Andrea Cosentino created CAMEL-23782:
----------------------------------------
Summary: camel-leveldb: apply an ObjectInputFilter to
aggregation-repository key deserialization
Key: CAMEL-23782
URL: https://issues.apache.org/jira/browse/CAMEL-23782
Project: Camel
Issue Type: Improvement
Components: camel-leveldb
Reporter: Andrea Cosentino
Assignee: Andrea Cosentino
h3. Problem
In {{DefaultLevelDBSerializer}}, the exchange deserialization path uses a
{{ClassLoadingAwareObjectInputStream}} with a configured {{ObjectInputFilter}},
but {{deserializeKey(byte[])}} reads key bytes via a raw {{ObjectInputStream}}
with no filter. For defense-in-depth this aggregation-repository key path
should apply the same conservative filter as the exchange path, consistent with
the ObjectInputFilter hardening already applied to other Camel deserialization
sites.
h3. Evidence
* components/camel-leveldb/src/main/java/org/apache/camel/component/leveldb/serializer/DefaultLevelDBSerializer.java:44 (raw {{new ObjectInputStream(...)}} in {{deserializeKey}})
* same file, lines 81-84 (exchange path with {{setObjectInputFilter}})
h3. Suggested fix
Wrap key deserialization in a ClassLoadingAwareObjectInputStream and apply the
same default ObjectInputFilter (keys are typically String, so a tight allowlist
is appropriate).
h3. Acceptance criteria
* deserializeKey applies an ObjectInputFilter consistent with the exchange path
* Default key types (e.g. String) still deserialize correctly
* A unit test covers key round-trip and rejection of an unexpected class
* Upgrade guide notes the tightened default if any previously-working key class
is now rejected
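Added illustration of the suggested fix and the acceptance criteria above (example code, not Camel's own {{DefaultLevelDBSerializer}}): a plain JDK {{ObjectInputStream}} stands in for {{ClassLoadingAwareObjectInputStream}}, and the String-only filter pattern is an assumption for this example, not Camel's actual default filter. It shows the key round-trip still working and an unexpected key class being rejected before it is instantiated.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Date;

public class FilteredKeyDeserializer {

    // Tight allowlist: aggregation keys are expected to be Strings, so every
    // other class is rejected. Assumed pattern for this example only.
    private static final ObjectInputFilter KEY_FILTER =
            ObjectInputFilter.Config.createFilter("java.lang.String;!*");

    static byte[] serializeKey(Object key) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(key);
        }
        return bos.toByteArray();
    }

    // Hardened counterpart of the unfiltered deserializeKey described in the
    // issue: the filter is installed before readObject() resolves any class.
    static Object deserializeKey(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(KEY_FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Round-trip of the default key type still works (constructed sample key).
        Object key = deserializeKey(serializeKey("order-42"));
        System.out.println("accepted key: " + key);

        // Any serialized class outside the allowlist is rejected with
        // InvalidClassException ("filter status: REJECTED").
        try {
            deserializeKey(serializeKey(new Date()));
            System.out.println("unexpected: Date key was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected unexpected key class: " + e.getMessage());
        }
    }
}
```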
_Created by Claude Code on behalf of Andrea Cosentino._
--
This message was sent by Atlassian Jira (v8.20.10#820010)