This is an automated email from the ASF dual-hosted git repository. davsclaus pushed a commit to branch camel-2.25.x in repository https://gitbox.apache.org/repos/asf/camel.git
The following commit(s) were added to refs/heads/camel-2.25.x by this push: new ae5e270 CAMEL-15050: Templating components - Variable map to be limited to body/headers ae5e270 is described below commit ae5e2701a0f3ebe93291c5703c87865c50c009a4 Author: Claus Ibsen <claus.ib...@gmail.com> AuthorDate: Tue May 12 09:33:00 2020 +0200 CAMEL-15050: Templating components - Variable map to be limited to body/headers --- .../src/main/docs/velocity-component.adoc | 6 ++++-- .../camel/component/velocity/VelocityComponent.java | 17 +++++++++++++++++ .../camel/component/velocity/VelocityEndpoint.java | 2 +- .../camel/component/velocity/VelocityEndpointTest.java | 1 + .../velocity/VelocityMethodInvokationTest.java | 2 +- .../velocity/VelocityOverridesPropertiesTest.java | 2 +- .../camel/component/velocity/VelocitySetHeaderTest.java | 2 +- .../velocity/VelocitySupplementalContextTest.java | 2 +- .../apache/camel/component/velocity/VelocityTest.java | 2 +- .../velocity/VelocityValuesInPropertiesTest.java | 2 +- .../apache/camel/component/velocity/camel-context.xml | 4 ++-- .../springboot/VelocityComponentConfiguration.java | 16 ++++++++++++++++ 12 files changed, 47 insertions(+), 11 deletions(-) diff --git a/components/camel-velocity/src/main/docs/velocity-component.adoc b/components/camel-velocity/src/main/docs/velocity-component.adoc index 9a8c0d2..ddc16c4 100644 --- a/components/camel-velocity/src/main/docs/velocity-component.adoc +++ b/components/camel-velocity/src/main/docs/velocity-component.adoc @@ -41,7 +41,7 @@ You can append query options to the URI in the following format, // component options: START -The Velocity component supports 3 options, which are listed below. +The Velocity component supports 4 options, which are listed below. 
@@ -50,6 +50,7 @@ The Velocity component supports 3 options, which are listed below. | Name | Description | Default | Type | *velocityEngine* (advanced) | To use the VelocityEngine otherwise a new engine is created | | VelocityEngine | *allowTemplateFrom Header* (producer) | Whether to allow to use resource template from header or not (default false). Enabling this allows to specify dynamic templates via message header. However this can be seen as a potential security vulnerability if the header is coming from a malicious user, so use this with care. | false | boolean +| *allowContextMapAll* (producer) | Sets whether the context map should allow access to all details. By default only the message body and headers can be accessed. This option can be enabled for full access to the current Exchange and CamelContext. Doing so impose a potential security risk as this opens access to the full power of CamelContext API. | false | boolean | *resolveProperty Placeholders* (advanced) | Whether the component should resolve property placeholders on itself when starting. Only properties which are of String type can use property placeholders. | true | boolean |=== // component options: END 
@@ -76,12 +77,13 @@ with the following path and query parameters: |=== -=== Query Parameters (6 parameters): +=== Query Parameters (7 parameters): [width="100%",cols="2,5,^1,2",options="header"] |=== | Name | Description | Default | Type +| *allowContextMapAll* (producer) | Sets whether the context map should allow access to all details. By default only the message body and headers can be accessed. This option can be enabled for full access to the current Exchange and CamelContext. Doing so impose a potential security risk as this opens access to the full power of CamelContext API. | false | boolean | *allowTemplateFromHeader* (producer) | Whether to allow to use resource template from header or not (default false). Enabling this allows to specify dynamic templates via message header. However this can be seen as a potential security vulnerability if the header is coming from a malicious user, so use this with care. | false | boolean | *contentCache* (producer) | Sets whether to use resource content cache or not | false | boolean | *encoding* (producer) | Character encoding of the resource content. | | String diff --git a/components/camel-velocity/src/main/java/org/apache/camel/component/velocity/VelocityComponent.java b/components/camel-velocity/src/main/java/org/apache/camel/component/velocity/VelocityComponent.java index a10e750..269d411 100644 --- a/components/camel-velocity/src/main/java/org/apache/camel/component/velocity/VelocityComponent.java +++ b/components/camel-velocity/src/main/java/org/apache/camel/component/velocity/VelocityComponent.java @@ -31,6 +31,8 @@ public class VelocityComponent extends UriEndpointComponent { @Metadata(defaultValue = "false") private boolean allowTemplateFromHeader; + @Metadata(defaultValue = "false") + private boolean allowContextMapAll; @Metadata(label = "advanced") private VelocityEngine velocityEngine; 
@@ -63,6 +65,20 @@ public class VelocityComponent extends UriEndpointComponent { this.allowTemplateFromHeader = allowTemplateFromHeader; } + public boolean isAllowContextMapAll() { + return allowContextMapAll; + } + + /** + * Sets whether the context map should allow access to all details. + * By default only the message body and headers can be accessed. + * This option can be enabled for full access to the current Exchange and CamelContext. + * Doing so impose a potential security risk as this opens access to the full power of CamelContext API. + */ + public void setAllowContextMapAll(boolean allowContextMapAll) { + this.allowContextMapAll = allowContextMapAll; + } + @Override protected Endpoint createEndpoint(String uri, String remaining, Map<String, Object> parameters) throws Exception { boolean cache = getAndRemoveParameter(parameters, "contentCache", Boolean.class, Boolean.TRUE); @@ -71,6 +87,7 @@ public class VelocityComponent extends UriEndpointComponent { answer.setContentCache(cache); answer.setVelocityEngine(velocityEngine); answer.setAllowTemplateFromHeader(allowTemplateFromHeader); + answer.setAllowContextMapAll(allowContextMapAll); setProperties(answer, parameters); diff --git a/components/camel-velocity/src/main/java/org/apache/camel/component/velocity/VelocityEndpoint.java b/components/camel-velocity/src/main/java/org/apache/camel/component/velocity/VelocityEndpoint.java index ead3a19..aff472b 100644 --- a/components/camel-velocity/src/main/java/org/apache/camel/component/velocity/VelocityEndpoint.java +++ b/components/camel-velocity/src/main/java/org/apache/camel/component/velocity/VelocityEndpoint.java 
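Review bot: In the `createEndpoint` hunk, `answer.setAllowContextMapAll(allowContextMapAll)` runs before `setProperties(answer, parameters)`, so the component-level value is only a default. An endpoint URI carrying `allowContextMapAll=true` (the form the updated tests use) still turns on full Exchange/CamelContext access for that endpoint. That matters wherever endpoint URIs are assembled from data the route author does not fully control. The setter Javadoc added in the previous hunk should say so, for example `Endpoint URIs can override this value; leaving it false here does not stop an individual endpoint from enabling it.` The body of `createEndpoint` continues outside the hunk, so any later handling of the parameter is not visible here.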
@@ -224,7 +224,7 @@ public class VelocityEndpoint extends ResourceEndpoint { velocityContext = exchange.getIn().getHeader(VelocityConstants.VELOCITY_CONTEXT, Context.class); } if (velocityContext == null) { - Map<String, Object> variableMap = ExchangeHelper.createVariableMap(exchange); + Map<String, Object> variableMap = ExchangeHelper.createVariableMap(exchange, isAllowContextMapAll()); if (allowTemplateFromHeader) { @SuppressWarnings("unchecked") Map<String, Object> supplementalMap = exchange.getIn().getHeader(VelocityConstants.VELOCITY_SUPPLEMENTAL_CONTEXT, Map.class); diff --git a/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocityEndpointTest.java b/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocityEndpointTest.java index 5a38969..9463dd5 100644 --- a/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocityEndpointTest.java +++ b/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocityEndpointTest.java @@ -30,6 +30,7 @@ public class VelocityEndpointTest extends VelocityTest { endpoint.setCamelContext(context); endpoint.setResourceUri("org/apache/camel/component/velocity/example.vm"); endpoint.setAllowTemplateFromHeader(true); + endpoint.setAllowContextMapAll(true); context.addEndpoint("velo", endpoint); diff --git a/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocityMethodInvokationTest.java b/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocityMethodInvokationTest.java index f26f29c..f2d487f 100644 --- a/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocityMethodInvokationTest.java +++ b/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocityMethodInvokationTest.java 
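Review bot: The restricted variable map is only built inside `if (velocityContext == null)`, so a `Context` read from the `VelocityConstants.VELOCITY_CONTEXT` header just above is used as supplied and never passes through `createVariableMap(exchange, isAllowContextMapAll())`. The condition guarding that header lookup starts outside the hunk, so it may already be tied to an opt-in flag; if it is not, the body/headers limit does not apply to messages that carry that header. The supplemental map from `VELOCITY_SUPPLEMENTAL_CONTEXT` is likewise merged whenever `allowTemplateFromHeader` is on, independent of `allowContextMapAll`. I would add a comment above the `if`, e.g. `// allowContextMapAll limits only the map built here; a header-supplied Context is used unchanged`, and state the same in the option's documentation.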
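Review bot: Every test touched by this commit opts back into the permissive mode, so nothing in this module exercises the new restricted default. That is `endpoint.setAllowContextMapAll(true)` here, and `allowContextMapAll=true` appended to the URIs in VelocityMethodInvokationTest, VelocityOverridesPropertiesTest, VelocitySupplementalContextTest, VelocityTest, VelocityValuesInPropertiesTest and camel-context.xml. A later change that widened the default map again would still pass the suite. I would add a route without the option whose template refers to the Exchange or CamelContext, and assert that the reference is not resolved. A short comment next to each opt-in should say which template variable requires it, e.g. `// example.vm reads values beyond body/headers, so the full context map is required`, if that is indeed the reason.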
@@ -50,7 +50,7 @@ public class VelocityMethodInvokationTest extends CamelTestSupport { public void configure() { from("direct:a") .setHeader("esc", constant(new EscapeTool())) - .to("velocity:org/apache/camel/component/velocity/escape.vm"); + .to("velocity:org/apache/camel/component/velocity/escape.vm?allowContextMapAll=true"); } }; } diff --git a/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocityOverridesPropertiesTest.java b/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocityOverridesPropertiesTest.java index a600119..f5be535 100644 --- a/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocityOverridesPropertiesTest.java +++ b/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocityOverridesPropertiesTest.java @@ -43,7 +43,7 @@ public class VelocityOverridesPropertiesTest extends CamelTestSupport { return new RouteBuilder() { public void configure() throws Exception { from("direct:a") - .to("velocity:org/apache/camel/component/velocity/example.vm?propertiesFile=org/apache/camel/component/velocity/velocity-logging.properties"); + .to("velocity:org/apache/camel/component/velocity/example.vm?propertiesFile=org/apache/camel/component/velocity/velocity-logging.properties&allowContextMapAll=true"); } }; } diff --git a/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocitySetHeaderTest.java b/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocitySetHeaderTest.java index ad6c177..1de84ef 100644 --- a/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocitySetHeaderTest.java +++ b/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocitySetHeaderTest.java 
@@ -39,7 +39,7 @@ public class VelocitySetHeaderTest extends CamelSpringTestSupport { assertRespondsWith("orange", "I am an orange"); } - protected void assertRespondsWith(final String value, String expectedBody) throws InvalidPayloadException, InterruptedException { + protected void assertRespondsWith(final String value, String expectedBody) throws Exception { MockEndpoint mock = getMockEndpoint("mock:result"); mock.expectedMessageCount(1); mock.expectedHeaderReceived("fruit", value); diff --git a/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocitySupplementalContextTest.java b/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocitySupplementalContextTest.java index 93244b4..93d5e5f 100644 --- a/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocitySupplementalContextTest.java +++ b/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocitySupplementalContextTest.java @@ -61,7 +61,7 @@ public class VelocitySupplementalContextTest extends CamelTestSupport { public void configure() throws Exception { from("direct:input") .setHeader(VelocityConstants.VELOCITY_SUPPLEMENTAL_CONTEXT).constant(supplementalContext) - .to("velocity:template-in-header?allowTemplateFromHeader=true") + .to("velocity:template-in-header?allowTemplateFromHeader=true&allowContextMapAll=true") .to("mock:results"); } }; diff --git a/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocityTest.java b/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocityTest.java index 423e8d7f..76c65c6 100644 --- a/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocityTest.java +++ b/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocityTest.java 
@@ -76,7 +76,7 @@ public class VelocityTest extends CamelTestSupport { public void configure() { // START SNIPPET: example from("direct:a"). - to("velocity:org/apache/camel/component/velocity/example.vm?allowTemplateFromHeader=true"); + to("velocity:org/apache/camel/component/velocity/example.vm?allowTemplateFromHeader=true&allowContextMapAll=true"); // END SNIPPET: example } }; diff --git a/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocityValuesInPropertiesTest.java b/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocityValuesInPropertiesTest.java index 2fa24a5..1b1abc6 100644 --- a/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocityValuesInPropertiesTest.java +++ b/components/camel-velocity/src/test/java/org/apache/camel/component/velocity/VelocityValuesInPropertiesTest.java @@ -49,7 +49,7 @@ public class VelocityValuesInPropertiesTest extends CamelTestSupport { return new RouteBuilder() { public void configure() throws Exception { from("direct:a") - .to("velocity:dummy?allowTemplateFromHeader=true") + .to("velocity:dummy?allowTemplateFromHeader=true&allowContextMapAll=true") .to("mock:result"); } }; diff --git a/components/camel-velocity/src/test/resources/org/apache/camel/component/velocity/camel-context.xml b/components/camel-velocity/src/test/resources/org/apache/camel/component/velocity/camel-context.xml index 0091eed..cfecf47 100644 --- a/components/camel-velocity/src/test/resources/org/apache/camel/component/velocity/camel-context.xml +++ b/components/camel-velocity/src/test/resources/org/apache/camel/component/velocity/camel-context.xml 
@@ -28,12 +28,12 @@ <from uri="direct:start"/> <filter> <method bean="fruitFilter" method="isApple"/> - <to uri="velocity:org/apache/camel/component/velocity/AppleTemplate.vm" /> + <to uri="velocity:org/apache/camel/component/velocity/AppleTemplate.vm?allowContextMapAll=true" /> <to uri="mock:result" /> </filter> <filter> <method bean="fruitFilter" method="isOrange"/> - <to uri="velocity:org/apache/camel/component/velocity/OrangeTemplate.vm" /> + <to uri="velocity:org/apache/camel/component/velocity/OrangeTemplate.vm?allowContextMapAll=true" /> <to uri="mock:result" /> </filter> </route> diff --git a/platforms/spring-boot/components-starter/camel-velocity-starter/src/main/java/org/apache/camel/component/velocity/springboot/VelocityComponentConfiguration.java b/platforms/spring-boot/components-starter/camel-velocity-starter/src/main/java/org/apache/camel/component/velocity/springboot/VelocityComponentConfiguration.java index a513de1..09835e8 100644 --- a/platforms/spring-boot/components-starter/camel-velocity-starter/src/main/java/org/apache/camel/component/velocity/springboot/VelocityComponentConfiguration.java +++ b/platforms/spring-boot/components-starter/camel-velocity-starter/src/main/java/org/apache/camel/component/velocity/springboot/VelocityComponentConfiguration.java @@ -49,6 +49,14 @@ public class VelocityComponentConfiguration */ private Boolean allowTemplateFromHeader = false; /** + * Sets whether the context map should allow access to all details. By + * default only the message body and headers can be accessed. This option + * can be enabled for full access to the current Exchange and CamelContext. + * Doing so impose a potential security risk as this opens access to the + * full power of CamelContext API. + */ + private Boolean allowContextMapAll = false; + /** * Whether the component should resolve property placeholders on itself when * starting. Only properties which are of String type can use property * placeholders. 
@@ -71,6 +79,14 @@ public class VelocityComponentConfiguration this.allowTemplateFromHeader = allowTemplateFromHeader; } + public Boolean getAllowContextMapAll() { + return allowContextMapAll; + } + + public void setAllowContextMapAll(Boolean allowContextMapAll) { + this.allowContextMapAll = allowContextMapAll; + } + public Boolean getResolvePropertyPlaceholders() { return resolvePropertyPlaceholders; }