This is an automated email from the ASF dual-hosted git repository.

acosentino pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git


The following commit(s) were added to refs/heads/main by this push:
     new c7aa49f8c83 CAMEL-20306 - Camel-CassandraQL: Add ObjectInputFilter 
String pattern parameter in CassandraAggregationRepository to be used in 
unmarshall operations (#12759)
c7aa49f8c83 is described below

commit c7aa49f8c83b0aca3b62984b6ccfe0a3d3bcee4f
Author: Andrea Cosentino <anco...@gmail.com>
AuthorDate: Thu Jan 11 12:58:26 2024 +0100

    CAMEL-20306 - Camel-CassandraQL: Add ObjectInputFilter String pattern 
parameter in CassandraAggregationRepository to be used in unmarshall operations 
(#12759)
    
    * CAMEL-20306 - Camel-CassandraQL: Add ObjectInputFilter String pattern 
parameter in CassandraAggregationRepository to be used in unmarshall operations
    
    Signed-off-by: Andrea Cosentino <anco...@gmail.com>
    
    * CAMEL-20306 - Camel-CassandraQL: Add ObjectInputFilter String pattern 
parameter in CassandraAggregationRepository to be used in unmarshall operations 
- Docs
    
    Signed-off-by: Andrea Cosentino <anco...@gmail.com>
    
    * CAMEL-20306 - Camel-CassandraQL: Add ObjectInputFilter String pattern 
parameter in CassandraAggregationRepository to be used in unmarshall operations 
- Migration Docs
    
    Signed-off-by: Andrea Cosentino <anco...@gmail.com>
    
    ---------
    
    Signed-off-by: Andrea Cosentino <anco...@gmail.com>
---
 .../src/main/docs/cql-component.adoc               |  4 ++
 .../cassandra/CassandraAggregationRepository.java  | 19 +++++++-
 .../aggregate/cassandra/CassandraCamelCodec.java   | 15 +++---
 .../cassandra/CassandraCamelCodecTest.java         | 56 ++++++++++++++++++++++
 .../test/java/org/malicious/example/Employee.java  | 46 ++++++++++++++++++
 .../ROOT/pages/camel-4x-upgrade-guide-4_4.adoc     | 12 +++--
 6 files changed, 139 insertions(+), 13 deletions(-)

diff --git a/components/camel-cassandraql/src/main/docs/cql-component.adoc 
b/components/camel-cassandraql/src/main/docs/cql-component.adoc
index a6b0ad65c73..c4390099c77 100644
--- a/components/camel-cassandraql/src/main/docs/cql-component.adoc
+++ b/components/camel-cassandraql/src/main/docs/cql-component.adoc
@@ -187,6 +187,10 @@ Alternatively, the `CassandraAggregationRepository` does 
not have a
 `LOCAL_QUORUM`…
 |=======================================================================
 
+While deserializing it's important to notice that the the unmarshallExchange 
method will allow only all java packages and subpackages
+and org.apache.camel packages and subpackages. The remaining classes will be 
blacklisted. So you'll need to change the filter in case of need.
+This could be accomplished by changing the deserializationFilter field on the 
repository.
+
 == Examples
 
 To insert something on a table you can use the following code:
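Review bot: the added paragraph has a doubled "the the", and "will allow only all java packages" reads as a contradiction; suggest "the unmarshallExchange method only accepts classes from the `java` and `org.apache.camel` packages (and their subpackages); every other class is rejected". It would also help to name the setter (`setDeserializationFilter`), quote the default `java.**;org.apache.camel.**;!*`, and say that the string uses the `ObjectInputFilter.Config.createFilter` pattern syntax, where patterns are matched in order and the first match wins, so a user adding their own package must place it before the trailing `!*` for it to take effect.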
diff --git 
a/components/camel-cassandraql/src/main/java/org/apache/camel/processor/aggregate/cassandra/CassandraAggregationRepository.java
 
b/components/camel-cassandraql/src/main/java/org/apache/camel/processor/aggregate/cassandra/CassandraAggregationRepository.java
index 00277bbfccd..b64653a96f1 100644
--- 
a/components/camel-cassandraql/src/main/java/org/apache/camel/processor/aggregate/cassandra/CassandraAggregationRepository.java
+++ 
b/components/camel-cassandraql/src/main/java/org/apache/camel/processor/aggregate/cassandra/CassandraAggregationRepository.java
@@ -121,6 +121,14 @@ public class CassandraAggregationRepository extends 
ServiceSupport implements Re
 
     private boolean allowSerializedHeaders;
 
+    /**
+     * Sets a deserialization filter while reading Object from Aggregation 
Repository. By default the filter will allow
+     * all java packages and subpackages and all org.apache.camel packages and 
subpackages, while the remaining will be
+     * blacklisted and not deserialized. This parameter should be customized 
if you're using classes you trust to be
+     * deserialized.
+     */
+    private String deserializationFilter = "java.**;org.apache.camel.**;!*";
+
     public CassandraAggregationRepository() {
     }
 
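Review bot: the Javadoc on `deserializationFilter` says the parameter "should be customized if you're using classes you trust to be deserialized", which invites loosening the filter freely; suggest wording it as an allow-list: add only the packages whose classes are expected inside aggregated exchanges and keep the trailing `!*` so that anything unlisted stays rejected. Since the value goes straight into `ObjectInputFilter.Config.createFilter`, the default could also carry resource limits such as `maxdepth=` and `maxarray=` next to the class patterns; they cost nothing for legitimate exchanges and bound what a malformed row can make the stream allocate.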
@@ -211,7 +219,8 @@ public class CassandraAggregationRepository extends 
ServiceSupport implements Re
         Exchange exchange = null;
         if (row != null) {
             try {
-                exchange = exchangeCodec.unmarshallExchange(camelContext, 
row.getByteBuffer(exchangeColumn));
+                exchange = exchangeCodec.unmarshallExchange(camelContext, 
row.getByteBuffer(exchangeColumn),
+                        deserializationFilter);
             } catch (IOException iOException) {
                 throw new CassandraAggregationException("Failed to read 
exchange", exchange, iOException);
             } catch (ClassNotFoundException classNotFoundException) {
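Review bot: in the `catch (IOException iOException)` branch a filter rejection (`InvalidClassException` is an `IOException`) is wrapped as "Failed to read exchange", which is indistinguishable from a corrupt or truncated row; suggest catching `InvalidClassException` first, with a message (and a WARN log) stating that the deserialization filter rejected the payload, so operators can tell a policy hit from data corruption when it shows up in the logs.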
@@ -468,4 +477,12 @@ public class CassandraAggregationRepository extends 
ServiceSupport implements Re
     public void setAllowSerializedHeaders(boolean allowSerializedHeaders) {
         this.allowSerializedHeaders = allowSerializedHeaders;
     }
+
+    public String getDeserializationFilter() {
+        return deserializationFilter;
+    }
+
+    public void setDeserializationFilter(String deserializationFilter) {
+        this.deserializationFilter = deserializationFilter;
+    }
 }
diff --git 
a/components/camel-cassandraql/src/main/java/org/apache/camel/processor/aggregate/cassandra/CassandraCamelCodec.java
 
b/components/camel-cassandraql/src/main/java/org/apache/camel/processor/aggregate/cassandra/CassandraCamelCodec.java
index a4332a718a6..1cd72bc038b 100644
--- 
a/components/camel-cassandraql/src/main/java/org/apache/camel/processor/aggregate/cassandra/CassandraCamelCodec.java
+++ 
b/components/camel-cassandraql/src/main/java/org/apache/camel/processor/aggregate/cassandra/CassandraCamelCodec.java
@@ -16,11 +16,7 @@
  */
 package org.apache.camel.processor.aggregate.cassandra;
 
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.ObjectInputStream;
-import java.io.ObjectOutputStream;
+import java.io.*;
 import java.nio.ByteBuffer;
 
 import org.apache.camel.CamelContext;
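Review bot: replacing the five explicit `java.io` imports with `import java.io.*;` is a style regression that Camel's checkstyle and formatter normally reject, and it hides that the only new dependency is `java.io.ObjectInputFilter` (Java 9+); suggest keeping the explicit imports and adding `import java.io.ObjectInputFilter;`.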
@@ -62,9 +58,10 @@ public class CassandraCamelCodec {
         return ByteBuffer.wrap(serialize(pe));
     }
 
-    public Exchange unmarshallExchange(CamelContext camelContext, ByteBuffer 
buffer)
+    public Exchange unmarshallExchange(CamelContext camelContext, ByteBuffer 
buffer, String deserializationFilter)
             throws IOException, ClassNotFoundException {
-        DefaultExchangeHolder pe = (DefaultExchangeHolder) 
deserialize(camelContext, new ByteBufferInputStream(buffer));
+        DefaultExchangeHolder pe
+                = (DefaultExchangeHolder) deserialize(camelContext, new 
ByteBufferInputStream(buffer), deserializationFilter);
         Exchange answer = new DefaultExchange(camelContext);
         DefaultExchangeHolder.unmarshal(answer, pe);
         // restore the from endpoint
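Review bot: changing the signature of the public `unmarshallExchange(CamelContext, ByteBuffer)` removes the old overload, so any caller compiled against the previous version fails with `NoSuchMethodError`; suggest keeping the two-argument method as a delegate that passes the same default pattern (`java.**;org.apache.camel.**;!*`), which also guarantees that such callers get the filter rather than unfiltered deserialization.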
@@ -86,9 +83,11 @@ public class CassandraCamelCodec {
         return bytesOut.toByteArray();
     }
 
-    private Object deserialize(CamelContext camelContext, InputStream bytes) 
throws IOException, ClassNotFoundException {
+    private Object deserialize(CamelContext camelContext, InputStream bytes, 
String deserializationFilter)
+            throws IOException, ClassNotFoundException {
         ClassLoader classLoader = 
camelContext.getApplicationContextClassLoader();
         ObjectInputStream objectIn = new 
ClassLoadingAwareObjectInputStream(classLoader, bytes);
+        
objectIn.setObjectInputFilter(ObjectInputFilter.Config.createFilter(deserializationFilter));
         Object object = objectIn.readObject();
         objectIn.close();
         return object;
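Review bot: `ObjectInputFilter.Config.createFilter(deserializationFilter)` is parsed on every `deserialize` call and has no guard for a null or empty pattern: `null` throws `NullPointerException`, and an empty string yields a null filter (the method's Javadoc says the result "may be null"), after which `setObjectInputFilter(null)` leaves the stream with no filter and silently disables the protection this change introduces. Suggest building the `ObjectInputFilter` once when the pattern is set (or at repository start), rejecting null or blank values with an `IllegalArgumentException`, and passing the prebuilt filter in; the stream should also be opened in a try-with-resources so it is closed when `readObject` throws on a rejected class, which the current `objectIn.close()` after `readObject()` does not cover.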
diff --git 
a/components/camel-cassandraql/src/test/java/org/apache/camel/processor/aggregate/cassandra/CassandraCamelCodecTest.java
 
b/components/camel-cassandraql/src/test/java/org/apache/camel/processor/aggregate/cassandra/CassandraCamelCodecTest.java
new file mode 100644
index 00000000000..f7f08a7f664
--- /dev/null
+++ 
b/components/camel-cassandraql/src/test/java/org/apache/camel/processor/aggregate/cassandra/CassandraCamelCodecTest.java
@@ -0,0 +1,56 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.camel.processor.aggregate.cassandra;
+
+import java.io.*;
+import java.nio.ByteBuffer;
+
+import org.apache.camel.test.junit5.CamelTestSupport;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.malicious.example.Employee;
+
+public class CassandraCamelCodecTest extends CamelTestSupport {
+
+    CassandraCamelCodec codec;
+
+    @Override
+    protected void startCamelContext() throws Exception {
+        super.startCamelContext();
+        codec = new CassandraCamelCodec();
+    }
+
+    @Test
+    public void shouldFailWithRejected() throws IOException, 
ClassNotFoundException {
+        Employee emp = new Employee("Mickey", "Mouse");
+
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        ObjectOutputStream oos = new ObjectOutputStream(baos);
+
+        oos.writeObject(emp);
+
+        oos.flush();
+        oos.close();
+
+        InputStream is = new ByteArrayInputStream(baos.toByteArray());
+        InvalidClassException thrown = 
Assertions.assertThrows(InvalidClassException.class, () -> {
+            codec.unmarshallExchange(context, 
ByteBuffer.wrap(is.readAllBytes()), "java.**;org.apache.camel.**;!*");
+        });
+
+        Assertions.assertEquals("filter status: REJECTED", 
thrown.getMessage());
+    }
+}
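Review bot: the assertion `Assertions.assertEquals("filter status: REJECTED", thrown.getMessage())` pins the test to a JDK-internal message string that may change between releases; asserting on the `InvalidClassException` type is sufficient. The test also covers only the negative path: a round trip of a real exchange through `marshallExchange` and `unmarshallExchange` with the default pattern would show that `DefaultExchangeHolder` and its `java.*` contents are still accepted, which is the regression most likely to affect users. Minor: `new ByteArrayInputStream(baos.toByteArray())` followed by `is.readAllBytes()` can be replaced by `ByteBuffer.wrap(baos.toByteArray())`.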
diff --git 
a/components/camel-cassandraql/src/test/java/org/malicious/example/Employee.java
 
b/components/camel-cassandraql/src/test/java/org/malicious/example/Employee.java
new file mode 100644
index 00000000000..3850218d128
--- /dev/null
+++ 
b/components/camel-cassandraql/src/test/java/org/malicious/example/Employee.java
@@ -0,0 +1,46 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.malicious.example;
+
+import java.io.Serializable;
+
+public class Employee implements Serializable {
+
+    String name;
+    String surname;
+
+    public Employee(String name, String surname) {
+        this.name = name;
+        this.surname = surname;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public String getSurname() {
+        return surname;
+    }
+
+    public void setSurname(String surname) {
+        this.surname = surname;
+    }
+}
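Review bot: `Employee` implements `Serializable` without a `serialVersionUID` (compiler warning), and nothing in the file explains why a bean in a package named `org.malicious.example` exists; a one-line class comment stating that it is simply a class outside the default allow-list, used to verify that the filter rejects it, would save the next reader a search.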
diff --git 
a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_4.adoc 
b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_4.adoc
index 0bec09092bc..0343463f45f 100644
--- a/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_4.adoc
+++ b/docs/user-manual/modules/ROOT/pages/camel-4x-upgrade-guide-4_4.adoc
@@ -91,6 +91,10 @@ With the AZURE_IDENTITY mode the user will be able to use 
the Default Azure Cred
 With the SHARED_ACCOUNT_KEY mode the user could explicitly set the accessKey 
parameter.
 This is part of the effort explained in CAMEL-18590.
 
+=== camel-cassandraql
+
+The NamedCassandraAggregationRepository now provides a deserializationFilter 
parameter. The default value for it is allowing all java packages and 
subpackages and all org.apache.camel packages and subpackages. If you plan to 
use particular classes and you want to expand the filter, you should change the 
value according to your needs. More details in CAMEL-20306.
+
 === camel-consul
 
 This component has migrated from `com.orbitz.consul:consul-client` to 
`org.kiwiproject:consul-client` as the former is no longer maintained,
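Review bot: the new section names `NamedCassandraAggregationRepository`, but the diff changes `CassandraAggregationRepository`, so users of the base class may assume they are unaffected; suggest naming the base class (and its subclass) and quoting the default `java.**;org.apache.camel.**;!*` literally, since the pattern rules (first match wins, trailing `!*` rejects everything else) are what users need to extend it correctly. It is also worth stating explicitly that reading an exchange containing any class outside the allow-list now fails with an exception, as that is the behaviour change an upgrade guide reader is looking for.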
@@ -118,14 +122,14 @@ useful examples of how you might need to change your code 
to be compatible with
 
 The component has been removed after deprecation in 4.3.0
 
-=== camel-sql
-
-The JdbcAggregationRepository now provides a deserializationFilter parameter. 
The default value for it is allowing all java packages and subpackages and all 
org.apache.camel packages and subpackages. If you plan to use particular 
classes and you want to expand the filter, you should change the value 
according to your needs. More details in CAMEL-20303.
-
 === camel-jsonata
 
 Replaced the previous JSONata library with a new one that offers complete 
compatibility with the JSONata reference implementation's features.
 
+=== camel-sql
+
+The JdbcAggregationRepository now provides a deserializationFilter parameter. 
The default value for it is allowing all java packages and subpackages and all 
org.apache.camel packages and subpackages. If you plan to use particular 
classes and you want to expand the filter, you should change the value 
according to your needs. More details in CAMEL-20303.
+
 == Camel Spring Boot
 
 === Auto Configuration
