This is an automated email from the ASF dual-hosted git repository. davsclaus pushed a commit to branch camel-2.25.x in repository https://gitbox.apache.org/repos/asf/camel.git
The following commit(s) were added to refs/heads/camel-2.25.x by this push: new 4aea303 CAMEL-15050: Templating components - Variable map to be limited to body/headers 4aea303 is described below commit 4aea303eee1a902df8a714ae85ebf6b7064ee02c Author: Claus Ibsen <claus.ib...@gmail.com> AuthorDate: Tue May 12 09:14:07 2020 +0200 CAMEL-15050: Templating components - Variable map to be limited to body/headers --- components/camel-mvel/src/main/docs/mvel-component.adoc | 6 ++++-- .../org/apache/camel/component/mvel/MvelComponent.java | 17 +++++++++++++++++ .../org/apache/camel/component/mvel/MvelEndpoint.java | 2 +- .../apache/camel/language/mvel/MvelComponentTest.java | 2 +- components/camel-mvel/src/test/resources/template.mvel | 2 +- components/camel-mvel/src/test/resources/template2.mvel | 2 +- .../mvel/springboot/MvelComponentConfiguration.java | 16 ++++++++++++++++ 7 files changed, 41 insertions(+), 6 deletions(-) diff --git a/components/camel-mvel/src/main/docs/mvel-component.adoc b/components/camel-mvel/src/main/docs/mvel-component.adoc index e342cb6..0315a06 100644 --- a/components/camel-mvel/src/main/docs/mvel-component.adoc +++ b/components/camel-mvel/src/main/docs/mvel-component.adoc @@ -39,7 +39,7 @@ You can append query options to the URI in the following format, // component options: START -The MVEL component supports 2 options, which are listed below. +The MVEL component supports 3 options, which are listed below. 
@@ -47,6 +47,7 @@ The MVEL component supports 2 options, which are listed below. |=== | Name | Description | Default | Type | *allowTemplateFrom Header* (producer) | Whether to allow to use resource template from header or not (default false). Enabling this allows to specify dynamic templates via message header. However this can be seen as a potential security vulnerability if the header is coming from a malicious user, so use this with care. | false | boolean +| *allowContextMapAll* (producer) | Sets whether the context map should allow access to all details. By default only the message body and headers can be accessed. This option can be enabled for full access to the current Exchange and CamelContext. Doing so impose a potential security risk as this opens access to the full power of CamelContext API. | false | boolean | *resolveProperty Placeholders* (advanced) | Whether the component should resolve property placeholders on itself when starting. Only properties which are of String type can use property placeholders. | true | boolean |=== // component options: END 
@@ -73,12 +74,13 @@ with the following path and query parameters: |=== -=== Query Parameters (4 parameters): +=== Query Parameters (5 parameters): [width="100%",cols="2,5,^1,2",options="header"] |=== | Name | Description | Default | Type +| *allowContextMapAll* (producer) | Sets whether the context map should allow access to all details. By default only the message body and headers can be accessed. This option can be enabled for full access to the current Exchange and CamelContext. Doing so impose a potential security risk as this opens access to the full power of CamelContext API. | false | boolean | *allowTemplateFromHeader* (producer) | Whether to allow to use resource template from header or not (default false). Enabling this allows to specify dynamic templates via message header. However this can be seen as a potential security vulnerability if the header is coming from a malicious user, so use this with care. | false | boolean | *contentCache* (producer) | Sets whether to use resource content cache or not | false | boolean | *encoding* (producer) | Character encoding of the resource content. | | String diff --git a/components/camel-mvel/src/main/java/org/apache/camel/component/mvel/MvelComponent.java b/components/camel-mvel/src/main/java/org/apache/camel/component/mvel/MvelComponent.java index 53eb41d..285ce9e 100644 --- a/components/camel-mvel/src/main/java/org/apache/camel/component/mvel/MvelComponent.java +++ b/components/camel-mvel/src/main/java/org/apache/camel/component/mvel/MvelComponent.java @@ -31,6 +31,8 @@ public class MvelComponent extends UriEndpointComponent { @Metadata(defaultValue = "false") private boolean allowTemplateFromHeader; + @Metadata(defaultValue = "false") + private boolean allowContextMapAll; public MvelComponent() { super(MvelEndpoint.class); 
@@ -42,6 +44,7 @@ public class MvelComponent extends UriEndpointComponent { MvelEndpoint answer = new MvelEndpoint(uri, this, remaining); answer.setContentCache(cache); answer.setAllowTemplateFromHeader(allowTemplateFromHeader); + answer.setAllowContextMapAll(allowContextMapAll); setProperties(answer, parameters); @@ -68,4 +71,18 @@ public class MvelComponent extends UriEndpointComponent { this.allowTemplateFromHeader = allowTemplateFromHeader; } + public boolean isAllowContextMapAll() { + return allowContextMapAll; + } + + /** + * Sets whether the context map should allow access to all details. + * By default only the message body and headers can be accessed. + * This option can be enabled for full access to the current Exchange and CamelContext. + * Doing so impose a potential security risk as this opens access to the full power of CamelContext API. + */ + public void setAllowContextMapAll(boolean allowContextMapAll) { + this.allowContextMapAll = allowContextMapAll; + } + } diff --git a/components/camel-mvel/src/main/java/org/apache/camel/component/mvel/MvelEndpoint.java b/components/camel-mvel/src/main/java/org/apache/camel/component/mvel/MvelEndpoint.java index 4187413..dc52013 100644 --- a/components/camel-mvel/src/main/java/org/apache/camel/component/mvel/MvelEndpoint.java +++ b/components/camel-mvel/src/main/java/org/apache/camel/component/mvel/MvelEndpoint.java @@ -111,7 +111,7 @@ public class MvelEndpoint extends ResourceEndpoint { CompiledTemplate compiled; ParserContext mvelContext = ParserContext.create(); - Map<String, Object> variableMap = ExchangeHelper.createVariableMap(exchange); + Map<String, Object> variableMap = ExchangeHelper.createVariableMap(exchange, isAllowContextMapAll()); String content = null; if (allowTemplateFromHeader) { 
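Review bot: The component-level `allowContextMapAll` is copied onto the endpoint just before `setProperties(answer, parameters)`, so it presumably acts only as a default: an endpoint URI carrying `allowContextMapAll=true` would still enable full Exchange/CamelContext access when the component is set to `false`. This mirrors the `allowTemplateFromHeader` line above it, but a comment would stop operators reading the component option as an enforced policy, for example `// component value is only a default; a URI parameter can still override it`. Routes that build `mvel:` URIs from message data should therefore be treated as able to flip this flag. The enclosing method starts and ends outside the hunk.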
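Review bot: The new setter Javadoc says "Doing so impose a potential security risk", which should read "Doing so imposes a potential security risk". The same sentence is repeated in both adoc tables and in the `MvelComponentConfiguration` field comment. The Javadoc also does not tell users what breaks by default: the test templates in this commit had to change `request.body` to `body`, so a line such as `* Templates that reference {@code request.body} must switch to {@code body} or enable this option.` would make the migration explicit. `isAllowContextMapAll()` has no Javadoc at all; a one-line `/** Whether templates get the full Exchange/CamelContext variable map. */` would match the setter.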
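Review bot: `isAllowContextMapAll()` is called on the changed line, but this commit adds no such accessor to `MvelEndpoint`, so it is presumably inherited from `ResourceEndpoint` through a camel-core change not shown here; confirm the branch builds with this commit alone. Separately, the two-argument `createVariableMap` narrows which Camel objects the template is handed, but the visible `ParserContext.create()` is still used with defaults, so this should not be read as a sandbox for the template language. The next visible line still honours `allowTemplateFromHeader`, where the template text itself comes from a message header. A comment on the call would keep that distinction clear, e.g. `// limits exposed variables only; the template source must still be trusted`. The enclosing method starts and ends outside the hunk.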
diff --git a/components/camel-mvel/src/test/java/org/apache/camel/language/mvel/MvelComponentTest.java b/components/camel-mvel/src/test/java/org/apache/camel/language/mvel/MvelComponentTest.java index 768fecc..b2606c2 100644 --- a/components/camel-mvel/src/test/java/org/apache/camel/language/mvel/MvelComponentTest.java +++ b/components/camel-mvel/src/test/java/org/apache/camel/language/mvel/MvelComponentTest.java @@ -73,7 +73,7 @@ public class MvelComponentTest extends CamelTestSupport { to("mvel:template.mvel"); from("direct:b"). - to("mvel:template.mvel?allowTemplateFromHeader=true"); + to("mvel:template.mvel?allowTemplateFromHeader=true&allowContextMapAll=true"); // END SNIPPET: example } }; diff --git a/components/camel-mvel/src/test/resources/template.mvel b/components/camel-mvel/src/test/resources/template.mvel index 84be224..368dda6 100644 --- a/components/camel-mvel/src/test/resources/template.mvel +++ b/components/camel-mvel/src/test/resources/template.mvel @@ -1 +1 @@ -{ "text": "@{"The result is " + request.body * 2}" } \ No newline at end of file +{ "text": "@{"The result is " + body * 2}" } \ No newline at end of file diff --git a/components/camel-mvel/src/test/resources/template2.mvel b/components/camel-mvel/src/test/resources/template2.mvel index fd89eeb..2e86ad5 100644 --- a/components/camel-mvel/src/test/resources/template2.mvel +++ b/components/camel-mvel/src/test/resources/template2.mvel @@ -1 +1 @@ -{ "text": "@{"The result is " + request.body * 4}" } \ No newline at end of file +{ "text": "@{"The result is " + body * 4}" } \ No newline at end of file diff --git a/platforms/spring-boot/components-starter/camel-mvel-starter/src/main/java/org/apache/camel/component/mvel/springboot/MvelComponentConfiguration.java b/platforms/spring-boot/components-starter/camel-mvel-starter/src/main/java/org/apache/camel/component/mvel/springboot/MvelComponentConfiguration.java index 7b16cbd..6b2aebd 100644 
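Review bot: The only test change switches `allowContextMapAll=true` on for the `direct:b` route, so nothing asserts the new restrictive default. No visible test checks that a template reaching for the exchange or context is refused, or resolves to nothing, when the option is left at `false`. Because that restriction is the security-relevant part of the commit, a negative test with the default setting would guard against a regression. It is also unclear why route b needs the flag, since both templates now use only `body`; if it is not required, dropping it avoids showing the less safe setting inside the `// END SNIPPET: example` region, which looks like it is pulled into documentation. The route builder continues outside the hunk.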
--- a/platforms/spring-boot/components-starter/camel-mvel-starter/src/main/java/org/apache/camel/component/mvel/springboot/MvelComponentConfiguration.java +++ b/platforms/spring-boot/components-starter/camel-mvel-starter/src/main/java/org/apache/camel/component/mvel/springboot/MvelComponentConfiguration.java @@ -44,6 +44,14 @@ public class MvelComponentConfiguration */ private Boolean allowTemplateFromHeader = false; /** + * Sets whether the context map should allow access to all details. By + * default only the message body and headers can be accessed. This option + * can be enabled for full access to the current Exchange and CamelContext. + * Doing so impose a potential security risk as this opens access to the + * full power of CamelContext API. + */ + private Boolean allowContextMapAll = false; + /** * Whether the component should resolve property placeholders on itself when * starting. Only properties which are of String type can use property * placeholders. @@ -58,6 +66,14 @@ public class MvelComponentConfiguration this.allowTemplateFromHeader = allowTemplateFromHeader; } + public Boolean getAllowContextMapAll() { + return allowContextMapAll; + } + + public void setAllowContextMapAll(Boolean allowContextMapAll) { + this.allowContextMapAll = allowContextMapAll; + } + public Boolean getResolvePropertyPlaceholders() { return resolvePropertyPlaceholders; }