Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2022/11/03 20:58:00 UTC
[jira] [Created] (NIFI-10758) Add Reporting Guidelines to Website Security Policy
David Handermann created NIFI-10758:
---------------------------------------
Summary: Add Reporting Guidelines to Website Security Policy
Key: NIFI-10758
URL: https://issues.apache.org/jira/browse/NIFI-10758
Project: Apache NiFi
Issue Type: Improvement
Components: Documentation & Website
Reporter: David Handermann
Assignee: David Handermann
The Apache NiFi project occasionally receives security vulnerability reports regarding command execution using certain documented Processors. The Security Policy on the project website should be updated to indicate that certain types of custom command execution are not considered security vulnerabilities and should not be reported.
Components such as ExecuteProcess and ExecuteStreamCommand support running configurable operating system commands, and other scripted components such as ExecuteGroovyScript support running custom code provided as a property. These components have an {{execute code}} permission restriction that can be configured for multi-tenant deployments. As a framework designed for building complex processing pipelines using little to no code, Apache NiFi provides a number of security guarantees at the framework level, but does not restrict an authenticated and authorized user from configuring and running custom commands.