rakesh-rsky opened a new pull request, #11266:
URL: https://github.com/apache/nifi/pull/11266

   ### Summary
   
   When the **Remote Path** property is configured as `.` (dot) — the default produced by **ListSFTP** — DeleteSFTP incorrectly routes every FlowFile to the failure relationship instead of deleting the file.
   
   ### Root Cause
   
   ```java
   final Path directoryPath = Paths.get(directoryPathProperty).normalize(); // "." → ""
   final Path filePath = directoryPath.resolve(filename).normalize();        // "" + "test.txt" → "test.txt"

   if (!directoryPath.equals(filePath.getParent())) { // "".equals(null) → false ← bug
       // guard fires: FlowFile is routed to the failure relationship
   }
   ```
   
   `Paths.get(".").normalize()` returns an empty Path (`""`). Resolving a filename against that path yields a single-component relative path whose `getParent()` returns `null`. The check `Paths.get("").equals(null)` is always `false`, so the security guard fires incorrectly for every valid file.
   
   ### Fix
   
   ```java
   final Path fileParent = filePath.getParent();
   if (!directoryPath.equals(fileParent == null ? Paths.get("") : fileParent)) { // "".equals("") → true, guard does not fire
       // guard fires only when the resolved parent differs from the configured directory
   }
   ```
   
   When `fileParent` is `null` (single-component relative path), substitute `Paths.get("")` — the same empty-path value that `directoryPath` holds. Both represent the implicit current directory, so the check now passes correctly.
   
   Path-traversal attempts (e.g. ../etc/passwd) still produce a non-empty 
parent that does not equal the empty directoryPath, so the security guard 
remains fully intact.
   
   ### Testing
   
   Added `TestDeleteSFTP.deletesFileWhenDirectoryPathIsDot()` using the existing embedded SSH server to confirm that a file in the root of the SFTP server is successfully deleted when the directory property is set to `.`.
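The following stand-alone program is an added illustration, not code from the PR or from the NiFi project. It reproduces the `java.nio.file.Path` behaviour the PR describes and runs the original guard and the fixed guard side by side over constructed inputs: the `.` directory with a plain filename (where the two guards differ), the traversal case from the PR (where both reject), and a non-dot directory (where the fix changes nothing). The method names `originalGuardRejects` and `fixedGuardRejects` and the sample directory `/upload` are hypothetical; path semantics assume a POSIX-style filesystem.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class DotDirectoryCheckDemo {

    // Guard as the PR describes the original code: compare the configured directory
    // with the parent of the resolved file path. Returns true when the guard fires
    // (i.e. the FlowFile would be routed to failure).
    static boolean originalGuardRejects(String directoryProperty, String filename) {
        final Path directoryPath = Paths.get(directoryProperty).normalize();
        final Path filePath = directoryPath.resolve(filename).normalize();
        return !directoryPath.equals(filePath.getParent());
    }

    // Guard with the PR's fix applied: a null parent means the implicit current
    // directory, which is the same empty Path that Paths.get(".").normalize() yields.
    static boolean fixedGuardRejects(String directoryProperty, String filename) {
        final Path directoryPath = Paths.get(directoryProperty).normalize();
        final Path filePath = directoryPath.resolve(filename).normalize();
        final Path fileParent = filePath.getParent();
        return !directoryPath.equals(fileParent == null ? Paths.get("") : fileParent);
    }

    public static void main(String[] args) {
        // Show the two JDK behaviours the root cause rests on.
        System.out.println("Paths.get(\".\").normalize()  = \"" + Paths.get(".").normalize() + "\"");
        System.out.println("Paths.get(\"test.txt\").getParent() = " + Paths.get("test.txt").getParent());

        // Constructed sample inputs; "." is the default Remote Path produced by ListSFTP.
        report(".", "test.txt");        // original rejects (bug), fixed accepts
        report(".", "../etc/passwd");   // both reject: the fix does not weaken the guard
        report("/upload", "test.txt");  // both accept: unchanged by the fix
        report("/upload", "../test.txt"); // both reject: parent is "/" not "/upload"
    }

    private static void report(String dir, String name) {
        System.out.printf("dir=%-8s file=%-15s originalRejects=%-5b fixedRejects=%b%n",
                dir, name, originalGuardRejects(dir, name), fixedGuardRejects(dir, name));
    }
}
```

Run it with `java DotDirectoryCheckDemo.java` (JDK 11 or later). The first line of the `.` case is the whole bug: `normalize()` collapses `.` to the empty path, the empty path resolves a bare filename to a single-component path, and `getParent()` on that path is `null`, so the original equality check can never succeed. The traversal row shows why the fix is safe: a `..` component survives `normalize()`, giving a non-null parent that still fails to match the configured directory.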

