diff --git a/CHANGELOG.md b/CHANGELOG.md index 1aad3e819..be778a0dd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -27,7 +27,8 @@ All notable changes to this project will be documented in this file. - trino-cli: Add version 470 ([#999]). - trino-storage-connector: Add version 470 ([#999]). - superset: Add version `4.1.1` ([#991]). -- Added Patchable patch management tool ([#1003]). +- Add Patchable patch management tool ([#1003]). +- nifi: Add 1.28.1, 2.2.0 ([#1006]). ### Changed @@ -44,6 +45,7 @@ All notable changes to this project will be documented in this file. - trino: Remove 469 ([#999]). - trino-cli: Remove version 469 ([#999]). - trino-storage-connector: Remove version 469 ([#999]). +- nifi: Remove 2.0.0 ([#1006]). ### Fixed @@ -74,6 +76,7 @@ All notable changes to this project will be documented in this file. [#999]: https://github.com/stackabletech/docker-images/pull/999 [#1000]: https://github.com/stackabletech/docker-images/pull/1000 [#1003]: https://github.com/stackabletech/docker-images/pull/1003 +[#1006]: https://github.com/stackabletech/docker-images/pull/1006 ## [24.11.1] - 2025-01-14 diff --git a/nifi/stackable/patches/1.28.1/0001-no-zip-assembly.patch b/nifi/stackable/patches/1.28.1/0001-no-zip-assembly.patch new file mode 100644 index 000000000..d98d0559b --- /dev/null +++ b/nifi/stackable/patches/1.28.1/0001-no-zip-assembly.patch @@ -0,0 +1,26 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Nick Larsen +Date: Mon, 17 Feb 2025 15:13:39 +0100 +Subject: no zip assembly + +--- + nifi-assembly/pom.xml | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/nifi-assembly/pom.xml b/nifi-assembly/pom.xml +index 27928cf67e..d00154626a 100644 +--- a/nifi-assembly/pom.xml ++++ b/nifi-assembly/pom.xml +@@ -66,7 +66,6 @@ language governing permissions and limitations under the License. --> + posix + + dir +- zip + + + + +base-commit: 883338fe28883733417d10f6ffa9319e75f5ea06 +-- +2.40.1 + 
diff --git a/nifi/stackable/patches/1.28.1/0002-allow-bypassing-check-for-host-header.patch b/nifi/stackable/patches/1.28.1/0002-allow-bypassing-check-for-host-header.patch
new file mode 100644
index 000000000..ea042b522
--- /dev/null
+++ b/nifi/stackable/patches/1.28.1/0002-allow-bypassing-check-for-host-header.patch
@@ -0,0 +1,65 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nick Larsen
+Date: Mon, 17 Feb 2025 15:19:01 +0100
+Subject: allow bypassing check for host header
+
+NiFi has the configuration option 'nifi.web.proxy.host' which controls allowed
+values for the host header field in any incoming request for the web ui.
+
+This frequently causes issues when trying to expose the NiFi UI via for example
+an ingress, loadbalancer or any similar type of mechanism.
+
+NiFi does not allow to disable this behavior, so at the moment the nifi operator
+simply hardcodes all even remotely possible values into this field.
+But in order to allow putting for example in ingress in front of NiFi this means
+using config overrides to change the value of this option, copy all the values
+the operator put in there and add the extra value you need.
+
+This is less than ideal, the proper solution would probably be
+https://github.com/stackabletech/nifi-operator/issues/604
+
+But until that is merged this is a simple workaround that allows overriding the list of allowed
+hostnames by just setting it to "*" and this will effectively bypass the hostname check entirely if set.
+
+This allows us to keep the default behavior in place for those users where it works and not remove
+security features, but also enables users to disable this check if they know what they are doing.
+---
+ .../org/apache/nifi/web/server/HostHeaderHandler.java | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java
+index dd4bbf54c0..ea1b5b2da1 100644
+--- a/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java
++++ b/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java
+@@ -47,6 +47,7 @@ public class HostHeaderHandler extends ScopedHandler {
+ private final String serverName;
+ private final int serverPort;
+ private final List validHosts;
++ private boolean allowAllHosts = false;
+
+ /**
+ * Instantiates a handler with a given server name and port 0.
+@@ -107,6 +108,11 @@ public class HostHeaderHandler extends ScopedHandler {
+ // The value(s) from nifi.web.proxy.host
+ hosts.addAll(parseCustomHostnames(niFiProperties));
+
++ // Check if the setting for allowed hosts has only the wildcard entry and
++ // if so store this in allowAllHost for later use
++ List configuredHostNames = niFiProperties.getAllowedHostsAsList();
++ this.allowAllHosts = configuredHostNames.size() == 1 && configuredHostNames.contains("*");
++
+ // empty is ok here
+ hosts.add("");
+
+@@ -205,7 +211,7 @@ public class HostHeaderHandler extends ScopedHandler {
+ }
+
+ boolean hostHeaderIsValid(String hostHeader) {
+- return validHosts.contains(hostHeader.toLowerCase().trim());
++ return this.allowAllHosts || validHosts.contains(hostHeader.toLowerCase().trim());
+ }
+
+ @Override
+--
+2.40.1
+
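Review bot: When `nifi.web.proxy.host` is exactly `*`, the constructor hunk sets `allowAllHosts` without any log output, so a node running with Host header validation switched off is indistinguishable in the logs from one that enforces it. A startup warning right after the assignment would make the state auditable, e.g. `if (this.allowAllHosts) { logger.warn("nifi.web.proxy.host is \"*\": Host header validation is disabled"); }` (this assumes the class already has a logger, which the hunk does not show). The match is also strict: `size() == 1 && contains("*")` leaves the check enforced for a list such as `*,nifi.example.org`, which deserves a comment like `// "*" disables the check only when it is the sole configured entry`. The constructor body continues outside the hunk, and the 2.2.0 copy of this patch (renamed from 2.0.0, body not shown in this diff) presumably carries the same code.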
diff --git a/nifi/stackable/patches/1.28.1/0003-add-cyclonedx-plugin.patch b/nifi/stackable/patches/1.28.1/0003-add-cyclonedx-plugin.patch new file mode 100644 index 000000000..fabb944f1 --- /dev/null +++ b/nifi/stackable/patches/1.28.1/0003-add-cyclonedx-plugin.patch @@ -0,0 +1,41 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Nick Larsen +Date: Mon, 17 Feb 2025 15:25:52 +0100 +Subject: add cyclonedx plugin + +--- + pom.xml | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/pom.xml b/pom.xml +index 672c023277..641d772286 100644 +--- a/pom.xml ++++ b/pom.xml +@@ -1091,6 +1091,24 @@ + + + ++ ++ org.cyclonedx ++ cyclonedx-maven-plugin ++ 2.8.0 ++ ++ application ++ 1.5 ++ false ++ ++ ++ ++ package ++ ++ makeBom ++ ++ ++ ++ + + + +-- +2.40.1 + diff --git a/nifi/stackable/patches/2.0.0/004-CVE-2024-36114-bump-aircompressor-0-27.patch b/nifi/stackable/patches/1.28.1/0004-CVE-2024-36114-bump-aircompressor-to-0.27.patch similarity index 73% rename from nifi/stackable/patches/2.0.0/004-CVE-2024-36114-bump-aircompressor-0-27.patch rename to nifi/stackable/patches/1.28.1/0004-CVE-2024-36114-bump-aircompressor-to-0.27.patch index 5415c0556..fc3404c91 100644 --- a/nifi/stackable/patches/2.0.0/004-CVE-2024-36114-bump-aircompressor-0-27.patch +++ b/nifi/stackable/patches/1.28.1/0004-CVE-2024-36114-bump-aircompressor-to-0.27.patch @@ -1,4 +1,8 @@ -Fix CVE-2024-36114 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Nick Larsen +Date: Mon, 17 Feb 2025 15:27:01 +0100 +Subject: CVE-2024-36114 bump aircompressor to 0.27 + see https://github.com/stackabletech/vulnerabilities/issues/834 Aircompressor is a library with ports of the Snappy, LZO, LZ4, and 
@@ -17,12 +21,15 @@ have been fixed. When decompressing data from untrusted users, this can be exploited for a denial-of-service attack by crashing the JVM, or to leak other sensitive information from the Java process. There are no known workarounds for this issue. +--- + nifi-assembly/pom.xml | 6 ++++++ + 1 file changed, 6 insertions(+) diff --git a/nifi-assembly/pom.xml b/nifi-assembly/pom.xml -index e980e507c6..01eb16795d 100644 +index d00154626a..da38056c7a 100644 --- a/nifi-assembly/pom.xml +++ b/nifi-assembly/pom.xml -@@ -98,6 +98,12 @@ language governing permissions and limitations under the License. --> +@@ -97,6 +97,12 @@ language governing permissions and limitations under the License. --> @@ -32,6 +39,9 @@ index e980e507c6..01eb16795d 100644 + aircompressor + 0.27 + - - ch.qos.logback - logback-classic + + javax.servlet + javax.servlet-api +-- +2.40.1 + diff --git a/nifi/stackable/patches/1.28.1/patchable.toml b/nifi/stackable/patches/1.28.1/patchable.toml new file mode 100644 index 000000000..d0d1eb71f --- /dev/null +++ b/nifi/stackable/patches/1.28.1/patchable.toml @@ -0,0 +1,2 @@ +upstream = "https://github.com/apache/nifi" +base = "883338fe28883733417d10f6ffa9319e75f5ea06" diff --git a/nifi/stackable/patches/2.0.0/003-patch-cyclonedx-plugin.patch b/nifi/stackable/patches/2.0.0/003-patch-cyclonedx-plugin.patch deleted file mode 100644 index 244cf94b2..000000000 --- a/nifi/stackable/patches/2.0.0/003-patch-cyclonedx-plugin.patch +++ /dev/null @@ -1,29 +0,0 @@ -diff --git a/pom.xml b/pom.xml -index 3190206e88..7e754f691d 100644 ---- a/pom.xml -+++ b/pom.xml -@@ -974,6 +974,24 @@ - - - -+ -+ org.cyclonedx -+ cyclonedx-maven-plugin -+ 2.8.0 -+ -+ application -+ 1.5 -+ false -+ -+ -+ -+ package -+ -+ makeBom -+ -+ -+ -+ - - - 
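Review bot: The aircompressor pin for CVE-2024-36114 now lives only under `patches/1.28.1`; the visible diff moves it out of `patches/2.0.0` and adds no counterpart under `patches/2.2.0`, so the 2.2.0 image depends on whatever aircompressor version upstream resolves at that base commit. If upstream 2.2.0 has been checked to resolve 0.27 or later, that should be stated in the PR description or changelog so the dropped mitigation is traceable. Otherwise `0004-CVE-2024-36114-bump-aircompressor-to-0.27.patch` is needed under `patches/2.2.0` as well.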
diff --git a/nifi/stackable/patches/2.0.0/001-NIFI-no-zip-assembly-2.0.0.patch b/nifi/stackable/patches/2.2.0/0001-no-zip-assembly.patch similarity index 65% rename from nifi/stackable/patches/2.0.0/001-NIFI-no-zip-assembly-2.0.0.patch rename to nifi/stackable/patches/2.2.0/0001-no-zip-assembly.patch index f3e059e4e..b3e4f708e 100644 --- a/nifi/stackable/patches/2.0.0/001-NIFI-no-zip-assembly-2.0.0.patch +++ b/nifi/stackable/patches/2.2.0/0001-no-zip-assembly.patch @@ -1,5 +1,14 @@ +From afe4e4583747c2972d2590e9c1bd7de8b48aa300 Mon Sep 17 00:00:00 2001 +From: Nick Larsen +Date: Mon, 17 Feb 2025 17:26:20 +0100 +Subject: no zip assembly + +--- + nifi-assembly/pom.xml | 1 - + 1 file changed, 1 deletion(-) + diff --git a/nifi-assembly/pom.xml b/nifi-assembly/pom.xml -index e980e507c6..cb19c89367 100644 +index c04e1c8650..adcecd6206 100644 --- a/nifi-assembly/pom.xml +++ b/nifi-assembly/pom.xml @@ -66,7 +66,6 @@ language governing permissions and limitations under the License. --> diff --git a/nifi/stackable/patches/2.0.0/002-NIFI-no-host-header-check-2.0.0.patch b/nifi/stackable/patches/2.2.0/0002-allow-bypassing-check-for-host-header.patch similarity index 89% rename from nifi/stackable/patches/2.0.0/002-NIFI-no-host-header-check-2.0.0.patch rename to nifi/stackable/patches/2.2.0/0002-allow-bypassing-check-for-host-header.patch index e41ec137c..e9acc70c7 100644 --- a/nifi/stackable/patches/2.0.0/002-NIFI-no-host-header-check-2.0.0.patch +++ b/nifi/stackable/patches/2.2.0/0002-allow-bypassing-check-for-host-header.patch @@ -1,4 +1,8 @@ -Subject: [PATCH] Allow bypassing check for host header. +From f6888b73bf6c8b2889f8f7241cdce6714cd6a776 Mon Sep 17 00:00:00 2001 +From: Nick Larsen +Date: Mon, 17 Feb 2025 17:28:46 +0100 +Subject: allow bypassing check for host header + NiFi has the configuration option 'nifi.web.proxy.host' which controls allowed values for the host header field in any incoming request for the web ui. 
@@ -20,11 +24,9 @@ hostnames by just setting it to "*" and this will effectively bypass the hostnam This allows us to keep the default behavior in place for those users where it works and not remove security features, but also enables users to disable this check if they know what they are doing. --- -Index: nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java -IDEA additional info: -Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP -<+>UTF-8 -=================================================================== + .../org/apache/nifi/web/server/HostHeaderHandler.java | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + diff --git a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java b/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java index 97337d63e2..12ce1d8646 100644 --- a/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/src/main/java/org/apache/nifi/web/server/HostHeaderHandler.java diff --git a/nifi/stackable/patches/2.2.0/0003-add-cyclonedx-plugin.patch b/nifi/stackable/patches/2.2.0/0003-add-cyclonedx-plugin.patch new file mode 100644 index 000000000..76ddb2bd5 --- /dev/null +++ b/nifi/stackable/patches/2.2.0/0003-add-cyclonedx-plugin.patch @@ -0,0 +1,38 @@ +From fbf66d408aefd995a2ac4a2b213b25a12cb9e96c Mon Sep 17 00:00:00 2001 +From: Nick Larsen +Date: Mon, 17 Feb 2025 17:31:17 +0100 +Subject: add cyclonedx plugin + +--- + pom.xml | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/pom.xml b/pom.xml +index 7885e6c208..07e03e66cd 100644 +--- a/pom.xml ++++ b/pom.xml +@@ -1007,6 +1007,24 @@ + + + ++ ++ org.cyclonedx ++ cyclonedx-maven-plugin ++ 2.8.0 ++ ++ application ++ 1.5 ++ false ++ ++ ++ ++ package ++ ++ makeBom ++ ++ ++ ++ + + + 
diff --git a/nifi/stackable/patches/2.2.0/patchable.toml b/nifi/stackable/patches/2.2.0/patchable.toml new file mode 100644 index 000000000..7d7ff6a40 --- /dev/null +++ b/nifi/stackable/patches/2.2.0/patchable.toml @@ -0,0 +1,2 @@ +upstream = "https://github.com/apache/nifi" +base = "b33ffac8aa10992482f7fa54e6cfccc46a5e8e27" diff --git a/nifi/versions.py b/nifi/versions.py index 1500ef3ed..d4f63a92e 100644 --- a/nifi/versions.py +++ b/nifi/versions.py @@ -5,7 +5,12 @@ "java-devel": "11", # There is an error when trying to use the jdk 21 (since nifi 1.26.0) }, { - "product": "2.0.0", + "product": "1.28.1", + "java-base": "11", + "java-devel": "11", + }, + { + "product": "2.2.0", "java-base": "21", "java-devel": "21", },