Posted to issues@nifi.apache.org by "Mike R (Jira)" <ji...@apache.org> on 2022/03/31 19:05:00 UTC
[jira] [Created] (NIFI-9855) NiFi Can Delete Its Own Processors
Mike R created NIFI-9855:
----------------------------
Summary: NiFi Can Delete Its Own Processors
Key: NIFI-9855
URL: https://issues.apache.org/jira/browse/NIFI-9855
Project: Apache NiFi
Issue Type: Bug
Affects Versions: 1.15.3, 1.15.2, 1.16.0
Environment: All Linux Distros
Reporter: Mike R
Using the GetFile and PutFile processors, an attacker could overwrite the configuration files to /dev/null. Using a regex of (.*?), an attacker could point the GetFile Processor to the directory in which the NiFi configuration files are located. If the attacker is able to log in, they can send the files to /dev/null on Linux, which, although it will cause a warning in the PutFile processor, will still process.
This does not require that the attacker have access to the underlying system, but rather just NiFi itself.
One way to prevent this from happening would be to prevent the GetFile Processor and other NiFi processors from being able to directly read files from the configuration directories in a way that deletes the existing files. Another option would be to have processors prevented from overwriting configuration directory files.
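A defender-side check for the two mitigations proposed in the report, as an added example that is not part of the original message or of NiFi: it audits a simplified list of processor definitions for GetFile processors that would remove files from the configuration directory and PutFile processors that write into it. The `/opt/nifi/conf` path, the input shape and the sample flow are assumptions; the property names follow the GetFile and PutFile property labels.

```python
import posixpath

CONF_DIR = "/opt/nifi/conf"  # assumed install path; adjust to your deployment

def inside(path, root):
    """True if normalized path is root itself or lies beneath it."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")

def flag(value, default):
    """Read a NiFi boolean property, applying the processor default if unset."""
    return str(default if value is None else value).lower() == "true"

def audit(processors, conf_dir=CONF_DIR):
    """Return sorted (processor name, reason) pairs that need attention."""
    findings = []
    for proc in processors:
        kind = proc["type"].rsplit(".", 1)[-1]
        props = proc.get("properties", {})
        path = props.get("Input Directory" if kind == "GetFile" else "Directory")
        if kind not in ("GetFile", "PutFile") or not path:
            continue
        if "${" in path:  # Expression Language cannot be resolved statically
            findings.append((proc["name"], "unresolved path, review manually"))
        elif kind == "PutFile" and inside(path, conf_dir):
            findings.append((proc["name"], "writes into configuration directory"))
        elif kind == "GetFile" and not flag(props.get("Keep Source File"), False):
            recurse = flag(props.get("Recurse Subdirectories"), True)
            # A parent directory with recursion on reaches the conf dir too.
            if inside(path, conf_dir) or (recurse and inside(conf_dir, path)):
                findings.append((proc["name"], "removes configuration files"))
    return sorted(findings)

GETFILE = "org.apache.nifi.processors.standard.GetFile"
PUTFILE = "org.apache.nifi.processors.standard.PutFile"
# Constructed sample flow, not taken from a real deployment.
SAMPLE = [
    {"name": "ingest", "type": GETFILE, "properties": {"Input Directory": "/data/in"}},
    {"name": "grab-conf", "type": GETFILE,
     "properties": {"Input Directory": "/opt/nifi/logs/../conf", "File Filter": "(.*?)"}},
    {"name": "sweep", "type": GETFILE, "properties": {"Input Directory": "/opt/nifi"}},
    {"name": "copy-conf", "type": GETFILE,
     "properties": {"Input Directory": "/opt/nifi/conf", "Keep Source File": "true"}},
    {"name": "write-conf", "type": PUTFILE, "properties": {"Directory": "/opt/nifi/conf"}},
    {"name": "dyn", "type": GETFILE, "properties": {"Input Directory": "${dir}"}},
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print(f"{name}: {reason}")
```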