Apache NiFi / NIFI-10674

Variable access through evaluateELString()


Details

    Description

      Not sure it's a bug, but it is a security breach. With Expression Language I can view the content of a sensitive parameter from a parameter context. For example:

      1. Create a parameter context with a sensitive parameter
      2. Create a variable with the name of this sensitive parameter #{sample}
      3. Create a simple flow with the EL expression: ${secret:evaluateELString()}
      4. The content of this flowfile will contain the sensitive value from the parameter

      I suppose evaluateELString shouldn't have access to sensitive parameters.
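
The behaviour reported above, as an added example that is not part of the original issue and is not NiFi code: a simplified Python model of a second evaluation pass that resolves #{...} references without carrying over the caller's "non-sensitive property" restriction, beside a hardened form that does. The parameter values, the `region`/`where` entries, the function names and the hardening approach are assumptions of this example, not the project's actual fix.

```python
import re

# Constructed sample data: names and values are illustrative only.
PARAMETERS = {
    "sample": {"value": "s3cr3t-value", "sensitive": True},
    "region": {"value": "eu-west-1", "sensitive": False},
}
# Variable values are plain strings that happen to contain parameter references.
VARIABLES = {"secret": "#{sample}", "where": "#{region}"}

PARAM_REF = re.compile(r"#\{([^}]+)\}")
EL_CALL = re.compile(r"\$\{(\w+)(:evaluateELString\(\))?\}")


class SensitiveAccessError(Exception):
    """Raised when a sensitive parameter is referenced from a non-sensitive context."""


def resolve_parameters(text, allow_sensitive):
    """Replace #{name} references in text with parameter values."""
    def substitute(match):
        param = PARAMETERS[match.group(1)]
        if param["sensitive"] and not allow_sensitive:
            raise SensitiveAccessError(match.group(1))
        return param["value"]
    return PARAM_REF.sub(substitute, text)


def evaluate(expression, hardened):
    """Evaluate ${var} and ${var:evaluateELString()} for a non-sensitive property."""
    def substitute(match):
        value = VARIABLES[match.group(1)]
        if match.group(2) is None:
            return value  # plain ${var}: no second pass, the reference stays literal
        # Second pass over the variable's value. The unhardened form forgets
        # that the caller is a non-sensitive context and resolves everything.
        return resolve_parameters(value, allow_sensitive=not hardened)
    return EL_CALL.sub(substitute, expression)


if __name__ == "__main__":
    print(evaluate("${secret}", hardened=False))                     # reference stays literal
    print(evaluate("${secret:evaluateELString()}", hardened=False))  # sensitive value exposed
    try:
        evaluate("${secret:evaluateELString()}", hardened=True)
    except SensitiveAccessError as err:
        print("blocked sensitive parameter:", err)
```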


            People

              exceptionfactory David Handermann
              gogolev.sergey Gogolev Sergey

                Time Tracking

                  Estimated: Not Specified
                  Remaining: 0h
                  Logged: 1h 10m