[NIFI-10674] Variable access through evaluateELString() - ASF JIRA

Attach files

Attach Screenshot

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: 1.18.0
Fix Version/s: 1.19.0
Component/s: Security, Variable Registry
Labels:
- security

Description

Not sure it's bug, but security breach. With expression language i can view content of sensitive parameter from parameter context. For example:

Create parameter context with sensitive parameter
Create variable with name of this sensitive parameter #{sample}
Create simple flow with EL expression: ${secret:evaluateELString()}
Content of this flowfile will contain sensitive value from parameter

I suppose evaluateELString shouldn't access to sensitive parameters.

Attachments

image-2022-10-20-00-09-57-913.png
19/Oct/22 21:09
4 kB
Gogolev Sergey
image-2022-10-20-00-08-52-510.png
19/Oct/22 21:08
54 kB
Gogolev Sergey
image-2022-10-20-00-07-20-476.png
19/Oct/22 21:07
16 kB
Gogolev Sergey
image-2022-10-20-00-06-19-498.png
19/Oct/22 21:06
13 kB
Gogolev Sergey

Issue Links

Add Link

causes

NIFI-11763 evaluateELString not evaluating ContextParameters

Resolved

Delete this link

links to

GitHub Pull Request #6562

Delete this link

Activity

Comment

This comment will be Viewable by All Users Viewable by All Users

Cancel

People

Assignee:: David Handermann

Reporter:: Gogolev Sergey

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 19/Oct/22 21:12

Updated:: 07/Aug/23 13:58

Resolved:: 21/Oct/22 18:19

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

Variable access through evaluateELString()

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Time Tracking

Agile

Slack

Issue deployment