This is an automated email from the ASF dual-hosted git repository.
pcongiusti pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git
The following commit(s) were added to refs/heads/main by this push:
new 9ab764c15b93 feat(components): prevents potential injections
9ab764c15b93 is described below
commit 9ab764c15b93c2d972c221010baffe8d0738ada8
Author: Pasquale Congiusti <[email protected]>
AuthorDate: Wed Nov 26 09:32:03 2025 +0100
feat(components): prevents potential injections
Add a sanitization step in order to avoid potential log and header
injections
---
.../camel/http/common/DefaultHttpBinding.java | 8 +++--
.../org/apache/camel/http/common/HttpHelper.java | 20 +++++++++++--
.../apache/camel/http/common/HttpHelperTest.java | 34 ++++++++++++++++++++++
.../component/jetty12/AttachmentHttpBinding.java | 11 ++++---
4 files changed, 63 insertions(+), 10 deletions(-)
diff --git
a/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
b/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
index e0ac3d0126df..797f83c3bd05 100644
---
a/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
+++
b/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
@@ -241,11 +241,13 @@ public class DefaultHttpBinding implements HttpBinding {
String name = (String) names.nextElement();
// there may be multiple values for the same name
String[] values = request.getParameterValues(name);
- if (values != null) {
+ // Avoid potential injections
+ String[] sanitizedValues = HttpHelper.sanitizeLog(values);
+ if (sanitizedValues != null) {
if (LOG.isTraceEnabled()) {
- LOG.trace("HTTP parameter {} = {}", name,
HttpHelper.sanitizeLog(values));
+ LOG.trace("HTTP parameter {} = {}", name, sanitizedValues);
}
- for (String value : values) {
+ for (String value : sanitizedValues) {
// use http helper to extract parameter value as it may
contain multiple values
Object extracted =
HttpHelper.extractHttpParameterValue(value);
if (headerFilterStrategy != null
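Review bot: The check `if (sanitizedValues != null)` no longer protects anything, because `HttpHelper.sanitizeLog(values)` is now called before it and the array overload added in this commit dereferences `input.length` without a null guard, so a null from `request.getParameterValues(name)` would throw a NullPointerException before the check is reached. Either keep the guard ahead of the call, `if (values != null) { String[] sanitizedValues = HttpHelper.sanitizeLog(values); ... }`, or add `if (input == null) { return null; }` at the top of `sanitizeLog(String[])` in HttpHelper so the check here becomes meaningful. The same reordering appears in the second AttachmentHttpBinding hunk. Note also that the sanitized copies, not the originals, are now passed to `extractHttpParameterValue`, so parameter values containing CR or LF reach the exchange headers with those characters replaced by `_`; a short comment stating that would help readers who expect the trace-only sanitization the old code had. The enclosing loop starts before this hunk.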
diff --git
a/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpHelper.java
b/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpHelper.java
index 42cf8c975989..337e9aca3821 100644
---
a/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpHelper.java
+++
b/components/camel-http-common/src/main/java/org/apache/camel/http/common/HttpHelper.java
@@ -363,16 +363,30 @@ public final class HttpHelper {
* Sanitize log: it removes any new line and carriage return in order to
avoid third party integrations with logging
* system to suffer potential log injection.
*
- * @param input the log trace
- * @return a sanitized log trace
+ * @param input the log traces
+ * @return sanitized log traces
*/
public static String[] sanitizeLog(String[] input) {
String[] sanitizedLog = new String[input.length];
for (int i = 0; i < input.length; i++) {
- sanitizedLog[i] = input[i].replaceAll("[\n\r]", "_");
+ sanitizedLog[i] = sanitizeLog(input[i]);
}
return sanitizedLog;
}
+ /**
+ * Sanitize log: it removes any new line and carriage return in order to
avoid third party integrations with logging
+ * system to suffer potential log injection.
+ *
+ * @param input the log trace
+ * @return a sanitized log trace
+ */
+ public static String sanitizeLog(String input) {
+ if (input == null) {
+ return null;
+ }
+ return input.replaceAll("[\n\r]", "_");
+ }
+
}
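Review bot: The Javadoc on both overloads says the method "removes" new lines and carriage returns, but `input.replaceAll("[\n\r]", "_")` replaces them with an underscore, and since this commit also feeds the result into header values the description should say so; a suggested first sentence is `Replaces any CR or LF in the input with '_' so the value can be logged or placed in a header without line-based injection.` Only those two characters are touched — other control characters pass through unchanged — which is worth stating in the Javadoc so callers do not assume broader sanitization. `replaceAll` compiles the regex on every call, and this now runs once per parameter value; a `private static final Pattern CRLF = Pattern.compile("[\n\r]");` used as `CRLF.matcher(input).replaceAll("_")` avoids that without changing the result.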
diff --git
a/components/camel-http-common/src/test/java/org/apache/camel/http/common/HttpHelperTest.java
b/components/camel-http-common/src/test/java/org/apache/camel/http/common/HttpHelperTest.java
new file mode 100644
index 000000000000..7bd93c0ff1c7
--- /dev/null
+++
b/components/camel-http-common/src/test/java/org/apache/camel/http/common/HttpHelperTest.java
@@ -0,0 +1,34 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.camel.http.common;
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+
+public class HttpHelperTest {
+
+ @Test
+ public void testSanitizeLog() {
+ String values[] = { "This is ok", "Bad stuff \nhere\n", "Another bad
\rthing here" };
+ String expectedValues[] = { "This is ok", "Bad stuff _here_", "Another
bad _thing here" };
+
+ String sanitized[] = HttpHelper.sanitizeLog(values);
+
+ assertArrayEquals(expectedValues, sanitized);
+ }
+}
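Review bot: The test exercises only the array overload, so the null branch added in `sanitizeLog(String)` and a null element inside the array (which the array overload now tolerates by delegating per element) are not covered; adding `assertNull(HttpHelper.sanitizeLog((String) null));` and an array case such as `{ "ok", null }` expecting `{ "ok", null }` would pin that behavior. A `"\r\n"` input is also worth a case, since it maps to two underscores rather than one and that is easy to change by accident if the regex is later edited. The C-style declarations `String values[]` are legal but unidiomatic; `String[] values` matches the declarations in DefaultHttpBinding.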
diff --git
a/components/camel-jetty/src/main/java/org/apache/camel/component/jetty12/AttachmentHttpBinding.java
b/components/camel-jetty/src/main/java/org/apache/camel/component/jetty12/AttachmentHttpBinding.java
index e299db0b555c..fd15b719c2cc 100644
---
a/components/camel-jetty/src/main/java/org/apache/camel/component/jetty12/AttachmentHttpBinding.java
+++
b/components/camel-jetty/src/main/java/org/apache/camel/component/jetty12/AttachmentHttpBinding.java
@@ -112,7 +112,8 @@ final class AttachmentHttpBinding extends
DefaultHttpBinding {
DataHandler dh = am.getAttachment(name);
Object value = dh;
if (dh.getContentType() == null ||
dh.getContentType().startsWith("text/plain")) {
- value = request.getParameter(name);
+ // prevent potential injections
+ value =
HttpHelper.sanitizeLog(request.getParameter(name));
}
if (getHeaderFilterStrategy() != null
&&
!getHeaderFilterStrategy().applyFilterToExternalHeaders(name, value,
message.getExchange())) {
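Review bot: The comment `// prevent potential injections` does not tell a reader that `value` now holds an altered copy of the parameter: for a text/plain attachment every CR and LF in `request.getParameter(name)` is replaced with `_` before the value is offered to the header filter and stored on the message, so multi-line text fields are silently changed. A comment such as `// CR/LF are replaced with '_' so the value cannot inject into logs or headers; multi-line values are therefore altered` would make that trade-off explicit at the point where it happens. `sanitizeLog(String)` returns null for a null input, so the previous behavior for an absent parameter is preserved here. The enclosing method begins before this hunk.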
@@ -123,11 +124,13 @@ final class AttachmentHttpBinding extends
DefaultHttpBinding {
// there may be multiple values for the same name
String[] values = request.getParameterValues(name);
- if (values != null) {
+ // Avoid potential injections
+ String[] sanitizedValues = HttpHelper.sanitizeLog(values);
+ if (sanitizedValues != null) {
if (LOG.isTraceEnabled()) {
- LOG.trace("HTTP parameter {} = {}", name,
HttpHelper.sanitizeLog(values));
+ LOG.trace("HTTP parameter {} = {}", name,
sanitizedValues);
}
- for (String value : values) {
+ for (String value : sanitizedValues) {
// use http helper to extract parameter value as it
may contain multiple values
Object extracted =
HttpHelper.extractHttpParameterValue(value);
if (getHeaderFilterStrategy() != null