Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2022/11/03 21:49:00 UTC

[jira] [Updated] (NIFI-10758) Add Reporting Guidelines to Website Security Policy

     [ https://issues.apache.org/jira/browse/NIFI-10758?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Handermann updated NIFI-10758:
------------------------------------
    Status: Patch Available  (was: Open)

> Add Reporting Guidelines to Website Security Policy
> ---------------------------------------------------
>
>                 Key: NIFI-10758
>                 URL: https://issues.apache.org/jira/browse/NIFI-10758
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Documentation & Website
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Minor
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> The Apache NiFi project occasionally receives security vulnerability reports regarding command execution using certain documented Processors. The Security Policy on the project website should be updated to indicate that certain types of custom command execution are not considered a security vulnerability and should not be reported.
> Components such as ExecuteProcess and ExecuteStreamCommand support running configurable operating system commands, and other scripted components such as ExecuteGroovyScript support running custom code provided as a property. These components have an {{execute code}} permission restriction that can be configured for multi-tenant deployments. As a framework designed for building complex processing pipelines using little to no code, Apache NiFi provides a number of security guarantees at the framework level, but does not restrict an authenticated and authorized user from configuring and running custom commands.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)