chore(nifi): Add and patch 1.28.1

NickLarsenNZ · NickLarsenNZ · commit 1b70d1362452 · 2025-02-19T09:27:57.000+01:00
diff --git a/nifi/stackable/patches/1.28.1/0001-no-zip-assembly.patch b/nifi/stackable/patches/1.28.1/0001-no-zip-assembly.patch
@@ -0,0 +1,26 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nick Larsen <nick.larsen@stackable.tech>
+Date: Mon, 17 Feb 2025 15:13:39 +0100
+Subject: no zip assembly
+
+---
+ nifi-assembly/pom.xml | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/nifi-assembly/pom.xml b/nifi-assembly/pom.xml
+index 27928cf67e..d00154626a 100644
+--- a/nifi-assembly/pom.xml
++++ b/nifi-assembly/pom.xml
+@@ -66,7 +66,6 @@ language governing permissions and limitations under the License. -->
+                             <tarLongFileMode>posix</tarLongFileMode>
+                             <formats>
+                                 <format>dir</format>
+-                                <format>zip</format>
+                             </formats>
+                         </configuration>
+                     </execution>
+
+base-commit: 883338fe28883733417d10f6ffa9319e75f5ea06
+-- 
+2.40.1
+
diff --git a/nifi/stackable/patches/1.28.1/0002-allow-bypassing-check-for-host-header.patch b/nifi/stackable/patches/1.28.1/0002-allow-bypassing-check-for-host-header.patch
@@ -0,0 +1,65 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nick Larsen <nick.larsen@stackable.tech>
+Date: Mon, 17 Feb 2025 15:19:01 +0100
+Subject: allow bypassing check for host header
+
+NiFi has the configuration option 'nifi.web.proxy.host' which controls allowed
+values for the host header field in any incoming request for the web ui.
+
+This frequently causes issues when trying to expose the NiFi UI via for example
+an ingress, loadbalancer or any similar type of mechanism.
+
+NiFi does not allow to disable this behavior, so at the moment the nifi operator
+simply hardcodes all even remotely possible values into this field.
+But in order to allow putting for example in ingress in front of NiFi this means
+using config overrides to change the value of this option, copy all the values
+the operator put in there and add the extra value you need.
+
+This is less than ideal, the proper solution would probably be
+https://github.com/stackabletech/nifi-operator/issues/604
+
+But until that is merged this is a simple workaround that allows overriding the list of allowed
+hostnames by just setting it to "*" and this will effectively bypass the hostname check entirely if set.
+
+This allows us to keep the default behavior in place for those users where it works and not remove
+security features, but also enables users to disable this check if they know what they are doing.
+---
+ .../org/apache/nifi/web/server/HostHeaderHandler.java     | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java
+index dd4bbf54c0..ea1b5b2da1 100644
+--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java
++++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java
+@@ -47,6 +47,7 @@ public class HostHeaderHandler extends ScopedHandler {
+     private final String serverName;
+     private final int serverPort;
+     private final List<String> validHosts;
++    private boolean allowAllHosts = false;
+ 
+     /**
+      * Instantiates a handler with a given server name and port 0.
+@@ -107,6 +108,11 @@ public class HostHeaderHandler extends ScopedHandler {
+         // The value(s) from nifi.web.proxy.host
+         hosts.addAll(parseCustomHostnames(niFiProperties));
+ 
++        // Check if the setting for allowed hosts has only the wildcard entry and
++        // if so store this in allowAllHost for later use
++        List<String> configuredHostNames = niFiProperties.getAllowedHostsAsList();
++        this.allowAllHosts = configuredHostNames.size() == 1 && configuredHostNames.contains("*");
++
+         // empty is ok here
+         hosts.add("");
+ 
+@@ -205,7 +211,7 @@ public class HostHeaderHandler extends ScopedHandler {
+     }
+ 
+     boolean hostHeaderIsValid(String hostHeader) {
+-        return validHosts.contains(hostHeader.toLowerCase().trim());
++        return this.allowAllHosts || validHosts.contains(hostHeader.toLowerCase().trim());
+     }
+ 
+     @Override
+-- 
+2.40.1
+
diff --git a/nifi/stackable/patches/1.28.1/0003-add-cyclonedx-plugin.patch b/nifi/stackable/patches/1.28.1/0003-add-cyclonedx-plugin.patch
@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nick Larsen <nick.larsen@stackable.tech>
+Date: Mon, 17 Feb 2025 15:25:52 +0100
+Subject: add cyclonedx plugin
+
+---
+ pom.xml | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/pom.xml b/pom.xml
+index 672c023277..641d772286 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -1091,6 +1091,24 @@
+                     </excludes>
+                 </configuration>
+             </plugin>
++            <plugin>
++                <groupId>org.cyclonedx</groupId>
++                <artifactId>cyclonedx-maven-plugin</artifactId>
++                <version>2.8.0</version>
++                <configuration>
++                    <projectType>application</projectType>
++                    <schemaVersion>1.5</schemaVersion>
++                    <skipNotDeployed>false</skipNotDeployed>
++                </configuration>
++                <executions>
++                  <execution>
++                    <phase>package</phase>
++                    <goals>
++                      <goal>makeBom</goal>
++                    </goals>
++                  </execution>
++                </executions>
++            </plugin>
+         </plugins>
+     </build>
+     <profiles>
+-- 
+2.40.1
+
diff --git a/nifi/stackable/patches/1.28.1/0004-CVE-2024-36114-bump-aircompressor-to-0.27.patch b/nifi/stackable/patches/1.28.1/0004-CVE-2024-36114-bump-aircompressor-to-0.27.patch
@@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nick Larsen <nick.larsen@stackable.tech>
+Date: Mon, 17 Feb 2025 15:27:01 +0100
+Subject: CVE-2024-36114 bump aircompressor to 0.27
+
+see https://github.com/stackabletech/vulnerabilities/issues/834
+
+Aircompressor is a library with ports of the Snappy, LZO, LZ4, and
+Zstandard compression algorithms to Java. All decompressor
+implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash
+the JVM for certain input, and in some cases also leak the content of
+other memory of the Java process (which could contain sensitive
+information). When decompressing certain data, the decompressors try to
+access memory outside the bounds of the given byte arrays or byte
+buffers. Because Aircompressor uses the JDK class sun.misc.Unsafe to
+speed up memory access, no additional bounds checks are performed and
+this has similar security consequences as out-of-bounds access in C or
+C++, namely it can lead to non-deterministic behavior or crash the JVM.
+Users should update to Aircompressor 0.27 or newer where these issues
+have been fixed. When decompressing data from untrusted users, this can
+be exploited for a denial-of-service attack by crashing the JVM, or to
+leak other sensitive information from the Java process. There are no
+known workarounds for this issue.
+---
+ nifi-assembly/pom.xml | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/nifi-assembly/pom.xml b/nifi-assembly/pom.xml
+index d00154626a..da38056c7a 100644
+--- a/nifi-assembly/pom.xml
++++ b/nifi-assembly/pom.xml
+@@ -97,6 +97,12 @@ language governing permissions and limitations under the License. -->
+         </plugins>
+     </build>
+     <dependencies>
++        <!-- Mitigate CVE-2024-36114: See https://github.com/stackabletech/vulnerabilities/issues/834 -->
++        <dependency>
++            <groupId>io.airlift</groupId>
++            <artifactId>aircompressor</artifactId>
++            <version>0.27</version>
++        </dependency>
+         <dependency> <!-- handling this explicitly  Must be in root lib -->
+             <groupId>javax.servlet</groupId>
+             <artifactId>javax.servlet-api</artifactId>
+-- 
+2.40.1
+
diff --git a/nifi/stackable/patches/1.28.1/patchable.toml b/nifi/stackable/patches/1.28.1/patchable.toml
@@ -0,0 +1,2 @@
+upstream = "https://github.com/apache/nifi"
+base = "883338fe28883733417d10f6ffa9319e75f5ea06"
diff --git a/nifi/versions.py b/nifi/versions.py
@@ -4,6 +4,11 @@
         "java-base": "11",
         "java-devel": "11",  # There is an error when trying to use the jdk 21 (since nifi 1.26.0)
     },
+    {
+        "product": "1.28.1",
+        "java-base": "11",
+        "java-devel": "11",
+    },
     {
         "product": "2.0.0",
         "java-base": "21",

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+upstream = "https://github.com/apache/nifi"`
	`2`	`+base = "883338fe28883733417d10f6ffa9319e75f5ea06"`