Andrea Cosentino created CAMEL-23787:
----------------------------------------
Summary: camel-jacksonxml: block unsafe polymorphic base types by default in the XmlMapper
Key: CAMEL-23787
URL: https://issues.apache.org/jira/browse/CAMEL-23787
Project: Camel
Issue Type: Improvement
Components: camel-jacksonxml
Reporter: Andrea Cosentino
Assignee: Andrea Cosentino
h3. Problem
{{JacksonXMLDataFormat.createNewXmlMapper()}} creates a bare {{new XmlMapper()}} without enabling {{MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES}}. This is the same exposure as the JSON data format: enabling polymorphic typing on untrusted XML risks gadget-chain deserialization.
h3. Evidence
* components/camel-jacksonxml/src/main/java/org/apache/camel/component/jacksonxml/JacksonXMLDataFormat.java:545
h3. Suggested fix
Enable MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES by default in
createNewXmlMapper(); document in the upgrade guide. Pairs with the
camel-jackson hardening.
h3. Acceptance criteria
* createNewXmlMapper enables BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES by default
* Upgrade guide documents the hardened default and opt-out
* A test confirms an unsafe polymorphic base type is blocked by default
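To show the difference between the bare mapper the ticket describes and the proposed hardened default, here is an added Java example (not Camel's code). The {{Envelope}} class, the {{type}} property name and the constructed XML input are assumptions for illustration; the behaviour shown is Jackson's own {{BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES}} check.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.MapperFeature;
import com.fasterxml.jackson.databind.exc.InvalidDefinitionException;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;

public class XmlMapperHardeningDemo {

    // Hypothetical POJO: a polymorphic field whose declared base type is
    // java.lang.Object, exactly the shape BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES refuses.
    public static class Envelope {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, property = "type")
        public Object payload;
    }

    // What createNewXmlMapper() currently returns: a bare mapper with the
    // feature off, so whatever class name the document carries is resolved.
    static XmlMapper bareMapper() {
        return new XmlMapper();
    }

    // The hardened default proposed in this ticket.
    static XmlMapper hardenedMapper() {
        return XmlMapper.builder()
                .enable(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES)
                .build();
    }

    // Constructed, benign input: the type id names java.util.HashMap.
    static final String XML =
            "<Envelope><payload><type>java.util.HashMap</type><k>v</k></payload></Envelope>";

    public static void main(String[] args) throws Exception {
        Object accepted = bareMapper().readValue(XML, Envelope.class).payload;
        System.out.println("bare mapper instantiated: " + accepted.getClass().getName());

        try {
            hardenedMapper().readValue(XML, Envelope.class);
            System.out.println("UNEXPECTED: hardened mapper accepted an Object base type");
        } catch (InvalidDefinitionException e) {
            // Thrown while the deserializer for Envelope is built, before any
            // class name from the document is looked up: the Object base type
            // itself is rejected, independent of the payload content.
            System.out.println("hardened mapper refused: " + e.getOriginalMessage());
        }
    }
}
```

The hardened mapper fails at deserializer construction for the unsafe base type, which is the behaviour the acceptance-criteria test should assert; a Camel user who genuinely needs an {{Object}} base type would have to opt out explicitly, as the upgrade guide entry should document.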
_Created by Claude Code on behalf of Andrea Cosentino._
--
This message was sent by Atlassian Jira (v8.20.10#820010)