[ https://issues.apache.org/jira/browse/CAMEL-23527?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18084337#comment-18084337 ]

Karol Krawczyk commented on CAMEL-23527:
----------------------------------------

Hi [~acosentino], I'd like to pick this up — one question on approach before I open a PR.

There isn't a single shared "API-component documentation template" to edit: the API-based components each have their own hand-written <name>-component.adoc, and there's no common partial for this. By my count it spans 13 components: as2, box, braintree, dhis2, fhir, google-calendar, google-drive, google-mail, google-sheets, olingo2, olingo4, twilio, zendesk.

So the cross-reference to the "Strip Camel-internal headers at the trust boundary" guidance (in security-model.adoc, under Deployment hardening) would need to be added in one of two ways:

- (A) a shared partial (e.g. partial$api-component-security.adoc) include::-ed into each of the 13 component docs — single source of truth for the text, but still one include line per component; or
- (B) a short paragraph + xref: added directly to each of the 13 component docs — self-contained, slight text duplication.

Do you have a preference? I'd also add it to the camel-archetype-api-component doc template so new API components pick it up going forward — let me know if that's in scope.

One small detail: the Deployment hardening section has no explicit anchor (only the auto-generated id), and security-model.adoc is recent, so I'd lean toward a page-level xref:manual::security-model.adoc[...] (no #fragment) to avoid a cross-version broken anchor — unless you'd prefer I add an explicit anchor to that section.

> API-based component docs: link to security-model header-filtering guidance
> --------------------------------------------------------------------------
>
>                 Key: CAMEL-23527
>                 URL: https://issues.apache.org/jira/browse/CAMEL-23527
>             Project: Camel
>          Issue Type: Improvement
>          Components: documentation
>            Reporter: Andrea Cosentino
>            Priority: Minor
>
> The API-based components (camel-fhir, camel-box, camel-twilio, 
> camel-google-*, etc.) let a route override per-call parameters via prefixed 
> exchange headers (e.g. CamelFhir.*). This is documented, intentional 
> framework behavior, but the individual component documentation pages do not 
> cross-reference the existing guidance in the security model about filtering 
> Camel-internal headers from untrusted producers.
> Proposed change: add a brief paragraph (or an xref:) to the API-component 
> documentation template linking to the "Strip Camel-internal headers at the 
> trust boundary" section of 
> docs/user-manual/modules/ROOT/pages/security-model.adoc.
> This is a pure documentation/consistency change spanning the API-based 
> components; no code change is required.
> _Filed by Claude Code on behalf of Andrea Cosentino._



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
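The hardening the ticket wants cross-referenced, shown as a runnable route. This is an added example, not code from the Camel project, from this ticket, or from security-model.adoc. Assumptions: the header name "CamelFhir.id" is used purely as an illustrative CamelFhir.* override, "direct:untrusted" stands in for an externally reachable endpoint, and the final .process() step stands in for the fhir: producer so the demo runs offline; it needs camel-core (Camel 3.x or 4.x) on the classpath.

```java
// Added example (not the Camel project's code): strip caller-supplied
// Camel-internal headers at the trust boundary before an API-based component
// can read them as per-call parameter overrides.
import java.util.HashMap;
import java.util.Map;

import org.apache.camel.CamelContext;
import org.apache.camel.ProducerTemplate;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.impl.DefaultCamelContext;

public class StripInternalHeadersDemo {

    /** Headers exactly as the (simulated) API component would receive them. */
    static final Map<String, Object> seenByApiComponent = new HashMap<>();

    static RouteBuilder hardenedRoute() {
        return new RouteBuilder() {
            @Override
            public void configure() {
                // "direct:untrusted" is an assumed stand-in for an endpoint
                // reachable by untrusted producers (HTTP, JMS, ...).
                from("direct:untrusted")
                    // Trust boundary: drop every Camel-internal header the caller
                    // sent. The wildcard pattern also catches CamelFhir.* overrides.
                    .removeHeaders("Camel*")
                    // Only the route decides which per-call parameter the API
                    // component gets; here the id comes from the message body.
                    // ("CamelFhir.id" is an illustrative header name, assumed.)
                    .setHeader("CamelFhir.id", simple("${body}"))
                    // Stand-in for .to("fhir:read/resourceById?...") so that the
                    // example runs without a FHIR server.
                    .process(exchange -> {
                        seenByApiComponent.clear();
                        seenByApiComponent.putAll(exchange.getMessage().getHeaders());
                    });
            }
        };
    }

    public static void main(String[] args) throws Exception {
        CamelContext context = new DefaultCamelContext();
        try {
            context.addRoutes(hardenedRoute());
            context.start();

            ProducerTemplate template = context.createProducerTemplate();

            // Constructed request from an untrusted producer: the body carries
            // the record id the caller is entitled to, but the caller also tries
            // to smuggle an override header pointing at a different record.
            Map<String, Object> callerHeaders = new HashMap<>();
            callerHeaders.put("CamelFhir.id", "someone-elses-record");
            callerHeaders.put("X-Request-Id", "req-42"); // non-Camel header, kept
            template.sendBodyAndHeaders("direct:untrusted", "patient-123", callerHeaders);

            // The smuggled CamelFhir.id never reaches the component; the value
            // set by the route does, and ordinary headers pass through untouched.
            System.out.println("CamelFhir.id seen by component: "
                    + seenByApiComponent.get("CamelFhir.id"));
            System.out.println("X-Request-Id seen by component: "
                    + seenByApiComponent.get("X-Request-Id"));
        } finally {
            context.stop();
        }
    }
}
```

The important ordering is removeHeaders before any setHeader the route itself performs: if the route sets its trusted value first and strips afterwards, the wildcard removes the route's own override too. removeHeaders also takes exclude patterns (removeHeaders(pattern, excludePatterns...)) for the rare Camel-internal header that must survive the boundary, but the default should be to strip everything and re-add deliberately.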