This repository has been archived by the owner on Feb 12, 2024. It is now read-only.

[cetic/nifi] Credential leakage in logs #304

Open
emrge-michaeld opened this issue Jun 9, 2023 · 0 comments
Labels
bug Something isn't working

Comments

Contributor

emrge-michaeld commented Jun 9, 2023

Describe the bug
Due to a cat command, security credentials are output into logs, which then get stored in plaintext on the local k8s node logs, as well as remote logging servers, and backups.

This is due to the following code:

```sh
for f in "${NIFI_HOME}/conf/authorizers.xml" "${NIFI_HOME}/conf/login-identity-providers.xml" ${NIFI_HOME}/conf/nifi.properties
do
  echo === $f ===
  cat $f
done
echo === end of files ===
```

https://github.com/cetic/helm-nifi/blob/db835032b6e860a2c7a84bbc9ca3ddb74f270453/templates/statefulset.yaml#LL286C1-L291C36

This kind of code is totally unnecessary. You can create a shell in the pod and look at the file yourself if need be.

Version of Helm, Kubernetes and the Nifi chart:
Chart 1.1.4

What happened:
The container 'server' outputs to its logs the whole authorizers.xml file which includes for example:

```
...
# OpenId Connect SSO Properties #
nifi.security.user.oidc.discovery.url=https://keycloak.big.com/realms/sso-prd/.well-known/openid-configuration
nifi.security.user.oidc.connect.timeout=5 secs
nifi.security.user.oidc.read.timeout=5 secs
nifi.security.user.oidc.client.id=nifi
nifi.security.user.oidc.client.secret=S90fiyzZvbr
...
```

What you expected to happen:
No credential leakage.

How to reproduce it (as minimally and precisely as possible):
Use the helm chart to deploy the app.
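A redacting replacement for the chart's `cat` loop, as an added example that is not part of this issue or of the cetic/helm-nifi chart: it keeps the debugging dump but masks values of sensitive keys before they reach container logs. It assumes POSIX sh with awk in the init container, and the list of sensitive key-name patterns is an assumption.

```sh
# Added example, not code from the cetic/helm-nifi chart: dump the NiFi config
# files for debugging while masking sensitive values, instead of a bare `cat`.
# Assumes POSIX sh plus awk (assumption about the chart's container image).

# redact_file FILE: print FILE with values of sensitive keys replaced.
# Covers key=value lines (nifi.properties) and <property name="...">value</property>
# lines (authorizers.xml, login-identity-providers.xml). Key patterns are an assumption.
redact_file() {
    awk '
        /^[^#=]*=/ {
            key = $0; sub(/=.*/, "", key)
            if (tolower(key) ~ /(password|passwd|secret|credential|\.key$)/) {
                print key "=<REDACTED>"; next
            }
        }
        /<property name="[^"]*">/ {
            name = $0; sub(/.*<property name="/, "", name); sub(/".*/, "", name)
            if (tolower(name) ~ /(password|secret|credential)/) {
                sub(/>[^<]*<\/property>/, "><REDACTED></property>"); print; next
            }
        }
        { print }
    ' "$1"
}

# dump_configs DIR: the chart's loop, with redact_file in place of `cat $f`.
dump_configs() {
    for f in "$1/authorizers.xml" "$1/login-identity-providers.xml" "$1/nifi.properties"; do
        [ -f "$f" ] || continue
        echo "=== $f ==="
        redact_file "$f"
    done
    echo "=== end of files ==="
}

# Constructed sample files (not from a real deployment) for a stand-alone run.
demo_dir=$(mktemp -d)
cat > "$demo_dir/nifi.properties" <<'EOF'
# OpenId Connect SSO Properties #
nifi.security.user.oidc.client.id=nifi
nifi.security.user.oidc.client.secret=EXAMPLE-SECRET-NOT-REAL
nifi.sensitive.props.key=EXAMPLE-KEY-NOT-REAL
EOF
cat > "$demo_dir/login-identity-providers.xml" <<'EOF'
<property name="Manager DN">cn=admin,dc=example,dc=org</property>
<property name="Manager Password">EXAMPLE-PASSWORD-NOT-REAL</property>
EOF
dump_configs "$demo_dir"
rm -rf "$demo_dir"
```

Dropping the dump entirely, as the issue suggests, is the simplest fix; this variant is for charts that want to keep a config echo in the init logs.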

@banzo banzo added the bug Something isn't working label Jun 9, 2023