Mike R created NIFI-9855:
----------------------------
Summary: NiFi Can Delete Its Own Processors
Key: NIFI-9855
URL: https://issues.apache.org/jira/browse/NIFI-9855
Project: Apache NiFi
Issue Type: Bug
Affects Versions: 1.15.3, 1.15.2, 1.16.0
Environment: All Linux Distros
Reporter: Mike R

Using the GetFile and PutFile processors, an attacker could overwrite the
configuration files to /dev/null. Using a regex of (.*?), an attacker could
point the GetFile Processor to the directory in which the NiFi configuration
files are located. If the attacker is able to log in, they can send the files to
/dev/null on Linux, which, although it will cause a warning in the PutFile
processor, will still process.

This does not require that the attacker have access to the underlying system,
but rather just NiFi itself.

The ways to prevent this from happening would be to prevent the GetFile
Processor and other NiFi processors from being able to directly read files from
the configuration directories in a way that deletes the existing files; another
option would be to prevent processors from overwriting configuration directory
files.
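The mitigation proposed in the report, sketched as an added example that is not NiFi code and not part of the original issue: a check that rejects a processor's configured directory when it overlaps a protected configuration directory. The class name `ProtectedDirGuard`, its methods and the temporary directory layout are hypothetical and constructed for the demo.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

// Hypothetical guard, not NiFi code: flags processor directories that overlap protected ones.
public class ProtectedDirGuard {
    private final List<Path> protectedDirs = new ArrayList<>();

    public ProtectedDirGuard(List<Path> dirs) throws IOException {
        for (Path d : dirs) protectedDirs.add(canonical(d));
    }

    // Existing paths are resolved by the OS, so symlinks and ".." cannot hide the real target.
    // Paths that do not exist yet can only be normalised lexically.
    static Path canonical(Path p) throws IOException {
        return Files.exists(p) ? p.toRealPath() : p.toAbsolutePath().normalize();
    }

    // True if candidate is a protected directory, lies inside one, or contains one
    // (a recursive read of a parent directory would also reach the protected files).
    public boolean overlaps(Path candidate) throws IOException {
        Path c = canonical(candidate);
        for (Path p : protectedDirs) {
            if (c.startsWith(p) || p.startsWith(c)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout in a temp dir; "conf" stands in for the NiFi configuration directory.
        Path root = Files.createTempDirectory("guard-demo").toRealPath();
        Path conf = Files.createDirectories(root.resolve("conf"));
        Path data = Files.createDirectories(root.resolve("data").resolve("in"));
        Path link = Files.createSymbolicLink(root.resolve("alias"), conf);

        ProtectedDirGuard guard = new ProtectedDirGuard(List.of(conf));
        // Direct path, "../" detour, symlink alias, parent directory, unrelated data directory.
        for (Path dir : List.of(conf, conf.resolve("..").resolve("conf"), link, root, data)) {
            System.out.println(dir + " -> " + (guard.overlaps(dir) ? "REJECT" : "allow"));
        }
    }
}
```

A check of this kind complements, and does not replace, running the service under an account that lacks write permission on its own configuration directory.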