Andrea Cosentino created CAMEL-23803:
----------------------------------------

             Summary: camel-jackson-avro / camel-jackson-protobuf: block unsafe 
polymorphic base types by default in the data format ObjectMapper
                 Key: CAMEL-23803
                 URL: https://issues.apache.org/jira/browse/CAMEL-23803
             Project: Camel
          Issue Type: Improvement
          Components: camel-jackson-avro
            Reporter: Andrea Cosentino
            Assignee: Andrea Cosentino


h3. Problem
Follow-up to CAMEL-23786 (camel-jackson), raised in review of 
apache/camel#24134. The same missing {{BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES}} 
guard exists in the sibling Jackson data formats, while their {{transform/}} 
counterparts already enable it:

* camel-jackson-avro: {{JacksonAvroDataFormat.createNewObjectMapper()}} returns 
a bare {{new AvroMapper()}}; {{transform/Avro.java}} enables the feature.
* camel-jackson-protobuf: {{JacksonProtobufDataFormat.createNewObjectMapper()}} 
returns a bare {{new ProtobufMapper()}}; {{transform/Protobuf.java}} enables 
the feature.

When polymorphic / default typing is enabled, these mappers are exposed to 
gadget-chain deserialization on untrusted input.

h3. Suggested fix
Enable {{MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES}} by default in each 
{{createNewObjectMapper()}} (mirroring the respective {{transform/}} mapper and 
CAMEL-23786), each with a test and an upgrade-guide note.

h3. Note on camel-jackson3
camel-jackson3 (Jackson 3.x) was investigated: no code enables this 
MapperFeature, and Jackson 3 reworked default typing (mandatory 
PolymorphicTypeValidator), so {{BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES}} likely 
does not apply. Excluded pending a dedicated Jackson-3 review.

h3. Acceptance criteria
* camel-jackson-avro {{createNewObjectMapper()}} enables 
{{BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES}}
* camel-jackson-protobuf {{createNewObjectMapper()}} enables 
{{BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES}}
* Tests assert the feature is enabled on each data format's default mapper
* Upgrade-guide note documenting the hardened default and the opt-out
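The weak default beside the hardened one from the suggested fix, plus the check the acceptance-criteria test would make, as an added illustration; this is not Camel's own code, and the class and method names are assumptions (the real change lives in each data format's {{createNewObjectMapper()}}):

```java
import com.fasterxml.jackson.databind.MapperFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.dataformat.avro.AvroMapper;
import com.fasterxml.jackson.dataformat.protobuf.ProtobufMapper;

/** Illustrative factories only; not the Camel data format classes. */
public final class HardenedMapperExample {

    // Current behaviour described in the ticket: a bare mapper, guard off.
    static ObjectMapper bareAvroMapper() {
        return new AvroMapper();
    }

    // Suggested default: enable the guard when the mapper is built, so an
    // unsafe polymorphic base type (e.g. Object) is rejected even if a user
    // later turns on default typing without a PolymorphicTypeValidator.
    static ObjectMapper hardenedAvroMapper() {
        return AvroMapper.builder()
                .enable(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES)
                .build();
    }

    static ObjectMapper hardenedProtobufMapper() {
        return ProtobufMapper.builder()
                .enable(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES)
                .build();
    }

    // Opt-out path the upgrade-guide note would document (assumed shape).
    static ObjectMapper optOutAvroMapper() {
        return AvroMapper.builder()
                .disable(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES)
                .build();
    }

    // The assertion a unit test makes against each data format's default mapper.
    static boolean guardEnabled(ObjectMapper mapper) {
        return mapper.isEnabled(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES);
    }

    public static void main(String[] args) {
        if (guardEnabled(bareAvroMapper())) {
            throw new AssertionError("bare AvroMapper unexpectedly has the guard on");
        }
        if (!guardEnabled(hardenedAvroMapper()) || !guardEnabled(hardenedProtobufMapper())) {
            throw new AssertionError("hardened mapper must enable the guard");
        }
        if (guardEnabled(optOutAvroMapper())) {
            throw new AssertionError("explicit opt-out must disable the guard");
        }
        System.out.println("BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES defaults verified");
    }
}
```

Enabling the feature does not by itself enable default typing; it only makes the mapper refuse the well-known unsafe base types when polymorphic handling is later activated without a validator.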

_Created by Claude Code on behalf of Andrea Cosentino._
--
This message was sent by Atlassian Jira
(v8.20.10#820010)