oscerd opened a new pull request, #24135: URL: https://github.com/apache/camel/pull/24135
Backport of CAMEL-23786 to the `camel-4.18.x` maintenance branch (main PR: apache/camel#24134).

Enables `MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES` by default on the camel-jackson data format's `ObjectMapper` (`JacksonDataFormat.createNewObjectMapper()`), consistent with the component's `transform/Json.java` which already enables it on this branch. Defense-in-depth against gadget-chain deserialization when polymorphic / default typing is enabled.

## Changes

- `createNewObjectMapper()` builds the mapper via `JsonMapper.builder().enable(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES).build()` (clean cherry-pick of the main commit).
- New `JacksonDataFormatPolymorphicHardeningTest` asserts the feature is enabled by default.

## Notes

- **Potential breaking change** for routes that enable polymorphic / default typing on an unsafe base type; opt out via a custom `ObjectMapper`.
- All camel-jackson module tests pass (101) on this branch; ordinary marshalling / unmarshalling is unaffected.
- The 4.18.3 upgrade-guide entry is added on `main` (`camel-4x-upgrade-guide-4_18.adoc`), per the project's docs-on-main convention.

Jira: https://issues.apache.org/jira/browse/CAMEL-23786

_Claude Code on behalf of Andrea Cosentino_
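The behaviour change described in this pull request, as an added example that is not part of the pull request or of Camel's code: the same payload is read by a plain `ObjectMapper` and by one built the way `createNewObjectMapper()` is described above. The `Envelope` class, the `UnsafeBaseTypeDemo` class name and the sample JSON are assumptions made for illustration, and Jackson 2.10 or later is assumed on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.MapperFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidDefinitionException;
import com.fasterxml.jackson.databind.json.JsonMapper;

public class UnsafeBaseTypeDemo {

    // Hypothetical message type: the class name is taken from the payload and
    // the declared base type is Object, so the payload may name any class.
    public static class Envelope {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
        public Object body;
    }

    // Constructed sample input that names a harmless JDK class.
    static final String JSON =
            "{\"body\":{\"@class\":\"java.util.HashMap\",\"k\":\"v\"}}";

    // Reads the sample payload and reports whether the mapper accepted it.
    static String outcome(ObjectMapper mapper) throws Exception {
        try {
            Envelope e = mapper.readValue(JSON, Envelope.class);
            return "accepted as " + e.body.getClass().getName();
        } catch (InvalidDefinitionException ex) {
            // Raised when Jackson builds the type deserializer for
            // Envelope.body and finds class-name typing on an Object base type.
            return "rejected: " + ex.getOriginalMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Plain mapper: the feature is off by default in Jackson 2.x.
        ObjectMapper permissive = new ObjectMapper();

        // Mapper built as the pull request describes.
        ObjectMapper hardened = JsonMapper.builder()
                .enable(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES)
                .build();

        System.out.println("permissive: " + outcome(permissive));
        System.out.println("hardened:   " + outcome(hardened));
    }
}
```

Routes whose payload classes look like `Envelope` are the ones the "potential breaking change" note applies to; declaring a specific base type instead of `Object` keeps them working with the feature enabled.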
