nifi-issues mailing list archives

From GitBox <...@apache.org>
Subject [GitHub] [nifi-minifi-cpp] fgerlits commented on a change in pull request #914: MINIFICPP-1323 Encrypt sensitive properties using libsodium
Date Thu, 01 Oct 2020 10:34:34 GMT

fgerlits commented on a change in pull request #914:
URL: https://github.com/apache/nifi-minifi-cpp/pull/914#discussion_r498101379



##########
File path: main/MiNiFiMain.cpp
##########
@@ -208,6 +238,10 @@ int main(int argc, char **argv) {
   configure->setHome(minifiHome);
   configure->loadConfigureFile(DEFAULT_NIFI_PROPERTIES_FILE);
 
+  if (containsEncryptedProperties(*configure)) {
+    decryptSensitiveProperties(*configure, minifiHome, *logger);
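Review bot: at the `decryptSensitiveProperties(*configure, minifiHome, *logger)` call, the `Configure` object that was just loaded from the properties file is handed to the decryption routine and no result is checked in the visible lines. If this replaces the encrypted values in place, the same object now carries plaintext for as long as it lives, and any code path that writes `Configure` back out would write it in the clear. Consider leaving the stored values encrypted and decrypting at read time. A decryption failure (missing key, value that does not authenticate) should also be visible at this call site so startup can stop, and the logger passed in should only ever receive property names, never decrypted values.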

Review comment:
Ouch.  Yes, that is a serious problem.

EDIT: as discussed, persisting the `Configure` object doesn't work at the moment, due to a bug: new properties are added to the `minifi.properties` file, but existing and modified properties are not updated.  So the decrypted sensitive properties cannot be leaked right now.

I think the best long-term solution would be not to update the sensitive values in the `Configure` object, but store the key instead, and decrypt the sensitive values on the fly in the getter function.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
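
The long-term approach suggested in the review comment above (store the key, decrypt in the getter), sketched as an added example that is not code from the pull request or from MiNiFi. `LazyDecryptingConfig`, `demoDecrypt` and the property name are hypothetical, and the placeholder transform stands in for the libsodium-based decryption.

```cpp
#include <functional>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <utility>

// Hypothetical stand-in for Configure: encrypted values stay encrypted in memory.
class LazyDecryptingConfig {
 public:
  // Callback that owns the key; returns false if decryption fails.
  using Decryptor = std::function<bool(const std::string&, std::string&)>;
  explicit LazyDecryptingConfig(Decryptor d) : decrypt_(std::move(d)) {}
  void set(const std::string& k, const std::string& v, bool encrypted = false) {
    values_[k] = v;
    if (encrypted) encrypted_.insert(k); else encrypted_.erase(k);
  }
  // Decrypts on the fly; the plaintext is never written back into values_.
  bool get(const std::string& k, std::string& out) const {
    auto it = values_.find(k);
    if (it == values_.end()) return false;
    if (encrypted_.count(k) == 0) { out = it->second; return true; }
    return decrypt_(it->second, out);
  }
  // Serializes what is stored, so sensitive values are written as ciphertext.
  std::string persist() const {
    std::ostringstream os;
    for (const auto& kv : values_) os << kv.first << "=" << kv.second << "\n";
    return os.str();
  }
 private:
  Decryptor decrypt_;
  std::map<std::string, std::string> values_;
  std::set<std::string> encrypted_;
};

// Demo placeholder, NOT encryption: strips "enc:" and reverses the rest.
// A real build would run the libsodium decryption with the stored key here.
bool demoDecrypt(const std::string& cipher, std::string& plain) {
  if (cipher.compare(0, 4, "enc:") != 0) return false;
  const std::string body = cipher.substr(4);
  plain.assign(body.rbegin(), body.rend());
  return true;
}

int main() {
  LazyDecryptingConfig cfg(demoDecrypt);
  cfg.set("example.passphrase", "enc:t3rc3s", true);  // constructed sample value
  std::string out;
  return cfg.get("example.passphrase", out) && out == "s3cr3t" ? 0 : 1;
}
```

Because `persist()` serializes the stored map and `get()` never writes back, fixing the persistence bug mentioned in the comment would not expose plaintext with this layout.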


