Posted to issues@camel.apache.org by "Jiri Ondrusek (Jira)" <ji...@apache.org> on 2020/09/29 08:45:00 UTC
[jira] [Updated] (CAMEL-15577) Camel-stringtemplate: Misleading and incorrect implementation of parameter 'allowTemplateFromHeader'
[ https://issues.apache.org/jira/browse/CAMEL-15577?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jiri Ondrusek updated CAMEL-15577:
----------------------------------
Description:
There is a difference in the implementation of the parameter `*allowTemplateFromHeader*` across the various templating components, and a missing implementation in the stringtemplate component.
Description from documentation (of "*allowTemplateFromHeader*"):
{quote}Whether to allow to use resource template from header or not (default false). Enabling this allows to specify dynamic templates via message header. However this can be seen as a potential security vulnerability if the header is coming from a malicious user, so use this with care.
{quote}
Common sense says that with this parameter I can send a template via header.
This is implemented, for example, in the velocity component (see [https://github.com/apache/camel/blob/master/components/camel-velocity/src/main/java/org/apache/camel/component/velocity/VelocityEndpoint.java#L185]).
In the stringtemplate component there is only functionality for providing your own variable map (see [https://github.com/apache/camel/blob/master/components/camel-stringtemplate/src/main/java/org/apache/camel/component/stringtemplate/StringTemplateEndpoint.java#L104]) - the same functionality in velocity is called 'supplementalContext'.
The stringtemplate documentation describes the usage of this custom context map:
{quote}You can define the custom context map by setting the message header "*CamelStringTemplateVariableMap*" just like the below code.
{quote}
Errors:
# -parameter "*CamelStringTemplateVariableMap*" is applied only when "*allowTemplateFromHeader*" is set to true-
# there is no way of providing template via header.
Fix should
# -remove dependency between "*CamelStringTemplateVariableMap*" and "*allowTemplateFromHeader*"-
# -add a new parameter to allow definition of template via header- Fix problem with template via header based on other templating components (e.g. velocity)
was:
There is a difference in the implementation of the parameter `*allowTemplateFromHeader*` across the various templating components, and a missing implementation in the stringtemplate component.
Description from documentation (of "*allowTemplateFromHeader*"):
{quote}Whether to allow to use resource template from header or not (default false). Enabling this allows to specify dynamic templates via message header. However this can be seen as a potential security vulnerability if the header is coming from a malicious user, so use this with care.
{quote}
Common sense says that with this parameter I can send a template via header.
This is implemented, for example, in the velocity component (see [https://github.com/apache/camel/blob/master/components/camel-velocity/src/main/java/org/apache/camel/component/velocity/VelocityEndpoint.java#L185]).
In the stringtemplate component there is only functionality for providing your own variable map (see [https://github.com/apache/camel/blob/master/components/camel-stringtemplate/src/main/java/org/apache/camel/component/stringtemplate/StringTemplateEndpoint.java#L104]) - the same functionality in velocity is called 'supplementalContext'.
The stringtemplate documentation describes the usage of this custom context map:
{quote}You can define the custom context map by setting the message header "*CamelStringTemplateVariableMap*" just like the below code.
{quote}
Errors:
# parameter "*CamelStringTemplateVariableMap*" is applied only when "*allowTemplateFromHeader*" is set to true
# there is no way of providing template via header.
Fix should
# remove dependency between "*CamelStringTemplateVariableMap*" and "*allowTemplateFromHeader*"
# add a new parameter to allow definition of template via header
> Camel-stringtemplate: Misleading and incorrect implementation of parameter 'allowTemplateFromHeader'
> ----------------------------------------------------------------------------------------------------
>
> Key: CAMEL-15577
> URL: https://issues.apache.org/jira/browse/CAMEL-15577
> Project: Camel
> Issue Type: Bug
> Components: camel-stringtemplate
> Affects Versions: 3.5.0
> Reporter: Jiri Ondrusek
> Assignee: Jiri Ondrusek
> Priority: Major