Posted to commits@camel.apache.org by ac...@apache.org on 2020/11/24 08:36:37 UTC

[camel] branch master updated: CAMEL-15877: camel-salesforce: Use XStream's security framework

This is an automated email from the ASF dual-hosted git repository.

acosentino pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/camel.git


The following commit(s) were added to refs/heads/master by this push:
     new 2a51663  CAMEL-15877: camel-salesforce: Use XStream's security framework
2a51663 is described below

commit 2a5166309755a564228fa7365f2473a69ec9b73d
Author: Jeremy Ross <je...@jeremyross.org>
AuthorDate: Sun Nov 22 21:11:35 2020 -0600

    CAMEL-15877: camel-salesforce: Use XStream's security framework
---
 .../camel/component/salesforce/SalesforceComponent.java   | 15 ++++++++++++++-
 .../component/salesforce/api/utils/XStreamUtils.java      | 10 ++++++++--
 .../modules/ROOT/pages/camel-3x-upgrade-guide-3_7.adoc    |  7 +++++--
 3 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/components/camel-salesforce/camel-salesforce-component/src/main/java/org/apache/camel/component/salesforce/SalesforceComponent.java b/components/camel-salesforce/camel-salesforce-component/src/main/java/org/apache/camel/component/salesforce/SalesforceComponent.java
index d776d57..4f5e04b 100644
--- a/components/camel-salesforce/camel-salesforce-component/src/main/java/org/apache/camel/component/salesforce/SalesforceComponent.java
+++ b/components/camel-salesforce/camel-salesforce-component/src/main/java/org/apache/camel/component/salesforce/SalesforceComponent.java
@@ -32,6 +32,7 @@ import org.apache.camel.TypeConverter;
 import org.apache.camel.component.salesforce.api.SalesforceException;
 import org.apache.camel.component.salesforce.api.dto.AbstractSObjectBase;
 import org.apache.camel.component.salesforce.api.utils.SecurityUtils;
+import org.apache.camel.component.salesforce.api.utils.XStreamUtils;
 import org.apache.camel.component.salesforce.internal.OperationName;
 import org.apache.camel.component.salesforce.internal.PayloadFormat;
 import org.apache.camel.component.salesforce.internal.SalesforceSession;
@@ -228,7 +229,8 @@ public class SalesforceComponent extends DefaultComponent implements SSLContextP
     private boolean httpProxyUseDigestAuth;
 
     @Metadata(description = "In what packages are the generated DTO classes. Typically the classes would be generated"
-                            + " using camel-salesforce-maven-plugin. Set it if using the generated DTOs to gain the benefit of using short "
+                            + " using camel-salesforce-maven-plugin. This must be set if using the XML format. Also,"
+                            + " set it if using the generated DTOs to gain the benefit of using short "
                             + " SObject names in parameters/header values. Multiple packages can be separated by comma.",
               javaType = "java.lang.String", label = "common")
     private String packages;
@@ -321,6 +323,16 @@ public class SalesforceComponent extends DefaultComponent implements SSLContextP
         return result;
     }
 
+    private void setXStreamPackageWhiteList() {
+        if (packages != null) {
+            String[] packagesArray = getPackagesAsArray();
+            for (int i = 0; i < packagesArray.length; i++) {
+                packagesArray[i] = packagesArray[i] + ".*";
+            }
+            XStreamUtils.packageWhiteList = String.join(",", packagesArray);
+        }
+    }
+
     public SalesforceHttpClient getHttpClient() {
         return httpClient;
     }
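Review bot: `setXStreamPackageWhiteList` assigns the process-wide `XStreamUtils.packageWhiteList` instead of adding to it, so when two `SalesforceComponent` instances with different `packages` start in the same JVM (the call site is `setXStreamPackageWhiteList();` in the doStart hunk below), the last one to start wins and the other component's DTOs are rejected by XStream; a component started later without `packages` also silently inherits the earlier value. Consider having XStreamUtils accumulate entries (a thread-safe `static final Set<String>` behind an `addPackageWhiteList(String)` method) rather than a bare assignment to a public static. Also, `.*` is XStream's single-level wildcard, so DTOs in a sub-package of a configured package would need `.**`; presumably generated DTOs sit directly in the configured packages, but the method should say so, e.g. `// single-level wildcard: generated DTOs live directly in each configured package`. `getPackagesAsArray` is outside the hunk, so whether its entries are already trimmed of whitespace is not visible here.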
@@ -388,6 +400,7 @@ public class SalesforceComponent extends DefaultComponent implements SSLContextP
             // parse the packages to create SObject name to class map
             classMap = parsePackages();
             LOG.info("Found {} generated classes in packages: {}", classMap.size(), packages);
+            setXStreamPackageWhiteList();
         } else {
             // use an empty map to avoid NPEs later
             LOG.warn("Missing property packages, getSObject* operations will NOT work without property rawPayload=true");
diff --git a/components/camel-salesforce/camel-salesforce-component/src/main/java/org/apache/camel/component/salesforce/api/utils/XStreamUtils.java b/components/camel-salesforce/camel-salesforce-component/src/main/java/org/apache/camel/component/salesforce/api/utils/XStreamUtils.java
index ae4dbf4..cf4d94b 100644
--- a/components/camel-salesforce/camel-salesforce-component/src/main/java/org/apache/camel/component/salesforce/api/utils/XStreamUtils.java
+++ b/components/camel-salesforce/camel-salesforce-component/src/main/java/org/apache/camel/component/salesforce/api/utils/XStreamUtils.java
@@ -36,14 +36,19 @@ import org.apache.camel.component.salesforce.internal.dto.RestChoices;
 import org.apache.camel.component.salesforce.internal.dto.RestErrors;
 
 public final class XStreamUtils {
-    private static final String PERMISSIONS_PROPERTY_DEFAULT = "java.lang.*,java.util.*";
+    public static String packageWhiteList = "";
+
+    private static final String PERMISSIONS_PROPERTY_DEFAULT
+            = "org.apache.camel.**";
     private static final String PERMISSIONS_PROPERTY_KEY = "org.apache.camel.xstream.permissions";
 
     private XStreamUtils() {
     }
 
     public static void addDefaultPermissions(final XStream xstream) {
-        addPermissions(xstream, System.getProperty(PERMISSIONS_PROPERTY_KEY, PERMISSIONS_PROPERTY_DEFAULT));
+        addPermissions(xstream, System.getProperty(PERMISSIONS_PROPERTY_KEY,
+                PERMISSIONS_PROPERTY_DEFAULT));
+        addPermissions(xstream, packageWhiteList);
     }
 
     public static void addPermissions(final XStream xstream, final String permissions) {
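Review bot: `packageWhiteList` is a public, non-final, non-volatile static that any code can reassign and that `addDefaultPermissions` may read on a different thread than the one `SalesforceComponent.doStart` writes it from, so there is neither a happens-before guarantee nor any encapsulation of the allow-list; at minimum make it `private static volatile` behind an accessor, better a thread-safe accumulating set. The hunk also hands it to `addPermissions` while it is still `""` — whether `addPermissions` tolerates an empty permission string is not visible here (its body continues past the hunk), so a guard such as `if (!packageWhiteList.isEmpty()) { addPermissions(xstream, packageWhiteList); }` avoids relying on that. Separately, the new default `org.apache.camel.**` lets XStream instantiate every class under the Camel root from XML, far wider than the Salesforce DTO packages; if all DTOs live under `org.apache.camel.component.salesforce`, narrow the default to `org.apache.camel.component.salesforce.**` and document that the system property `org.apache.camel.xstream.permissions` overrides it.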
@@ -95,6 +100,7 @@ public final class XStreamUtils {
         };
 
         final XStream result = new XStream(reflectionProvider, hierarchicalStreamDriver);
+        XStream.setupDefaultSecurity(result);
         result.aliasSystemAttribute(null, "class");
         result.ignoreUnknownElements();
         XStreamUtils.addDefaultPermissions(result);
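Review bot: The `XStream.setupDefaultSecurity(result)` call is order-sensitive and deserves a comment: as far as I recall it installs `NoTypePermission.NONE` before the basic JDK allowances, so every allow-list entry registered by `XStreamUtils.addDefaultPermissions(result)` three lines later must come after it, and moving the call below would silently discard the allow-list and reject all DTOs (or, if removed, reopen the parser). Suggested comment above it: `// Deny-by-default (NoTypePermission.NONE); addDefaultPermissions below must run after this`. The enclosing method starts before this hunk.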
diff --git a/docs/user-manual/modules/ROOT/pages/camel-3x-upgrade-guide-3_7.adoc b/docs/user-manual/modules/ROOT/pages/camel-3x-upgrade-guide-3_7.adoc
index def8346..aa0cb98 100644
--- a/docs/user-manual/modules/ROOT/pages/camel-3x-upgrade-guide-3_7.adoc
+++ b/docs/user-manual/modules/ROOT/pages/camel-3x-upgrade-guide-3_7.adoc
@@ -273,5 +273,8 @@ In this context, it wasn't having any sense to maintain the autodiscoverClient o
 
 === camel-salesforce
 
-The default API version for camel-salesforce has been updated to 50.0. Older versions are still supported and can be set via the `apiVersion`
-component option.
+The default API version for camel-salesforce has been updated to 50.0. Older versions are still 
+supported and can be set via the `apiVersion` component option. 
+
+The `packages` option must be set if using the XML `format` option. This change is a result of 
+adopting XStream's Security Framework.