This is an automated email from the ASF dual-hosted git repository. acosentino pushed a commit to branch 23029-4.14.x in repository https://gitbox.apache.org/repos/asf/camel.git
commit ca3eabe514b07ded64752cbe6c7a5d6a9121af03 Author: Andrea Cosentino <[email protected]> AuthorDate: Wed Feb 18 14:37:24 2026 +0100 CAMEL-23029 - Camel-Consul: Add ObjectInputFilter String pattern parameter in ConsulRegistry to be used in deserialize operations Signed-off-by: Andrea Cosentino <[email protected]> --- .../camel/component/consul/ConsulRegistry.java | 51 ++++++++++++++++++---- .../component/consul/ConsulRegistryUtilsTest.java | 5 ++- 2 files changed, 45 insertions(+), 11 deletions(-) diff --git a/components/camel-consul/src/main/java/org/apache/camel/component/consul/ConsulRegistry.java b/components/camel-consul/src/main/java/org/apache/camel/component/consul/ConsulRegistry.java index ee3e36b090e8..aded2cf4122e 100644 --- a/components/camel-consul/src/main/java/org/apache/camel/component/consul/ConsulRegistry.java +++ b/components/camel-consul/src/main/java/org/apache/camel/component/consul/ConsulRegistry.java @@ -19,6 +19,7 @@ package org.apache.camel.component.consul; import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; +import java.io.ObjectInputFilter; import java.io.ObjectInputStream; import java.io.ObjectOutputStream; import java.io.Serializable; @@ -52,6 +53,7 @@ public class ConsulRegistry implements Registry { private int port = 8500; private Consul consul; private KeyValueClient kvClient; + private String deserializationFilter = "java.**;org.apache.camel.**;!*"; /* constructor with default port */ public ConsulRegistry(String hostname) { @@ -70,6 +72,9 @@ public class ConsulRegistry implements Registry { this.hostname = builder.hostname; this.port = builder.port; this.consul = Consul.builder().withUrl("http://" + this.hostname + ":" + this.port).build(); + if (builder.deserializationFilter != null) { + this.deserializationFilter = builder.deserializationFilter; + } } @Override 
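Review bot: The default pattern on the new `deserializationFilter` field (hunk `@@ -52,6 +53,7 @@`), `java.**;org.apache.camel.**;!*`, allows every class under the JDK `java.` packages and every Camel package, which is much wider than the types a registry entry normally needs. It also sets no limit on the size or shape of the stream. Since the bytes come from the Consul KV store, I would add the resource limits the filter syntax supports and narrow the packages where possible, e.g. `"maxdepth=<N>;maxrefs=<N>;maxbytes=<N>;java.**;org.apache.camel.**;!*"`, where each `<N>` is a placeholder to be chosen for the deployment. The literal is also repeated in ConsulRegistryUtilsTest, so a `static final` constant would keep the two in step.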
@@ -80,7 +85,7 @@ public class ConsulRegistry implements Registry { return kvClient.getValueAsString(key).map(result -> { byte[] postDecodedValue = ConsulRegistryUtils.decodeBase64(result); - return ConsulRegistryUtils.deserialize(postDecodedValue); + return ConsulRegistryUtils.deserialize(postDecodedValue, deserializationFilter); }).orElse(null); } @@ -219,7 +224,7 @@ public class ConsulRegistry implements Registry { if (lookupByName(key) != null) { remove(key); } - Object clone = ConsulRegistryUtils.clone((Serializable) object); + Object clone = ConsulRegistryUtils.clone((Serializable) object, deserializationFilter); byte[] serializedObject = ConsulRegistryUtils.serialize((Serializable) clone); // pre-encode due native encoding issues String value = ConsulRegistryUtils.encodeBase64(serializedObject); @@ -235,6 +240,7 @@ public class ConsulRegistry implements Registry { String hostname; // optional parameter Integer port = 8500; + String deserializationFilter; public Builder(String hostname) { this.hostname = hostname; @@ -245,6 +251,11 @@ public class ConsulRegistry implements Registry { return this; } + public Builder deserializationFilter(String deserializationFilter) { + this.deserializationFilter = deserializationFilter; + return this; + } + public ConsulRegistry build() { return new ConsulRegistry(this); } 
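Review bot: In hunk `@@ -219,7 +224,7 @@` the filtered `clone(...)` runs after `remove(key)`, so when the object's class is outside the filter the put fails with a RuntimeCamelException after the existing entry has, presumably, already been deleted. Moving `Object clone = ConsulRegistryUtils.clone((Serializable) object, deserializationFilter);` and the `serialize` call above the `if (lookupByName(key) != null)` check would make a rejected put leave the store unchanged. That check also deserializes the current value through the filter, so a stored value the filter rejects would block overwriting its key; this deserves a comment or explicit handling. The method starts and ends outside the hunk, so the rest of its body was not reviewed.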
@@ -266,6 +277,23 @@ public class ConsulRegistry implements Registry { this.port = port; } + /** + * Gets the deserialization filter applied when reading objects from Consul KV store. + */ + public String getDeserializationFilter() { + return deserializationFilter; + } + + /** + * Sets a deserialization filter while reading objects from Consul KV store. By default the filter will allow all + * java packages and subpackages and all org.apache.camel packages and subpackages, while the remaining will be + * blacklisted and not deserialized. This parameter should be customized if you're using classes you trust to be + * deserialized. + */ + public void setDeserializationFilter(String deserializationFilter) { + this.deserializationFilter = deserializationFilter; + } + static final class ConsulRegistryUtils { private ConsulRegistryUtils() { @@ -296,11 +324,15 @@ public class ConsulRegistry implements Registry { /** * Deserializes an object out of the given byte array. * - * @param bytes the byte array to deserialize from - * @return an {@link Object} deserialized from the given byte array + * @param bytes the byte array to deserialize from + * @param deserializationFilter the deserialization filter to apply (e.g. "java.**;org.apache.camel.**;!*") + * @return an {@link Object} deserialized from the given byte array */ - static Object deserialize(byte[] bytes) { + static Object deserialize(byte[] bytes, String deserializationFilter) { try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) { + if (deserializationFilter != null && !deserializationFilter.isEmpty()) { + in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(deserializationFilter)); + } return in.readObject(); } catch (IOException | ClassNotFoundException e) { throw new RuntimeCamelException(e); 
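Review bot: `deserialize` (hunk `@@ -296,11 +324,15 @@`) fails open: when `deserializationFilter` is null or empty the `setObjectInputFilter` call is skipped and the stream is read with no stream-specific filter, leaving only whatever JVM-wide filter the process may have configured. The new `setDeserializationFilter` in the hunk above accepts null and `""` without complaint, and the constructor hunk (`@@ -70,6 +72,9 @@`) guards only against a null builder value, so an empty value from configuration silently removes the protection. I would reject such values in the setter and the builder, `if (deserializationFilter == null || deserializationFilter.isEmpty()) { throw new IllegalArgumentException("deserializationFilter must not be empty"); }`. If turning the filter off is meant to be supported, the setter Javadoc should say how, and the opt-out should be explicit, not a side effect of an empty string.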
@@ -310,11 +342,12 @@ public class ConsulRegistry implements Registry { /** * A deep serialization based clone * - * @param object the object to clone - * @return a deep clone + * @param object the object to clone + * @param deserializationFilter the deserialization filter to apply + * @return a deep clone */ - static Object clone(Serializable object) { - return deserialize(serialize(object)); + static Object clone(Serializable object, String deserializationFilter) { + return deserialize(serialize(object), deserializationFilter); } /** diff --git a/components/camel-consul/src/test/java/org/apache/camel/component/consul/ConsulRegistryUtilsTest.java b/components/camel-consul/src/test/java/org/apache/camel/component/consul/ConsulRegistryUtilsTest.java index 696a7ada8347..0aba6a2074ba 100644 --- a/components/camel-consul/src/test/java/org/apache/camel/component/consul/ConsulRegistryUtilsTest.java +++ b/components/camel-consul/src/test/java/org/apache/camel/component/consul/ConsulRegistryUtilsTest.java @@ -33,9 +33,10 @@ public class ConsulRegistryUtilsTest { @Test public void encodeDecode() { + final String filter = "java.**;org.apache.camel.**;!*"; final List<String> src = Arrays.asList("one", "\u0434\u0432\u0430", "t\u0159i"); final byte[] serialized = ConsulRegistryUtils.serialize((Serializable) src); - assertEquals(src, ConsulRegistryUtils.deserialize(serialized)); + assertEquals(src, ConsulRegistryUtils.deserialize(serialized, filter)); final String encoded = ConsulRegistryUtils.encodeBase64(serialized); assertEquals("rO0ABXNyABpqYXZhLnV0aWwuQXJyYXlzJEFycmF5TGlzdNmkPL7NiAbSAgABWwABYXQAE1tMamF2YS9sYW5nL09iamVjdDt4" + "cHVyABNbTGphdmEubGFuZy5TdHJpbmc7rdJW5+kde0cCAAB4cAAAAAN0AANvbmV0AAbQtNCy0LB0AAR0xZlp", 
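Review bot: `encodeDecode` in ConsulRegistryUtilsTest (hunk `@@ -33,9 +33,10 @@`) only exercises the accept path, passing the default pattern with a `java.util` list, so the test would still pass if the filter were never applied. A rejection case is needed, for example `assertThrows(RuntimeCamelException.class, () -> ConsulRegistryUtils.deserialize(serialized, "java.lang.*;!*"));`, assuming this class uses JUnit 5 assertions (its imports are outside the hunk). A further case for a null or empty pattern would pin the intended behaviour there. The second hunk of this file (`@@ -53,7 +54,7 @@`) has the same gap.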
@@ -53,7 +54,7 @@ public class ConsulRegistryUtilsTest { -48, -76, -48, -78, -48, -80, 116, 0, 4, 116, -59, -103, 105 }, decoded); - assertEquals(src, ConsulRegistryUtils.deserialize(decoded)); + assertEquals(src, ConsulRegistryUtils.deserialize(decoded, filter)); } }
