Posted to issues@nifi.apache.org by "Mark Weghorst (Jira)" <ji...@apache.org> on 2020/05/15 17:32:00 UTC

[jira] [Created] (NIFI-7458) Plain text sensitive properties are exposed in stateless application logs

Mark Weghorst created NIFI-7458:
-----------------------------------

             Summary: Plain text sensitive properties are exposed in stateless application logs
                 Key: NIFI-7458
                 URL: https://issues.apache.org/jira/browse/NIFI-7458
             Project: Apache NiFi
          Issue Type: Bug
          Components: NiFi Stateless
    Affects Versions: 1.11.4
            Reporter: Mark Weghorst


When the stateless NiFi runtime is initialized using the --file filename.json option, it writes to the application logs the contents of the configuration JSON file. 

If the configuration file contains sensitive parameters, those parameters are logged to disk in plain text. 

Additionally, the contents of the ssl configuration section are also logged in plain text, including keyPass, keystorePass, and truststorePass.

I would suggest that the following should happen:

The following entries should be masked in the log message:
 * ssl keyPass
 * ssl keystorePass
 * ssl truststorePass
 * Any parameter defined as sensitive



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
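
One way to mask the entries listed in the report before the configuration is written to a log, as an added example in Python (not code from the report or from Apache NiFi). The `ssl` key names come from the report; the `parameters` layout with a `"sensitive"` flag, the function names and the sample values are assumptions.

```python
import copy
import json

MASK = "********"
# Key names listed in the report, found under the "ssl" section.
SSL_SECRET_KEYS = ("keyPass", "keystorePass", "truststorePass")


def _is_sensitive(param):
    """True for a parameter object flagged sensitive (assumed layout)."""
    flag = param.get("sensitive", False) if isinstance(param, dict) else False
    return flag is True or str(flag).lower() == "true"


def redact_config(config):
    """Return a deep copy that is safe to log; the caller's config is untouched."""
    safe = copy.deepcopy(config)
    ssl = safe.get("ssl")
    if isinstance(ssl, dict):
        for key in SSL_SECRET_KEYS:
            if key in ssl:
                ssl[key] = MASK
    params = safe.get("parameters")
    if isinstance(params, dict):
        for param in params.values():
            if _is_sensitive(param) and "value" in param:
                param["value"] = MASK
    return safe


def loggable(config_text):
    """Parse the config file text and return the masked JSON string for the log."""
    return json.dumps(redact_config(json.loads(config_text)), sort_keys=True)


# Constructed sample configuration; every value here is made up.
SAMPLE = """{
  "ssl": {"keystoreFile": "/opt/ks.jks", "keystorePass": "ks-secret",
          "keyPass": "key-secret", "truststorePass": "ts-secret"},
  "parameters": {
    "Topic": "quotes",
    "DbPassword": {"sensitive": "true", "value": "db-secret"}
  }
}"""

if __name__ == "__main__":
    print(loggable(SAMPLE))
```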