
CAMEL-23803: block unsafe polymorphic base types by default in camel-jackson-avro and camel-jackson-protobuf#24195

Merged
oscerd merged 1 commit into
apache:mainfrom
oscerd:fix/CAMEL-23803
Jun 24, 2026

Conversation

@oscerd

@oscerd oscerd commented Jun 23, 2026

Contributor

Summary

Follow-up to CAMEL-23786 (camel-jackson) and CAMEL-23787 (camel-jacksonxml), raised in review of #24134.

camel-jackson-avro's JacksonAvroDataFormat.createNewObjectMapper() and camel-jackson-protobuf's JacksonProtobufDataFormat.createNewObjectMapper() returned a bare new AvroMapper() / new ProtobufMapper(), while their transform/ counterparts (transform/Avro.java, transform/Protobuf.java) already enable MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES. This closes that gap so all sibling Jackson data formats are consistent.

When polymorphic / default typing is enabled, Jackson now refuses unsafe base types (Object, Serializable, Comparable) — defense-in-depth against gadget-chain deserialization. Ordinary marshalling/unmarshalling is unchanged.

Changes

  • JacksonAvroDataFormat.createNewObjectMapper() → AvroMapper.builder().enable(BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES).build().
  • JacksonProtobufDataFormat.createNewObjectMapper() → ProtobufMapper.builder().enable(BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES).build().
  • New JacksonAvroDataFormatPolymorphicHardeningTest and JacksonProtobufDataFormatPolymorphicHardeningTest asserting the feature is enabled on each data format's default mapper.
  • Upgrade-guide notes for 4.21, 4.18 and 4.14 (entries on main per the docs-on-main policy, since this is backported to the 4.18.x and 4.14.x maintenance lines).

Opt-out

Routes that deliberately rely on polymorphic/default typing on an unsafe base type can supply their own mapper (via the objectMapper option) configured without this feature.

Note on camel-jackson3

camel-jackson3 (Jackson 3.x) is intentionally excluded: no code enables this MapperFeature, and Jackson 3 reworked default typing with a mandatory PolymorphicTypeValidator, so the flag likely does not apply. Left for a dedicated Jackson-3 review.

Backport

Will be backported to camel-4.18.x and camel-4.14.x (code + test only; upgrade-guide entries stay on main), keeping the hardening consistent with camel-jackson/camel-jacksonxml on those lines.


AI-generated by Claude Code on behalf of Andrea Cosentino.

…jackson-avro and camel-jackson-protobuf

The camel-jackson-avro and camel-jackson-protobuf data formats now create their
default AvroMapper / ProtobufMapper with MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES
enabled, mirroring the hardening already applied to camel-jackson (CAMEL-23786) and
camel-jacksonxml (CAMEL-23787) and to their respective transform/ mappers. This is
defense-in-depth against gadget-chain deserialization: when polymorphic / default
typing is enabled, Jackson refuses unsafe base types (Object, Serializable, Comparable).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
@oscerd oscerd requested review from Croway and gnodet June 23, 2026 09:28

@gnodet gnodet left a comment


Clean, focused security-hardening PR — consistent with the sibling changes in CAMEL-23786 (camel-jackson, #24134 merged) and CAMEL-23787 (camel-jacksonxml, #24177 merged). The transform/Avro.java and transform/Protobuf.java in the same modules already had this flag, so this closes the gap in the data format classes.

Strengths:

  • Minimal, surgical change — two createNewObjectMapper() overrides, two tests, three upgrade-guide entries
  • Consistent with the pattern established by the sibling PRs
  • Opt-out path clearly documented (supply your own mapper via objectMapper option)
  • camel-jackson3 exclusion is sensible and well-explained
  • No generated files needed since this is internal to createNewObjectMapper() — correct

Minor observations (non-blocking):

  1. Test robustness: The sibling test in PR #24134 calls df.setUseDefaultObjectMapper(false) to ensure createNewObjectMapper() is exercised rather than a registry-provided mapper. These tests don't. In a clean DefaultCamelContext it doesn't matter (no mapper in registry), but the sibling's approach is more explicit — consider aligning for consistency.

  2. JIRA housekeeping: CAMEL-23803 is still in "Open" status (not "In Progress") and fixVersions is empty. Per project conventions, transition to "In Progress" before starting work, and set fixVersions before closing.

Overall this looks good to merge.

This review was generated by an AI agent and may contain inaccuracies. Please verify all suggestions before applying.

Claude Code on behalf of Guillaume Nodet

try (DefaultCamelContext context = new DefaultCamelContext()) {
context.start();
JacksonAvroDataFormat df = new JacksonAvroDataFormat();
df.setCamelContext(context);


Nit: the sibling test in PR #24134 (camel-jackson) calls df.setUseDefaultObjectMapper(false) before df.start() to guarantee that createNewObjectMapper() is exercised rather than picking up a mapper from the registry. This test relies on the DefaultCamelContext having no ObjectMapper registered, which is true today but fragile. Consider adding df.setUseDefaultObjectMapper(false) for consistency with the sibling.

Claude Code on behalf of Guillaume Nodet
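The following is an added example, not code from the PR or from the Camel project, showing the before/after mapper construction the PR description lists, the test shape the reviewers ask for (forcing createNewObjectMapper() with df.setUseDefaultObjectMapper(false)), and the documented opt-out of supplying your own mapper. It assumes Jackson 2.10 or later (where MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES and AvroMapper.builder() exist), JUnit 5, and the camel-jackson-avro package name org.apache.camel.component.jackson.avro; the class and method names AvroMapperHardeningExampleTest, bareMapper and hardenedMapper are the example's own.

```java
// Added example (not the PR's or Camel's own test). Assumes Jackson 2.10+, JUnit 5,
// and camel-jackson-avro with the PR's createNewObjectMapper() change applied.
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;

import com.fasterxml.jackson.databind.MapperFeature;
import com.fasterxml.jackson.dataformat.avro.AvroMapper;
import org.apache.camel.component.jackson.avro.JacksonAvroDataFormat; // assumed package
import org.apache.camel.impl.DefaultCamelContext;
import org.junit.jupiter.api.Test;

class AvroMapperHardeningExampleTest {

    // "Before": the bare mapper createNewObjectMapper() used to return.
    // With default typing enabled this would accept Object/Serializable/Comparable as base types.
    static AvroMapper bareMapper() {
        return new AvroMapper();
    }

    // "After": the builder chain from the PR, refusing unsafe polymorphic base types.
    static AvroMapper hardenedMapper() {
        return AvroMapper.builder()
                .enable(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES)
                .build();
    }

    @Test
    void bareMapperLeavesFeatureDisabled() {
        // Jackson's default for this MapperFeature is off
        assertFalse(bareMapper().isEnabled(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES));
    }

    @Test
    void hardenedMapperEnablesFeature() {
        assertTrue(hardenedMapper().isEnabled(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES));
    }

    @Test
    void dataFormatDefaultMapperIsHardened() throws Exception {
        try (DefaultCamelContext context = new DefaultCamelContext()) {
            context.start();
            JacksonAvroDataFormat df = new JacksonAvroDataFormat();
            df.setCamelContext(context);
            // Reviewer's nit: skip the registry lookup so createNewObjectMapper() is
            // what actually produces the mapper, independent of registry contents.
            df.setUseDefaultObjectMapper(false);
            df.start();
            assertTrue(df.getObjectMapper()
                    .isEnabled(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES));
        }
    }

    @Test
    void explicitMapperIsTheDocumentedOptOut() throws Exception {
        try (DefaultCamelContext context = new DefaultCamelContext()) {
            context.start();
            JacksonAvroDataFormat df = new JacksonAvroDataFormat();
            df.setCamelContext(context);
            // A route that deliberately needs default typing on an unsafe base type
            // supplies its own mapper; the data format then does not harden it.
            df.setObjectMapper(bareMapper());
            df.start();
            assertFalse(df.getObjectMapper()
                    .isEnabled(MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES));
        }
    }
}
```

The feature only changes behaviour once polymorphic or default typing is active; plain Avro marshalling and unmarshalling through the hardened mapper is unaffected, which is why the assertions inspect the feature flag rather than round-tripping a payload. The same shape applies to ProtobufMapper and JacksonProtobufDataFormat.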

@github-actions


🌟 Thank you for your contribution to the Apache Camel project! 🌟
🤖 CI automation will test this PR automatically.

🐫 Apache Camel Committers, please review the following items:

  • First-time contributors require MANUAL approval for the GitHub Actions to run
  • You can use the command /component-test (camel-)component-name1 (camel-)component-name2.. to request a test from the test bot although they are normally detected and executed by CI.
  • You can label PRs using skip-tests and test-dependents to fine-tune the checks executed by this PR.
  • Build and test logs are available in the summary page. Only Apache Camel committers have access to the summary.

⚠️ Be careful when sharing logs. Review their contents before sharing them publicly.

@github-actions


🧪 CI tested the following changed modules:

  • components/camel-jackson-avro
  • components/camel-jackson-protobuf
  • docs
All tested modules (13 modules)
  • Camel :: JBang :: MCP
  • Camel :: JBang :: Plugin :: Route Parser
  • Camel :: JBang :: Plugin :: TUI
  • Camel :: JBang :: Plugin :: Validate
  • Camel :: Jackson Avro
  • Camel :: Jackson Protobuf
  • Camel :: Kamelet
  • Camel :: Launcher :: Container
  • Camel :: Test :: Main :: JUnit5
  • Camel :: Test :: Main :: JUnit6
  • Camel :: XML DSL with camel-xml-io
  • Camel :: YAML DSL :: Validator
  • Camel :: YAML DSL :: Validator Maven Plugin

⚙️ View full build and test results

@oscerd oscerd merged commit 735e7e4 into apache:main Jun 24, 2026
6 checks passed