[ 
https://issues.apache.org/jira/browse/NIFI-10674?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17622402#comment-17622402
 ] 

ASF subversion and git services commented on NIFI-10674:
--------------------------------------------------------

Commit 3e9b7e27a54a333201fe53a9fd89a7cbbd318569 in nifi's branch 
refs/heads/main from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=3e9b7e27a5 ]

NIFI-10674 Block evaluateELString from reading Parameters (#6562)

* NIFI-10674 Blocked access to Parameters from evaluateELString()

> Variable access through evaluateELString()
> ------------------------------------------
>
>                 Key: NIFI-10674
>                 URL: https://issues.apache.org/jira/browse/NIFI-10674
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Security, Variable Registry
>    Affects Versions: 1.18.0
>            Reporter: Gogolev Sergey
>            Assignee: David Handermann
>            Priority: Minor
>              Labels: security
>         Attachments: image-2022-10-20-00-06-19-498.png, 
> image-2022-10-20-00-07-20-476.png, image-2022-10-20-00-08-52-510.png, 
> image-2022-10-20-00-09-57-913.png
>
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> Not sure it's a bug, but a security breach. With expression language I can view 
> the content of a sensitive parameter from the parameter context. For example:
>  # Create parameter context with sensitive parameter
> !image-2022-10-20-00-06-19-498.png!
>  # Create variable with name of this sensitive parameter #\{sample}
> !image-2022-10-20-00-07-20-476.png!
>  # Create simple flow with EL expression: ${secret:evaluateELString()}
> !image-2022-10-20-00-08-52-510.png!
>  # Content of this flowfile will contain sensitive value from parameter
> !image-2022-10-20-00-09-57-913.png!
> I suppose evaluateELString shouldn't have access to sensitive parameters.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
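
An audit for the pattern reported in the issue above, as an added example that is not part of the original message or of NiFi's code: it flags properties that call evaluateELString() on a variable whose value references a sensitive parameter. The inventory layout (parameters, variables, property tuples), the component name and all sample values are constructed assumptions, not NiFi's flow definition schema.

```python
import re

# Parameter reference inside a variable value, e.g. #{sample}.
# Tolerating surrounding quotes/whitespace is an assumption of this sketch.
PARAM_REF = re.compile(r"#\{([^}]+)\}")
# EL expression whose subject is eventually passed to evaluateELString(),
# e.g. ${secret:evaluateELString()} or ${secret:trim():evaluateELString()}.
EVAL_CALL = re.compile(r"\$\{\s*([^:}\s]+)[^}]*?:evaluateELString\(\)")


def find_exposures(parameters, variables, properties):
    """Return (component, property, variable, parameter) for each risky use.

    parameters: {name: is_sensitive}
    variables:  {name: literal value}
    properties: iterable of (component, property_name, property_value)
    Only variables are checked; FlowFile attributes holding the same text
    are outside this sketch.
    """
    sensitive = {name for name, flag in parameters.items() if flag}
    risky_vars = {}
    for var, value in variables.items():
        refs = {ref.strip(" '") for ref in PARAM_REF.findall(value)}
        hits = sorted(refs & sensitive)
        if hits:
            risky_vars[var] = hits
    findings = []
    for component, prop, value in properties:
        for subject in EVAL_CALL.findall(value):
            for param in risky_vars.get(subject, []):
                findings.append((component, prop, subject, param))
    return findings


# Constructed sample inventory mirroring the steps in the issue.
SAMPLE_PARAMETERS = {"sample": True, "region": False}
SAMPLE_VARIABLES = {"secret": "#{sample}", "where": "#{region}", "greeting": "hello"}
SAMPLE_PROPERTIES = [
    ("processor-1", "Custom Text", "${secret:evaluateELString()}"),
    ("processor-2", "note", "${where:evaluateELString()}"),
    ("processor-3", "note", "${greeting:evaluateELString()}"),
]

if __name__ == "__main__":
    for finding in find_exposures(SAMPLE_PARAMETERS, SAMPLE_VARIABLES, SAMPLE_PROPERTIES):
        print("sensitive parameter reachable: component=%s property=%s variable=%s parameter=%s" % finding)
```
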
