Andrea Cosentino created CAMEL-23786:
----------------------------------------
Summary: camel-jackson: block unsafe polymorphic base types by default in the data format ObjectMapper
Key: CAMEL-23786
URL: https://issues.apache.org/jira/browse/CAMEL-23786
Project: Camel
Issue Type: Improvement
Components: camel-jackson
Reporter: Andrea Cosentino
Assignee: Andrea Cosentino
h3. Problem
{{JacksonDataFormat.createNewObjectMapper()}} builds a bare {{new ObjectMapper()}} without enabling
{{MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES}}. The sibling {{transform/Json.java}} already
enables this guard. Without it, the mapper's default {{PolymorphicTypeValidator}} stays permissive, so a
polymorphic property declared against an overly broad base type such as {{java.lang.Object}} lets the
incoming JSON name the concrete class to instantiate. Users who enable polymorphic typing on the data
format (via enableFeatures/moduleClassNames) are then exposed to gadget-chain deserialization on
untrusted input.
h3. Evidence
* components/camel-jackson/src/main/java/org/apache/camel/component/jackson/JacksonDataFormat.java:88 (new ObjectMapper())
* compare
components/camel-jackson/src/main/java/org/apache/camel/component/jackson/transform/Json.java
h3. Suggested fix
Enable {{MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES}} by default in
{{createNewObjectMapper()}}, matching {{transform/Json.java}}; document it as a hardening default in the
upgrade guide, including how to opt out for users who deliberately rely on such base types.
h3. Acceptance criteria
* {{createNewObjectMapper()}} enables {{BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES}} by default
* Consistent with {{transform/Json.java}}
* Upgrade guide documents the hardened default and how to opt out if required
* A test confirms an unsafe polymorphic base type is blocked by default
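The following is an added illustration, not code from camel-jackson or from this ticket's author: it places a bare {{new ObjectMapper()}} (what {{createNewObjectMapper()}} builds today) next to one with {{BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES}} enabled, and feeds both the same JSON whose {{@class}} field names the class to instantiate. It assumes jackson-databind 2.11 or later, where enabling the feature makes the mapper substitute {{DefaultBaseTypeLimitingValidator}} for the permissive default validator, so that a base type of {{java.lang.Object}} is denied before any class name in the input is resolved. The {{Envelope}}, {{Note}} and {{UnsafeBaseTypeCheck}} names and the sample JSON are constructed for the example.

```java
// Added example (hypothetical classes), not camel-jackson code. Assumes
// jackson-databind >= 2.11, where BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES swaps in
// DefaultBaseTypeLimitingValidator when no explicit PolymorphicTypeValidator is set.
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.MapperFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;

public class UnsafeBaseTypeCheck {

    // A message type that opts into class-name polymorphism on an Object field.
    // java.lang.Object is exactly the kind of base type the feature refuses:
    // with Id.CLASS the JSON document itself picks the class to instantiate.
    public static class Envelope {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
        public Object payload;
    }

    // Harmless concrete type used as the payload. An attacker would put a
    // gadget class name here instead; the point is that the hardened mapper
    // never gets as far as looking at the name.
    public static class Note {
        public String text;
    }

    // Constructed sample input: the "@class" value is chosen by the sender.
    static final String INPUT =
            "{\"payload\":{\"@class\":\"" + Note.class.getName() + "\",\"text\":\"hi\"}}";

    // What createNewObjectMapper() builds today: permissive by default.
    public static ObjectMapper bareMapper() {
        return new ObjectMapper();
    }

    // The proposed default. JsonMapper.builder() is used because
    // ObjectMapper.enable(MapperFeature) is deprecated since 2.13; on a
    // pre-built mapper the equivalent is mapper.enable(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES).
    public static ObjectMapper hardenedMapper() {
        return JsonMapper.builder()
                .enable(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES)
                .build();
    }

    // Returns true if the mapper instantiated whatever class the JSON named,
    // false if the polymorphic base type was rejected.
    public static boolean resolvesSenderChosenClass(ObjectMapper mapper) throws Exception {
        try {
            Envelope env = mapper.readValue(INPUT, Envelope.class);
            return env.payload instanceof Note;
        } catch (JsonMappingException denied) {
            // With the feature on, Jackson reports the denied base type as an
            // InvalidDefinitionException (a JsonMappingException) while building
            // the deserializer, before any subtype is loaded.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected: bare mapper -> true, hardened mapper -> false.
        System.out.println("bare mapper resolved sender-chosen class: "
                + resolvesSenderChosenClass(bareMapper()));
        System.out.println("hardened mapper resolved sender-chosen class: "
                + resolvesSenderChosenClass(hardenedMapper()));
    }
}
```

The {{resolvesSenderChosenClass}} method is the shape of the acceptance test above: assert {{true}} for the bare mapper and {{false}} for the hardened one. Note what the feature does and does not cover: it denies a fixed set of overly broad base types ({{Object}}, {{Serializable}}, {{Closeable}}, and similar) when the default validator is in use; it does not restrict subtypes of a narrower base type, and a caller who passes their own {{PolymorphicTypeValidator}} to {{activateDefaultTyping}} bypasses it. Users who need polymorphism on untrusted input should still configure an allow-list validator such as {{BasicPolymorphicTypeValidator}}, which the opt-out documentation in the upgrade guide could point to.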
_Created by Claude Code on behalf of Andrea Cosentino._
--
This message was sent by Atlassian Jira (v8.20.10#820010)