CAMEL-23891: camel-mail - filter Camel internal headers in MimeMultipartDataFormat unmarshal#24406
Conversation
…artDataFormat unmarshal Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
|
🌟 Thank you for your contribution to the Apache Camel project! 🌟 🐫 Apache Camel Committers, please review the following items:
|
|
🧪 CI tested the following changed modules:
🔬 Scalpel shadow comparison — Scalpel: 11 tested, 28 compile-only — current: 10 all testedMaveniverse Scalpel detected 39 affected modules (current approach: 10).
|
davsclaus
left a comment
There was a problem hiding this comment.
APPROVE — Clean, well-scoped security-hardening change.
MimeMultipartDataFormat.copyNonStandardHeaders() previously copied every non-standard MIME header onto the Camel message with no filtering, allowing Camel* headers from external MIME content to be injected into the exchange. The fix adds a DefaultHeaderFilterStrategy on the inbound path, filtering Camel*/camel* prefixes case-insensitively — consistent with the mail consumer's own inbound filtering.
Verified:
DefaultHeaderFilterStrategywith defaults correctly catches all case variants (CamelFoo,camelBar,CAMELBaz) viainFilterStartsWith+lowerCase=true- Using
DefaultHeaderFilterStrategy(notMailHeaderFilterStrategy) is correct — the data format operates on MIME content generically, not JavaMail sessions - Test covers prefix matching, case-insensitivity, and normal header passthrough
- Upgrade guide entry documents the behavior change with a clear workaround
- Branch naming, commit format, JIRA linkage, AI attribution all follow project conventions
This review was generated by an AI agent and may contain inaccuracies. Please verify all suggestions before applying.
gnodet
left a comment
There was a problem hiding this comment.
Clean, well-scoped security hardening. Verified independently — agreed with the existing review.
Analysis:
-
Correct strategy choice — Using
DefaultHeaderFilterStrategy(notMailHeaderFilterStrategy) is appropriate. The data format operates on generic MIME content independent of the mail component.MailHeaderFilterStrategyadditionally filtersmail.smtp.*/mail.smtps.*prefixes which are specific to the mail consumer's JavaMail session properties (CAMEL-23522) and don't apply to the data format. -
Case-insensitive filtering works correctly — Traced through
DefaultHeaderFilterStrategy.doFiltering(): theinFilterStartsWithdefaults to{ "Camel", "camel" }and withlowerCase=true(default), all case variants are caught. ForCAMELBaz: firsttryHeaderMatch("CAMELBaz", {"Camel", "camel"})→ false, thenlower = "camelbaz"→tryHeaderMatch("camelbaz", {"Camel", "camel"})→ true (matches"camel"prefix). Confirmed by the test'sassertNullon all three case variants. -
Scope is correct — Only the
headersInline=trueunmarshal path (unmarshalWithInlineHeaders→copyNonStandardHeaders) is affected. TheunmarshalWithExternalHeaderspath doesn't callcopyNonStandardHeaders. -
Thread safety —
DefaultHeaderFilterStrategyis effectively immutable after construction (default configuration, no mutations). Theprivate finalfield is safe for concurrent access. -
Upgrade guide — Accurate, clear workaround documented.
This is consistent with the security model in CLAUDE.md: external message senders are untrusted, and Camel* headers from untrusted sources should be filtered to prevent header-injection attacks (the same class as CVE-2025-27636).
This review does not replace specialized AI review tools (CodeRabbit, Sourcery) or static analysis (SonarCloud).
This review was generated by an AI agent and may contain inaccuracies. Please verify all suggestions before applying.
Claude Code on behalf of Jiri Ondrusek
This aligns
MimeMultipartDataFormatunmarshalling (headersInline=true) with the camel-mail consumer: internal Camel headers (Camel*, matched case-insensitively) present in the external MIME headers are no longer copied verbatim onto the Camel message.Background
Previously
copyNonStandardHeaders()copied every MIME header (exceptMessage-ID,MIME-Version,Content-Type) straight into the message header map with noHeaderFilterStrategy. This is inconsistent with:MailHeaderFilterStrategy(extendsDefaultHeaderFilterStrategy) and filters theCamel*namespace case-insensitively on the inbound direction;includeHeaderspattern.Change
copyNonStandardHeaders()now delegates toDefaultHeaderFilterStrategy.applyFilterToExternalHeaders(...), soCamel*headers arriving in MIME content are filtered on the inbound path. Ordinary application headers (e.g.X-...) continue to pass through unchanged.JIRA: https://issues.apache.org/jira/browse/CAMEL-23891
🤖 Generated with Claude Code on behalf of Andrea Cosentino