markap14 commented on PR #6562:
URL: https://github.com/apache/nifi/pull/6562#issuecomment-1287089943
Thanks @exceptionfactory. I think this does prevent exactly what the Jira
describes, and this is good to address. But I don't think it goes far enough,
actually. This function actually has the ability to sidestep authorization to
the Parameter Context itself. When a user sets a processor's properties, if any
property references a parameter, we have an authorization check that the user
making the change has read permissions to the parameter context. But consider
if a user wanted to sidestep it using a value of:
```
${literal('#'):append('{'):append('myParameter'):append('}'):evaluateELString()}
```
Now, the framework has no way to detect that hey, this is actually
referencing a parameter. So it doesn't do any validation checks. We need to
completely disable this function from accessing any parameters at all.
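An added illustration (not code from the PR or from NiFi) of the gap described above: a save-time check that only looks for literal `#{...}` tokens finds nothing in a value assembled through `evaluateELString()`, whereas a conservative policy that also treats any nested EL evaluation as a possible parameter access flags it. The regexes, function names and sample values are assumptions made for this example.

```python
import re

# Literal parameter reference syntax in a NiFi property value: #{paramName}.
DIRECT_PARAM_REF = re.compile(r"#\{[A-Za-z0-9_.\- ]+\}")

# Expression Language function that evaluates its subject as a new EL string at
# runtime; a reference built from pieces is invisible to the literal check above.
NESTED_EVAL = re.compile(r"evaluateELString\s*\(")


def naive_referenced_parameters(value: str) -> set:
    """Mirror of a save-time check that only recognises literal #{...} tokens."""
    return {m.group(0)[2:-1] for m in DIRECT_PARAM_REF.finditer(value)}


def needs_parameter_context_authz(value: str) -> bool:
    """Conservative policy: require Parameter Context read authorization if the
    value contains a literal reference OR any nested EL evaluation, because the
    nested evaluation may resolve a parameter reference constructed at runtime."""
    return bool(DIRECT_PARAM_REF.search(value)) or bool(NESTED_EVAL.search(value))


# Constructed sample property values (assumed for this example, not from the PR).
SAMPLES = {
    "direct": "#{myParameter}",
    "plain_el": "${filename:toUpper()}",
    "constructed": "${literal('#'):append('{'):append('myParameter')"
                   ":append('}'):evaluateELString()}",
}


def audit(values: dict) -> dict:
    """Return, per value, the literal references found and whether the
    conservative policy would require a Parameter Context authorization check."""
    return {
        name: (sorted(naive_referenced_parameters(v)), needs_parameter_context_authz(v))
        for name, v in values.items()
    }


if __name__ == "__main__":
    for name, (found, flagged) in audit(SAMPLES).items():
        print(f"{name:12s} literal_refs={found} requires_authz={flagged}")
```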