Nikita Awasthi created CAMEL-23814:
--------------------------------------
Summary: Optional secret property placeholders in YAML DSL
parameters not stripped due to RAW() wrapping
Key: CAMEL-23814
URL: https://issues.apache.org/jira/browse/CAMEL-23814
Project: Camel
Issue Type: Bug
Components: camel-yaml-dsl
Reporter: Nikita Awasthi
When a Kamelet (or any YAML DSL route) uses optional property placeholders
{{?xxx}} in the to endpoint parameters section, and the parameter is a secret
(format: password), the optional placeholder is not stripped when the property
is not provided.
The root cause is in the interaction between YamlSupport.createEndpointUri()
and EndpointHelper.extractParamsToKeep():
1. YamlSupport.createEndpointUri() wraps secret parameter values in RAW()
*before* property placeholder resolution. An unprovided optional param like
{{?accessKey}} becomes RAW({{?accessKey}}).
2. EndpointHelper.extractParamsToKeep() checks if parameter values start with
{{? to identify unresolved optional placeholders that should be removed. But
RAW-wrapped values start with RAW( instead of {{?, so they survive the filter.
3. The endpoint URI ends up containing invalid parameters like
accessKey=RAW({{?accessKey}}), which causes endpoint creation to fail.
*Non-secret* optional params (e.g. the log component's showHeaders, showStreams) are
stripped correctly because they are never RAW-wrapped.
This affects all Kamelets with optional secret parameters, including kafka-sink
(saslPassword, oauthClientSecret, SSL passwords), aws-s3-source (accessKey,
secretKey, sessionToken), and many others.
h3. Steps to reproduce
Use the my-aws-s3-source kamelet (which has optional secret params accessKey,
secretKey, sessionToken in its template parameters section) without providing
the secret parameters:
{code:java}
from("kamelet:my-aws-s3-source?bucketNameOrArn=mybucket&region=eu-south-2&autoCreateBucket=false&useDefaultCredentialsProvider=true")
.to("mock:result");
{code}
The resulting endpoint URI contains:
{code}
aws2-s3://mybucket?accessKey=RAW(%7B%7B?accessKey%7D%7D)&secretKey=RAW(%7B%7B?secretKey%7D%7D)&sessionToken=RAW(%7B%7B?sessionToken%7D%7D)&...
{code}
The optional secret params should have been stripped entirely from the URI.
A reproducing unit test has been written in
KameletOptionalParameterTest.testAwsOptionalSecretParamsNotProvided (currently
@Disabled).
h3. Affected code
* dsl/camel-yaml-dsl/camel-yaml-dsl-common/.../YamlSupport.java -
createEndpointUri() wraps secrets in RAW() before resolution
* core/camel-support/.../EndpointHelper.java - extractParamsToKeep() does not
detect RAW({{?xxx}}) pattern
h3. Possible fix
Either:
* EndpointHelper.extractParamsToKeep() should also detect RAW({{?xxx}})
patterns (unwrap RAW before checking for {{?), or
* YamlSupport.createEndpointUri() should defer RAW() wrapping until after
optional placeholder resolution
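The first option under "Possible fix" (unwrap RAW before checking for {{?), shown as an added example that is not Camel's code and not part of the original report. The class and method names are hypothetical, the filter is a simplified stand-in for the behaviour the report attributes to EndpointHelper.extractParamsToKeep(), and the parameter map is constructed sample input.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration: hypothetical stand-in, not Camel's EndpointHelper.
public class OptionalSecretFilter {

    // Strip one RAW(...) wrapper if the whole value is wrapped.
    static String unwrapRaw(String value) {
        if (value.startsWith("RAW(") && value.endsWith(")")) {
            return value.substring(4, value.length() - 1);
        }
        return value;
    }

    // True when the value is a whole optional placeholder such as {{?accessKey}}.
    static boolean isUnresolvedOptional(String value) {
        return value.startsWith("{{?") && value.endsWith("}}");
    }

    // Keep every parameter that is not an unresolved optional placeholder.
    // unwrapFirst=false models the reported behaviour (prefix check on the
    // RAW-wrapped value); unwrapFirst=true models the proposed fix.
    static Map<String, String> paramsToKeep(Map<String, String> params, boolean unwrapFirst) {
        Map<String, String> keep = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            String probe = unwrapFirst ? unwrapRaw(e.getValue()) : e.getValue();
            if (!isUnresolvedOptional(probe)) {
                // Keep the original value so a provided secret stays RAW-wrapped.
                keep.put(e.getKey(), e.getValue());
            }
        }
        return keep;
    }

    public static void main(String[] args) {
        // Constructed sample input modelled on the report's aws-s3 case.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("region", "eu-south-2");
        params.put("accessKey", "RAW({{?accessKey}})");       // optional secret, not provided
        params.put("secretKey", "RAW(constructed&secret=1)"); // provided secret, must survive
        params.put("showHeaders", "{{?showHeaders}}");        // optional non-secret

        System.out.println("prefix check only: " + paramsToKeep(params, false));
        System.out.println("unwrap RAW first:  " + paramsToKeep(params, true));
    }
}
```

With the prefix check alone, accessKey=RAW({{?accessKey}}) survives the filter; with unwrapping it is dropped, while the provided secret keeps its RAW() wrapper.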