Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2022/11/03 20:58:00 UTC

[jira] [Created] (NIFI-10758) Add Reporting Guidelines to Website Security Policy

David Handermann created NIFI-10758:
---------------------------------------

             Summary: Add Reporting Guidelines to Website Security Policy
                 Key: NIFI-10758
                 URL: https://issues.apache.org/jira/browse/NIFI-10758
             Project: Apache NiFi
          Issue Type: Improvement
          Components: Documentation & Website
            Reporter: David Handermann
            Assignee: David Handermann


The Apache NiFi project occasionally receives security vulnerability reports regarding command execution using certain documented Processors. The Security Policy on the project website should be updated to indicate that certain types of custom command execution are not considered security vulnerabilities and should not be reported.

Components such as ExecuteProcess and ExecuteStreamCommand support running configurable operating system commands, and other scripted components such as ExecuteGroovyScript support running custom code provided as a property. These components have an {{execute code}} permission restriction that can be configured for multi-tenant deployments. As a framework designed for building complex processing pipelines using little to no code, Apache NiFi provides a number of security guarantees at the framework level, but does not restrict an authenticated and authorized user from configuring and running custom commands.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)