[NIFI-10674] Variable access through evaluateELString() - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: 1.18.0
Fix Version/s: 1.19.0
Component/s: Security, Variable Registry
Labels:
- security

Description

Not sure it's bug, but security breach. With expression language i can view content of sensitive parameter from parameter context. For example:

Create parameter context with sensitive parameter
Create variable with name of this sensitive parameter #{sample}
Create simple flow with EL expression: ${secret:evaluateELString()}
Content of this flowfile will contain sensitive value from parameter

I suppose evaluateELString shouldn't access to sensitive parameters.

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

image-2022-10-20-00-09-57-913.png
19/Oct/22 21:09
4 kB
Gogolev Sergey
image-2022-10-20-00-08-52-510.png
19/Oct/22 21:08
54 kB
Gogolev Sergey
image-2022-10-20-00-07-20-476.png
19/Oct/22 21:07
16 kB
Gogolev Sergey
image-2022-10-20-00-06-19-498.png
19/Oct/22 21:06
13 kB
Gogolev Sergey

Issue Links

causes

NIFI-11763 evaluateELString not evaluating ContextParameters

Resolved

links to

GitHub Pull Request #6562

Activity

People

Assignee:: David Handermann

Reporter:: Gogolev Sergey

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 19/Oct/22 21:12

Updated:: 07/Aug/23 13:58

Resolved:: 21/Oct/22 18:19

Time Tracking

Estimated:

Not Specified

Remaining:

0h

Logged:

1h 10m