Posted to issues@nifi.apache.org by "Mark Weghorst (Jira)" <ji...@apache.org> on 2020/05/15 17:32:00 UTC
[jira] [Created] (NIFI-7458) Plain text sensitive properties are exposed in stateless application logs
Mark Weghorst created NIFI-7458:
-----------------------------------
Summary: Plain text sensitive properties are exposed in stateless application logs
Key: NIFI-7458
URL: https://issues.apache.org/jira/browse/NIFI-7458
Project: Apache NiFi
Issue Type: Bug
Components: NiFi Stateless
Affects Versions: 1.11.4
Reporter: Mark Weghorst
When the stateless NiFi runtime is initialized using the --file filename.json option, it writes to the application logs the contents of the configuration JSON file.
If the configuration file contains sensitive parameters, those parameters are logged to disk in plain text.
Additionally, the contents of the ssl configuration section are also logged in plain text, including keyPass, keystorePass, and truststorePass.
I would suggest that the following should happen:
The following entries should be masked in the log message:
* ssl keyPass
* ssl keystorePass
* ssl truststorePass
* Any parameter defined as sensitive
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
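
The masking suggested in the report above, sketched as an added example; it is not part of the original message and not NiFi's own code. The three ssl key names come from the report, while the surrounding JSON layout (a top-level "ssl" object, and "parameters" entries flagged with "sensitive") and the sample values are assumptions constructed for illustration.

```python
import copy
import json

MASK = "********"
# Key names taken from the report; the JSON layout around them is assumed.
SSL_SECRET_KEYS = {"keyPass", "keystorePass", "truststorePass"}


def _is_sensitive(param):
    """Assumed layout: a sensitive parameter is an object with sensitive=true."""
    return isinstance(param, dict) and str(param.get("sensitive", "")).lower() == "true"


def redact_config(config):
    """Return a deep copy of the parsed config that is safe to write to a log."""
    safe = copy.deepcopy(config)
    ssl = safe.get("ssl")
    if isinstance(ssl, dict):
        for key in SSL_SECRET_KEYS & ssl.keys():
            ssl[key] = MASK
    params = safe.get("parameters")
    if isinstance(params, dict):
        for param in params.values():
            if _is_sensitive(param) and "value" in param:
                param["value"] = MASK
    return safe


def loggable(config):
    """Serialize only the redacted copy; the original stays intact for use."""
    return json.dumps(redact_config(config), sort_keys=True)


# Constructed sample input, not a real NiFi configuration.
SAMPLE = {
    "ssl": {"keystoreFile": "/opt/certs/keystore.jks", "keystorePass": "ks-secret",
            "keyPass": "key-secret", "truststorePass": "ts-secret"},
    "parameters": {"OutputDir": "/tmp/out",
                   "DbPassword": {"sensitive": "true", "value": "db-secret"}},
}

if __name__ == "__main__":
    print(loggable(SAMPLE))
```

Non-secret fields such as the keystore path stay readable in the output, so the log line remains useful for troubleshooting.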