oscerd opened a new pull request, #24078: URL: https://github.com/apache/camel/pull/24078
This applies an `ObjectInputFilter` to the aggregation-repository **key** deserialization path in `DefaultLevelDBSerializer`, closing a defense-in-depth gap. The exchange path already installs a filter (via `deserializeExchange(..., deserializationFilter)`), but `deserializeKey(byte[])` read key bytes through a raw `ObjectInputStream` with no filter.

Keys are always serialized as a `java.lang.String` (`serializeKey(String)`), so the filter is scoped to `java.lang.String` plus JEP-290 graph-shape limits (`maxdepth`/`maxrefs`/`maxbytes`), consistent with the exchange-path filter style. Legitimate String keys still round-trip; any other (object-graph) payload is rejected.

## Changes

- `DefaultLevelDBSerializer.deserializeKey` installs a `String`-scoped `ObjectInputFilter`.
- New unit test `DefaultLevelDBSerializerKeyFilterTest` covering the String round-trip and rejection of a non-String payload.

## Notes

- No public API change; the `@Deprecated` `LevelDBSerializer` / `LevelDBCamelCodec` interfaces are untouched.
- Not a breaking change: the repository reads keys as plain UTF-8 strings (`LevelDBAggregationRepository.getKeys()`), so this hardens a latent sink reachable via the deprecated codec or custom serializer use — no upgrade-guide entry needed.
- Verified with the `camel-leveldb` module tests (78 passed) and a full `mvn clean install -DskipTests` reactor build (BUILD SUCCESS).

Jira: https://issues.apache.org/jira/browse/CAMEL-23782

_Claude Code on behalf of Andrea Cosentino_

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
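
The pattern the description refers to, as an added example that is not code from the pull request or from Camel: a JEP-290 filter that admits only `java.lang.String` under graph-shape limits, checked against a String key and a non-String payload. The class name `KeyFilterDemo`, the helper names, the limit values and the trailing `!*` reject-all clause are assumptions made for illustration; the PR text does not give its filter string.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;

public class KeyFilterDemo {
    // Assumed filter string: allow java.lang.String, cap the graph shape, and
    // reject everything else. Without "!*" an unmatched class is UNDECIDED,
    // which ObjectInputStream treats as allowed.
    private static final ObjectInputFilter KEY_FILTER = ObjectInputFilter.Config.createFilter(
            "java.lang.String;maxdepth=2;maxrefs=10;maxbytes=65536;!*");

    // Java-serializes any object, the way a key or a hostile payload would arrive.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Hypothetical stand-in for a key deserializer: the filter is installed
    // before readObject(), so a rejected class is never instantiated.
    static String deserializeKey(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(KEY_FILTER);
            return (String) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key: a plain String round-trips unchanged.
        System.out.println("accepted: " + deserializeKey(serialize("correlation-42")));

        // Constructed non-String payload: rejected at class resolution.
        List<String> notAKey = new ArrayList<>(List.of("x"));
        try {
            deserializeKey(serialize(notAKey));
            throw new AssertionError("non-String payload was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The rejection surfaces as `InvalidClassException` from `readObject()`, which is the signal a caller or test can assert on.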
