nifi-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (NIFI-4274) SSLContextService keystore and truststore location property descriptors incorrectly attempt to evaluate EL
Date Thu, 10 Aug 2017 08:07:00 GMT

    [ https://issues.apache.org/jira/browse/NIFI-4274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16121232#comment-16121232
] 

ASF GitHub Bot commented on NIFI-4274:
--------------------------------------

Github user asfgit closed the pull request at:

    https://github.com/apache/nifi/pull/2071


> SSLContextService keystore and truststore location property descriptors incorrectly attempt
to evaluate EL
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-4274
>                 URL: https://issues.apache.org/jira/browse/NIFI-4274
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 1.3.0
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>              Labels: expression-language, security, tls, truststore
>
> As reported on [Stack Overflow|https://stackoverflow.com/q/45561985/70465], the {{StandardSSLContextService}}
truststore location property descriptor would not evaluate an environment variable containing
the location of the truststore file. The reporter said that by adding a space prior to the
EL expression, it would evaluate, but result in an invalid path because it started with a
space. 
> Bryan Bende pointed out that this field does not support Expression Language. 
> While I could not reproduce this behavior, I did verify using a remote debugger that
while the field does not support EL, the [custom file validator incorrectly attempts to evaluate
EL|https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardSSLContextService.java#L183-L183],
which is counter-indicated by the documentation and will cause issues. This line follows immediately
after comments explaining the existence of the custom validator is because the default evaluates
EL, which is not desired here. 
> While personally, I do not believe these fields should support EL (security risk of the
sensitive location being changed outside of NiFi with no visibility), the documentation and
actual behavior should at least agree. 
> The custom validator should not evaluate EL. Follow on discussion on this ticket or the
mailing list may lead to new requirements to handle EL, but this can be implemented correctly
and consistently at such time. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message