Posted to commits@camel.apache.org by ac...@apache.org on 2020/11/24 08:36:37 UTC
[camel] branch master updated: CAMEL-15877: camel-salesforce: Use
XStream's security framework
This is an automated email from the ASF dual-hosted git repository.
acosentino pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/camel.git
The following commit(s) were added to refs/heads/master by this push:
new 2a51663 CAMEL-15877: camel-salesforce: Use XStream's security framework
2a51663 is described below
commit 2a5166309755a564228fa7365f2473a69ec9b73d
Author: Jeremy Ross <je...@jeremyross.org>
AuthorDate: Sun Nov 22 21:11:35 2020 -0600
CAMEL-15877: camel-salesforce: Use XStream's security framework
---
.../camel/component/salesforce/SalesforceComponent.java | 15 ++++++++++++++-
.../component/salesforce/api/utils/XStreamUtils.java | 10 ++++++++--
.../modules/ROOT/pages/camel-3x-upgrade-guide-3_7.adoc | 7 +++++--
3 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/components/camel-salesforce/camel-salesforce-component/src/main/java/org/apache/camel/component/salesforce/SalesforceComponent.java b/components/camel-salesforce/camel-salesforce-component/src/main/java/org/apache/camel/component/salesforce/SalesforceComponent.java
index d776d57..4f5e04b 100644
--- a/components/camel-salesforce/camel-salesforce-component/src/main/java/org/apache/camel/component/salesforce/SalesforceComponent.java
+++ b/components/camel-salesforce/camel-salesforce-component/src/main/java/org/apache/camel/component/salesforce/SalesforceComponent.java
@@ -32,6 +32,7 @@ import org.apache.camel.TypeConverter;
import org.apache.camel.component.salesforce.api.SalesforceException;
import org.apache.camel.component.salesforce.api.dto.AbstractSObjectBase;
import org.apache.camel.component.salesforce.api.utils.SecurityUtils;
+import org.apache.camel.component.salesforce.api.utils.XStreamUtils;
import org.apache.camel.component.salesforce.internal.OperationName;
import org.apache.camel.component.salesforce.internal.PayloadFormat;
import org.apache.camel.component.salesforce.internal.SalesforceSession;
@@ -228,7 +229,8 @@ public class SalesforceComponent extends DefaultComponent implements SSLContextP
private boolean httpProxyUseDigestAuth;
@Metadata(description = "In what packages are the generated DTO classes. Typically the classes would be generated"
- + " using camel-salesforce-maven-plugin. Set it if using the generated DTOs to gain the benefit of using short "
+ + " using camel-salesforce-maven-plugin. This must be set if using the XML format. Also,"
+ + " set it if using the generated DTOs to gain the benefit of using short "
+ " SObject names in parameters/header values. Multiple packages can be separated by comma.",
javaType = "java.lang.String", label = "common")
private String packages;
@@ -321,6 +323,16 @@ public class SalesforceComponent extends DefaultComponent implements SSLContextP
return result;
}
+ private void setXStreamPackageWhiteList() {
+ if (packages != null) {
+ String[] packagesArray = getPackagesAsArray();
+ for (int i = 0; i < packagesArray.length; i++) {
+ packagesArray[i] = packagesArray[i] + ".*";
+ }
+ XStreamUtils.packageWhiteList = String.join(",", packagesArray);
+ }
+ }
+
public SalesforceHttpClient getHttpClient() {
return httpClient;
}
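Review bot: `setXStreamPackageWhiteList()` stores the allowlist in the static field `XStreamUtils.packageWhiteList`, so the deserialization policy becomes JVM-wide state written by a single component instance. A second `SalesforceComponent` (or another CamelContext in the same JVM) with different `packages` replaces the first one's list instead of adding to it, and the value is never cleared on stop. The field is also declared `public static` and non-final in the XStreamUtils.java hunk, so any code on the classpath can reassign it and widen what XStream will unmarshal. Consider keeping it private behind a setter that merges entries, or passing the allowlist to the XStream factory per component. If the entries are read as XStream wildcard patterns, the appended `.*` covers only classes directly in each package and not subpackages, which is worth stating in the `packages` option description.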
@@ -388,6 +400,7 @@ public class SalesforceComponent extends DefaultComponent implements SSLContextP
// parse the packages to create SObject name to class map
classMap = parsePackages();
LOG.info("Found {} generated classes in packages: {}", classMap.size(), packages);
+ setXStreamPackageWhiteList();
} else {
// use an empty map to avoid NPEs later
LOG.warn("Missing property packages, getSObject* operations will NOT work without property rawPayload=true");
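Review bot: The `else` branch still warns only that getSObject* operations will not work, although after this commit an unset `packages` also means no user DTO package is added to the XStream allowlist. Assuming XML payloads for those DTOs are then rejected at unmarshal time, the message should say so, for example `LOG.warn("Missing property packages, getSObject* operations will NOT work without property rawPayload=true; XML format requires packages to be set");`. Failing at startup when the configured format is XML would surface the misconfiguration earlier than a runtime rejection. The enclosing method starts and ends outside the hunk.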
diff --git a/components/camel-salesforce/camel-salesforce-component/src/main/java/org/apache/camel/component/salesforce/api/utils/XStreamUtils.java b/components/camel-salesforce/camel-salesforce-component/src/main/java/org/apache/camel/component/salesforce/api/utils/XStreamUtils.java
index ae4dbf4..cf4d94b 100644
--- a/components/camel-salesforce/camel-salesforce-component/src/main/java/org/apache/camel/component/salesforce/api/utils/XStreamUtils.java
+++ b/components/camel-salesforce/camel-salesforce-component/src/main/java/org/apache/camel/component/salesforce/api/utils/XStreamUtils.java
@@ -36,14 +36,19 @@ import org.apache.camel.component.salesforce.internal.dto.RestChoices;
import org.apache.camel.component.salesforce.internal.dto.RestErrors;
public final class XStreamUtils {
- private static final String PERMISSIONS_PROPERTY_DEFAULT = "java.lang.*,java.util.*";
+ public static String packageWhiteList = "";
+
+ private static final String PERMISSIONS_PROPERTY_DEFAULT
+ = "org.apache.camel.**";
private static final String PERMISSIONS_PROPERTY_KEY = "org.apache.camel.xstream.permissions";
private XStreamUtils() {
}
public static void addDefaultPermissions(final XStream xstream) {
- addPermissions(xstream, System.getProperty(PERMISSIONS_PROPERTY_KEY, PERMISSIONS_PROPERTY_DEFAULT));
+ addPermissions(xstream, System.getProperty(PERMISSIONS_PROPERTY_KEY,
+ PERMISSIONS_PROPERTY_DEFAULT));
+ addPermissions(xstream, packageWhiteList);
}
public static void addPermissions(final XStream xstream, final String permissions) {
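Review bot: The new default `org.apache.camel.**` permits every class under `org.apache.camel` that is on the classpath, including other components, which is much wider than the Salesforce DTOs this XStream instance has to unmarshal. Consider narrowing `PERMISSIONS_PROPERTY_DEFAULT` to the packages actually needed, e.g. `"org.apache.camel.component.salesforce.**"`, and leaving anything broader to the `org.apache.camel.xstream.permissions` system property. `addDefaultPermissions` now also calls `addPermissions(xstream, packageWhiteList)` with `""` when no packages were configured; the body of `addPermissions` is outside the hunk, so confirm it treats an empty string as a no-op rather than registering an empty pattern.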
@@ -95,6 +100,7 @@ public final class XStreamUtils {
};
final XStream result = new XStream(reflectionProvider, hierarchicalStreamDriver);
+ XStream.setupDefaultSecurity(result);
result.aliasSystemAttribute(null, "class");
result.ignoreUnknownElements();
XStreamUtils.addDefaultPermissions(result);
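Review bot: Nothing in the code says that `XStream.setupDefaultSecurity(result)` is the line that switches this instance to deny-by-default, or that it has to run before `addDefaultPermissions(result)`. Add a comment such as `// deny all types by default; addDefaultPermissions() below re-allows only the configured packages` so a later refactor does not reorder or drop the call. A unit test that tries to unmarshal a type outside the allowlist and expects a rejection would pin the behaviour. The enclosing factory method begins outside the hunk.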
diff --git a/docs/user-manual/modules/ROOT/pages/camel-3x-upgrade-guide-3_7.adoc b/docs/user-manual/modules/ROOT/pages/camel-3x-upgrade-guide-3_7.adoc
index def8346..aa0cb98 100644
--- a/docs/user-manual/modules/ROOT/pages/camel-3x-upgrade-guide-3_7.adoc
+++ b/docs/user-manual/modules/ROOT/pages/camel-3x-upgrade-guide-3_7.adoc
@@ -273,5 +273,8 @@ In this context, it wasn't having any sense to maintain the autodiscoverClient o
=== camel-salesforce
-The default API version for camel-salesforce has been updated to 50.0. Older versions are still supported and can be set via the `apiVersion`
-component option.
+The default API version for camel-salesforce has been updated to 50.0. Older versions are still
+supported and can be set via the `apiVersion` component option.
+
+The `packages` option must be set if using the XML `format` option. This change is a result of
+adopting XStream's Security Framework.