[jira] [Reopened] (NIFI-10674) Sensitive parameter reveal in evaluateELString

Pierre Villard (Jira) Wed, 19 Oct 2022 18:20:31 -0700


     [ 
https://issues.apache.org/jira/browse/NIFI-10674?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Pierre Villard reopened NIFI-10674:
-----------------------------------
      Assignee: David Handermann

> Sensitive parameter reveal in evaluateELString
> ----------------------------------------------
>
>                 Key: NIFI-10674
>                 URL: https://issues.apache.org/jira/browse/NIFI-10674
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Security, Variable Registry
>    Affects Versions: 1.18.0
>            Reporter: Gogolev Sergey
>            Assignee: David Handermann
>            Priority: Minor
>              Labels: security
>         Attachments: image-2022-10-20-00-06-19-498.png, 
> image-2022-10-20-00-07-20-476.png, image-2022-10-20-00-08-52-510.png, 
> image-2022-10-20-00-09-57-913.png
>
>
> Not sure it's bug, but security breach. With expression language i can view 
> content of sensitive parameter from parameter context. For example:
>  # Create parameter context with sensitive parameter
> !image-2022-10-20-00-06-19-498.png!
>  # Create variable with name of this sensitive parameter #\{sample}
> !image-2022-10-20-00-07-20-476.png!
>  # Create simple flow with EL expression: ${secret:evaluateELString()}
> !image-2022-10-20-00-08-52-510.png!
>  # Content of this flowfile will contain sensitive value from parameter
> !image-2022-10-20-00-09-57-913.png!
> I suppose evaluateELString shouldn't access to sensitive parameters.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Reopened] (NIFI-10674) Sensitive parameter reveal in evaluateELString

Reply via email to