David Handermann created NIFI-10758:
---------------------------------------
Summary: Add Reporting Guidelines to Website Security Policy
Key: NIFI-10758
URL: https://issues.apache.org/jira/browse/NIFI-10758
Project: Apache NiFi
Issue Type: Improvement
Components: Documentation & Website
Reporter: David Handermann
Assignee: David Handermann

The Apache NiFi project occasionally receives security vulnerability reports
regarding command execution using certain documented Processors. The Security
Policy on the project website should be updated to indicate that certain types
of custom command execution are not considered security vulnerabilities and
should not be reported.

Components such as ExecuteProcess and ExecuteStreamCommand support running
configurable operating system commands, and other scripted components such as
ExecuteGroovyScript support running custom code provided as a property. These
components have an {{execute code}} permission restriction that can be
configured for multi-tenant deployments. As a framework designed for building
complex processing pipelines using little to no code, Apache NiFi provides a
number of security guarantees at the framework level, but does not restrict an
authenticated and authorized user from configuring and running custom commands.