Gogolev Sergey created NIFI-10674:
-------------------------------------
Summary: Sensitive parameter reveal in evaluateELString
Key: NIFI-10674
URL: https://issues.apache.org/jira/browse/NIFI-10674
Project: Apache NiFi
Issue Type: Bug
Components: Security, Variable Registry
Affects Versions: 1.18.0
Reporter: Gogolev Sergey
Attachments: image-2022-10-20-00-06-19-498.png,
image-2022-10-20-00-07-20-476.png, image-2022-10-20-00-08-52-510.png,
image-2022-10-20-00-09-57-913.png
Not sure it's bug, but security breach. With expression language i can view
content of sensitive parameter from parameter context. For example:
# Create parameter context with sensitive parameter
!image-2022-10-20-00-06-19-498.png!
# Create variable with name of this sensitive parameter #\{sample}
!image-2022-10-20-00-07-20-476.png!
# Create simple flow with EL expression: ${secret:evaluateELString()}
!image-2022-10-20-00-08-52-510.png!
# Content of this flowfile will contain sensitive value from parameter
!image-2022-10-20-00-09-57-913.png!
I suppose evaluateELString shouldn't access to sensitive parameters.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
