[
https://issues.apache.org/jira/browse/NIFI-14952?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18019315#comment-18019315
]
Pierre Villard commented on NIFI-14952:
---------------------------------------
As stated on [https://nifi.apache.org/documentation/security/]
{quote}
h2. Security Model
Apache NiFi provides a framework for developing processing pipelines using
standard and custom components. Authenticated and authorized users are
responsible for the security of operating system commands and custom code.
Privileged users are also responsible for designing processing pipelines with
security measures appropriate to the level of trust expected for systems and
services providing input to such processing pipelines.
Configuring dangerous operating system commands or custom scripts is not a
project security vulnerability.
The framework supports configurable permissions that enable authorized users to
execute code using several standard components. Components such as
ExecuteProcess and ExecuteStreamCommand support running operating system
commands, while other scripted components support executing custom code using
different programming languages. Configuring these components with untrusted
commands or arguments is contrary to best practices, but it does not constitute
of security issue for remediation.
{quote}
Your example is likely using the ScriptedReportingTask which also requires
elevated permissions in order to be used, as stated on
[https://nifi.apache.org/components/org.apache.nifi.reporting.script.ScriptedReportingTask/]
> nifi-api/reporting-task too verbose during failed requests
> ----------------------------------------------------------
>
> Key: NIFI-14952
> URL: https://issues.apache.org/jira/browse/NIFI-14952
> Project: Apache NiFi
> Issue Type: Bug
> Components: NiFi API
> Affects Versions: 2.4.0, 2.5.0
> Environment: RHEL 9
> Reporter: WojciechWitos
> Priority: Major
> Labels: Security
> Attachments: image-2025-09-10-09-53-40-894.png,
> image-2025-09-10-09-54-52-967.png, image-2025-09-10-09-56-03-281.png,
> image-2025-09-10-09-57-35-290.png
>
>
> It was found out that using a certain request, it is possible to enumerate
> files and directories on the server - application returns descriptive error
> that informs whether the requested script was found in the filesystem or not.
> Originally, application appends the "script file" value to default path, but
> it was possible to specify other files using path traversal technique. It is
> recommended to check if this is accepted behavior or an indicator of
> vulnerability (in case only scripts in default path should be run).
> NiFi-reporting task is too verbose verbose in error messages, allowing
> attacker to enumerate files and directories in the filesystem.
> The /nifi-api/reporting-tasks/ endpoint is too verbose in error messages,
> allowing attacker to enumerate
> Error message indicating non existing file in cwd.
> !image-2025-09-10-09-57-35-290.png!
> Error message indicating existing directory outside of the application
> location.
> !image-2025-09-10-09-53-40-894.png!
> Error message indicating existing file outside of the application location.
> !image-2025-09-10-09-54-52-967.png!
> In order to make this request work, there has to be Reporting Task existing.
> reporting-tasks endpoint requires the reporting task identifier. The request
> made:
> !image-2025-09-10-09-56-03-281.png!
> CWE-209:
> https://cwe.mitre.org/data/definitions/209.html
> CWE-200:
> https://cwe.mitre.org/data/definitions/200.html
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
