[jira] [Resolved] (NIFI-4274) SSLContextService keystore and truststore location property descriptors incorrectly attempt to evaluate EL

Thu, 10 Aug 2017 01:10:39 -0700 

     [ 
https://issues.apache.org/jira/browse/NIFI-4274?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pierre Villard resolved NIFI-4274.
----------------------------------
       Resolution: Fixed
    Fix Version/s: 1.4.0

> SSLContextService keystore and truststore location property descriptors 
> incorrectly attempt to evaluate EL
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-4274
>                 URL: https://issues.apache.org/jira/browse/NIFI-4274
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 1.3.0
>            Reporter: Andy LoPresto
>            Assignee: Andy LoPresto
>              Labels: expression-language, security, tls, truststore
>             Fix For: 1.4.0
>
>
> As reported on [Stack Overflow|https://stackoverflow.com/q/45561985/70465], 
> the {{StandardSSLContextService}} truststore location property descriptor 
> would not evaluate an environment variable containing the location of the 
> truststore file. The reporter said that by adding a space prior to the EL 
> expression, it would evaluate, but result in an invalid path because it 
> started with a space. 
> Bryan Bende pointed out that this field does not support Expression Language. 
> While I could not reproduce this behavior, I did verify using a remote 
> debugger that while the field does not support EL, the [custom file validator 
> incorrectly attempts to evaluate 
> EL|https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-services/nifi-ssl-context-bundle/nifi-ssl-context-service/src/main/java/org/apache/nifi/ssl/StandardSSLContextService.java#L183-L183],
>  which is counter-indicated by the documentation and will cause issues. This 
> line follows immediately after comments explaining the existence of the 
> custom validator is because the default evaluates EL, which is not desired 
> here. 
> While personally, I do not believe these fields should support EL (security 
> risk of the sensitive location being changed outside of NiFi with no 
> visibility), the documentation and actual behavior should at least agree. 
> The custom validator should not evaluate EL. Follow on discussion on this 
> ticket or the mailing list may lead to new requirements to handle EL, but 
> this can be implemented correctly and consistently at such time. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to