Andrea Cosentino created CAMEL-23876:
----------------------------------------

             Summary: camel-a2a: pin the validated address when dispatching push-notification webhooks
                 Key: CAMEL-23876
                 URL: https://issues.apache.org/jira/browse/CAMEL-23876
             Project: Camel
          Issue Type: Improvement
          Components: camel-ai
            Reporter: Andrea Cosentino


h3. Background

For A2A push notifications, a caller-registered webhook URL is validated by 
{{WebhookUrlValidator.validate(...)}}, which resolves the host via 
{{InetAddress.getByName}} and rejects loopback, wildcard, link-local, and 
site-local/private addresses (and requires HTTPS for non-local hosts).

{{PushNotificationDispatcher.dispatchToWebhook}} then builds a 
{{java.net.http.HttpRequest}} from the original URL string and lets 
{{HttpClient}} perform its own, independent DNS resolution at connection time. 
The address that was validated and the address actually connected to are 
resolved separately, so they can differ for the same hostname between the two 
calls. There is no mechanism pinning the connection to the address the 
validator approved.

h3. Proposed change

Resolve the host once, validate that resolved address, and connect to the 
validated address rather than re-resolving the hostname at connect time. For 
{{java.net.http.HttpClient}} this can be done via a custom resolver on 
{{HttpClient.Builder}}, or by caching the validated address alongside the 
stored config at registration time. The requirement is that the address used 
for the real connection is the one {{WebhookUrlValidator}} already approved.

h3. Affected code

* {{components/camel-ai/camel-a2a/src/main/java/org/apache/camel/component/a2a/push/PushNotificationDispatcher.java}} ({{dispatchToWebhook}}, ~lines 135-156; send path ~line 180)
* {{components/camel-ai/camel-a2a/src/main/java/org/apache/camel/component/a2a/util/WebhookUrlValidator.java}} ({{validate}}, ~lines 48-115)

h3. Notes

If address pinning is impractical with the current client, an alternative is to 
re-validate immediately before connecting and reject DNS answers with unusually 
short TTLs. A test should assert the dispatched connection targets the 
validated address.
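
The resolve-once, validate, connect-to-the-approved-address flow described under "Proposed change", as an added Java example that is not part of the original issue and is not camel-a2a code. {{PinnedWebhookDemo}}, {{Resolver}}, {{resolveAndValidate}}, {{connectPinned}}, the host {{hooks.example.test}} and the answer-flipping resolver are hypothetical and constructed; the sketch uses a plain TLS socket instead of {{HttpClient}} so the pinning step is explicit.

```java
import java.io.IOException;
import java.net.*;
import javax.net.ssl.*;

// Added illustration; class and method names are hypothetical, not camel-a2a code.
public class PinnedWebhookDemo {
    interface Resolver { InetAddress[] resolve(String host) throws UnknownHostException; }

    // Resolve once; reject if ANY answer falls in a range the validator refuses.
    static InetAddress resolveAndValidate(String host, Resolver dns) throws UnknownHostException {
        InetAddress[] answers = dns.resolve(host);
        if (answers.length == 0) throw new UnknownHostException(host);
        for (InetAddress a : answers) {
            if (a.isLoopbackAddress() || a.isAnyLocalAddress()
                    || a.isLinkLocalAddress() || a.isSiteLocalAddress()) {
                throw new SecurityException("rejected address " + a.getHostAddress());
            }
        }
        return answers[0];
    }

    // Connect to the approved IP; TLS still uses the hostname for SNI and certificate checks.
    static SSLSocket connectPinned(URI url, InetAddress approved) throws IOException {
        int port = url.getPort() == -1 ? 443 : url.getPort();
        Socket raw = new Socket();
        try {
            raw.connect(new InetSocketAddress(approved, port), 5000); // no second DNS lookup
            SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket tls = (SSLSocket) f.createSocket(raw, url.getHost(), port, true);
            SSLParameters p = tls.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // verify cert against the hostname
            tls.setSSLParameters(p);
            tls.startHandshake();
            return tls;
        } catch (IOException e) { raw.close(); throw e; }
    }

    public static void main(String[] args) throws Exception {
        // Constructed resolver: public answer on the first lookup, loopback afterwards.
        int[] calls = {0};
        Resolver flipping = h -> new InetAddress[] { InetAddress.getByAddress(h,
                calls[0]++ == 0 ? new byte[] {(byte) 203, 0, 113, 10} : new byte[] {127, 0, 0, 1}) };
        String host = "hooks.example.test";
        InetAddress approved = resolveAndValidate(host, flipping);  // lookup 1: validation
        InetAddress secondLookup = flipping.resolve(host)[0];        // lookup 2: a re-resolving client
        System.out.println("approved=" + approved.getHostAddress()
                + " secondLookup=" + secondLookup.getHostAddress()
                + " secondIsLoopback=" + secondLookup.isLoopbackAddress());
    }
}
```

{{main}} runs offline and only compares the two lookups; {{connectPinned}} is the part a dispatch test would exercise against a local TLS listener to assert that the connection targets the validated address.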
