[ https://issues.apache.org/jira/browse/CAMEL-23787?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Work on CAMEL-23787 started by Andrea Cosentino.
------------------------------------------------
> camel-jacksonxml: block unsafe polymorphic base types by default in the XmlMapper
> ---------------------------------------------------------------------------------
>
> Key: CAMEL-23787
> URL: https://issues.apache.org/jira/browse/CAMEL-23787
> Project: Camel
> Issue Type: Improvement
> Components: camel-jacksonxml
> Reporter: Andrea Cosentino
> Assignee: Andrea Cosentino
> Priority: Major
>
> h3. Problem
> {{JacksonXMLDataFormat.createNewXmlMapper()}} creates a bare {{new XmlMapper()}} without enabling {{MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES}}, the same exposure as the JSON data format: enabling polymorphic typing on untrusted XML risks gadget-chain deserialization.
> h3. Evidence
> * components/camel-jacksonxml/src/main/java/org/apache/camel/component/jacksonxml/JacksonXMLDataFormat.java:545
> h3. Suggested fix
> Enable MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES by default in
> createNewXmlMapper(); document in the upgrade guide. Pairs with the
> camel-jackson hardening.
> h3. Acceptance criteria
> * createNewXmlMapper enables BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES by default
> * Upgrade guide documents the hardened default and opt-out
> * A test confirms an unsafe polymorphic base type is blocked by default
> _Created by Claude Code on behalf of Andrea Cosentino._
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
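As an added example (not code from the Camel project or from the issue above), here is a self-contained check mirroring the third acceptance criterion: it builds an XmlMapper the way the suggested fix proposes and confirms that a polymorphic property with the unsafe base type `Object` is rejected, while a bare `new XmlMapper()` accepts it. The class, method and bean names and the XML input are constructed for this example.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.MapperFeature;
import com.fasterxml.jackson.databind.exc.InvalidDefinitionException;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;
import java.io.IOException;

public class XmlMapperHardeningCheck {

    // Constructed bean: an unsafe polymorphic base type (Object) with a
    // class-name type id, the shape BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES targets.
    public static class Envelope {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, property = "type")
        public Object payload;
    }

    // Harmless subtype used only to build the sample input.
    public static class Note {
        public String text;
    }

    // The mapper as the issue proposes createNewXmlMapper() should build it.
    public static XmlMapper hardenedXmlMapper() {
        return XmlMapper.builder()
                .enable(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES)
                .build();
    }

    // Returns true when the mapper refuses to build a deserializer for the
    // Object-typed polymorphic property (Jackson throws InvalidDefinitionException
    // from its DefaultBaseTypeLimitingValidator), i.e. the hardened default holds.
    public static boolean blocksUnsafeBaseType(XmlMapper mapper) throws IOException {
        String xml = "<Envelope><payload><type>" + Note.class.getName()
                + "</type><text>hello</text></payload></Envelope>"; // constructed input
        try {
            mapper.readValue(xml, Envelope.class);
            return false; // accepted: no base-type validation took place
        } catch (InvalidDefinitionException e) {
            return true;  // denied: java.lang.Object is an unsafe base type
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println("bare new XmlMapper() blocks unsafe base type: "
                + blocksUnsafeBaseType(new XmlMapper()));
        System.out.println("hardened XmlMapper blocks unsafe base type: "
                + blocksUnsafeBaseType(hardenedXmlMapper()));
    }
}
```

Requires jackson-dataformat-xml 2.10 or later on the classpath (the feature and `XmlMapper.builder()` were introduced in 2.10); the first line prints `false` and the second `true`.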