[ https://issues.apache.org/jira/browse/CAMEL-23803?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on CAMEL-23803 started by Andrea Cosentino.
------------------------------------------------
> camel-jackson-avro / camel-jackson-protobuf: block unsafe polymorphic base types by default in the data format ObjectMapper
> ---------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CAMEL-23803
>                 URL: https://issues.apache.org/jira/browse/CAMEL-23803
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-jackson-avro
>            Reporter: Andrea Cosentino
>            Assignee: Andrea Cosentino
>            Priority: Major
>
> h3. Problem
> Follow-up to CAMEL-23786 (camel-jackson), raised in review of apache/camel#24134. The same missing {{BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES}} guard exists in the sibling Jackson data formats, while their {{transform/}} counterparts already enable it:
> * camel-jackson-avro: {{JacksonAvroDataFormat.createNewObjectMapper()}} returns a bare {{new AvroMapper()}}; {{transform/Avro.java}} enables the feature.
> * camel-jackson-protobuf: {{JacksonProtobufDataFormat.createNewObjectMapper()}} returns a bare {{new ProtobufMapper()}}; {{transform/Protobuf.java}} enables the feature.
> When polymorphic / default typing is enabled, these mappers are exposed to gadget-chain deserialization on untrusted input.
> h3. Suggested fix
> Enable {{MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES}} by default in each {{createNewObjectMapper()}} (mirroring the respective {{transform/}} mapper and CAMEL-23786), each with a test and an upgrade-guide note.
> h3. Note on camel-jackson3
> camel-jackson3 (Jackson 3.x) was investigated: no code enables this MapperFeature, and Jackson 3 reworked default typing (mandatory PolymorphicTypeValidator), so BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES likely does not apply. Excluded pending a dedicated Jackson-3 review.
> h3. Acceptance criteria
> * camel-jackson-avro createNewObjectMapper enables BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES
> * camel-jackson-protobuf createNewObjectMapper enables BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES
> * Tests assert the feature is enabled on each data format's default mapper
> * Upgrade-guide note documenting the hardened default and opt-out
> _Created by Claude Code on behalf of Andrea Cosentino._
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
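As an added illustration (not Camel's own code and not part of the issue above), the bare mapper the issue describes sits beside the hardened form it asks for, together with the check the acceptance criteria call for. It assumes Jackson 2.10 or newer, where the mapper builder API and this MapperFeature exist, and the jackson-dataformat-avro and jackson-dataformat-protobuf modules on the classpath; the class name HardenedMappers is a placeholder.

```java
// Added illustration, not Camel's own code. Assumes Jackson 2.10+ with the
// avro and protobuf dataformat modules on the classpath.
import com.fasterxml.jackson.databind.MapperFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.dataformat.avro.AvroMapper;
import com.fasterxml.jackson.dataformat.protobuf.ProtobufMapper;

public final class HardenedMappers {

    // Before: the shape the issue reports for createNewObjectMapper(), a bare
    // mapper. BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES defaults to off, so nothing
    // stops java.lang.Object or java.io.Serializable from later being accepted
    // as a polymorphic base type once default typing is switched on.
    static AvroMapper bareAvroMapper() {
        return new AvroMapper();
    }

    // After: the feature enabled at construction time, which is what the
    // transform/ mappers already do and what the fix asks of the data formats.
    static AvroMapper hardenedAvroMapper() {
        return AvroMapper.builder()
                .enable(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES)
                .build();
    }

    static ProtobufMapper hardenedProtobufMapper() {
        return ProtobufMapper.builder()
                .enable(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES)
                .build();
    }

    // The assertion the acceptance criteria ask each data format's test to make:
    // the default mapper reports the guard as enabled. Users who deliberately
    // opt out (per the upgrade-guide note) do so by supplying their own mapper.
    static boolean isHardened(ObjectMapper mapper) {
        return mapper.isEnabled(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES);
    }

    public static void main(String[] args) {
        if (isHardened(bareAvroMapper())) {
            throw new AssertionError("bare AvroMapper should not report the guard as enabled");
        }
        if (!isHardened(hardenedAvroMapper())) {
            throw new AssertionError("hardened AvroMapper must enable the guard");
        }
        if (!isHardened(hardenedProtobufMapper())) {
            throw new AssertionError("hardened ProtobufMapper must enable the guard");
        }
        System.out.println("BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES enabled on both hardened mappers");
    }
}
```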