains the structural clauses.
* JVM-wide {{-Djdk.serialFilter}} precedence preserved.
* Upgrade-guide entry on {{main}} (and the matching
{{camel-4x-upgrade-guide-4_XX.adoc}} for any backport line that picks this up).
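The difference between the current and the proposed default, shown on a shallow payload and on a deeply nested one. This is an added example, not code from Camel or from the issue. The two filter strings are taken from the issue text; the {{resolve}} helper, the class name and both payloads are assumptions constructed for illustration.

```java
import java.io.*;
import java.util.*;

public class SerialFilterLimitsDemo {
    // Both filter strings are copied from the issue text.
    static final String CURRENT = "!java.net.**;java.**;javax.**;org.apache.camel.**;!*";
    static final String PROPOSED = "!java.net.**;java.**;javax.**;org.apache.camel.**;"
            + "maxdepth=20;maxrefs=10000;maxbytes=10485760;!*";
    // Hypothetical helper, not Camel's code: a JVM-wide -Djdk.serialFilter wins over the default.
    static ObjectInputFilter resolve(String inCodeDefault) {
        ObjectInputFilter jvmWide = ObjectInputFilter.Config.getSerialFilter();
        return jvmWide != null ? jvmWide : ObjectInputFilter.Config.createFilter(inCodeDefault);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserializes under the given filter; a filter rejection surfaces as InvalidClassException.
    static String read(byte[] data, ObjectInputFilter filter) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            ois.readObject();
            return "accepted";
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload 1: a small, shallow map such as an aggregation might hold.
        Map<String, Object> shallow = new HashMap<>();
        shallow.put("orderId", 42);
        shallow.put("items", new ArrayList<>(List.of("a", "b", "c")));
        // Constructed payload 2: lists nested 25 levels deep, beyond maxdepth=20.
        Object deep = new ArrayList<>();
        for (int i = 0; i < 25; i++) deep = new ArrayList<>(List.of(deep));
        for (String spec : List.of(CURRENT, PROPOSED)) {
            ObjectInputFilter f = resolve(spec);
            System.out.println(spec);
            System.out.println("  shallow map: " + read(serialize(shallow), f));
            System.out.println("  deep lists:  " + read(serialize(deep), f));
        }
    }
}
```

Running it with a {{-Djdk.serialFilter=...}} argument makes {{resolve}} return the JVM-wide filter for both rows, which is the precedence behaviour the tests are meant to confirm.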