Hi guys, I have a question about Kafka routes and security. I'm worried about injection (like what can be done in SQL or HTTP, I mean) through "URL options" parameter values (especially those enclosed in RAW(), such as the truststore/keystore password or the JAAS config).

Is my concern valid, or is it completely without foundation, or is there in any case a check and sanitization done by Camel? (I saw while debugging that the Camel-Kafka endpoint parses the parameters to create an option object to pass down to the Kafka client, so I'm wondering if this parsing also sanitizes the values.) Thanks!

P.S. I think I discovered a possible issue while trying to set a truststore in PEM format. I'm using Camel 3.21 (Kafka client 3.4.1). I generated keys and certificates in PEM format and they worked fine when used to set up a Kafka client (same version imported by the Camel-Kafka endpoint). Since it wasn't working from the route, I debugged the route startup and discovered that, even though truststoreType was set to PEM (uppercase), the value that arrived at the lower level (the Kafka client SSL initialization, I mean) was lowercase (pem) and then failed to match this check (DefaultSslEngineFactory):

    private static SecurityStore createTruststore(String type, String path, Password password, Password trustStoreCerts) {
        if (trustStoreCerts != null) {
            // case-sensitive comparison of the configured type against PEM_TYPE
            if (!PEM_TYPE.equals(type))
                throw new InvalidConfigurationException("SSL trust store certs can be specified only for PEM, but trust store type is " + type + ".");
            else if (path != null)
                throw new InvalidConfigurationException("Both SSL trust store location and separate trust certificates are specified.");
            else if (password != null)
                throw new InvalidConfigurationException("SSL trust store password cannot be specified for PEM format.");
            else
                return new PemStore(trustStoreCerts);
        } else if (PEM_TYPE.equals(type) && path != null) {
            if (password != null)
                throw new InvalidConfigurationException("SSL trust store password cannot be specified for PEM format.");
            else
                return new FileBasedPemStore(path, null, false);
        } else if (path == null && password != null) {
            throw new InvalidConfigurationException("SSL trust store is not specified, but trust store password is specified.");
        } else if (path != null) {
            return new FileBasedStore(type, path, password, null, false);
        } else
            return null;
    }

As a result the truststore was not set and my Kafka client wasn't able to connect to the Kafka server. I tried to change, at debug time, on the fly while entering this method, the type from "pem" to "PEM" and it worked fine. Am I doing something wrong?

Regards,
Riccardo Modanese