[
https://issues.apache.org/jira/browse/NIFI-15653?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18082920#comment-18082920
]
ASF subversion and git services commented on NIFI-15653:
--------------------------------------------------------
Commit d7c74c7aeba36fa06cd2c7190054c8a003957248 in nifi's branch
refs/heads/main from Rakesh Kumar Singh
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=d7c74c7aeba ]
NIFI-15653 Fix DeleteSFTP security check for dot directory path
When the Remote Path property is set to '.' (as produced by ListSFTP),
Paths.get('.').normalize() returns an empty Path (''). Resolving a
filename against that empty path yields a single-component relative
path whose getParent() returns null, causing the directory-traversal
security check to fail incorrectly and route every FlowFile to the
failure relationship.
Fix: when fileParent is null (single-component relative path), substitute
Paths.get('') for the comparison. Both the empty normalized path and a
null parent represent the implicit current directory, so the check now
correctly passes. Path-traversal attempts (e.g. '../etc/passwd') still
produce a non-empty parent that does not equal the empty directoryPath,
so the security guard remains intact.
Add TestDeleteSFTP.deletesFileWhenDirectoryPathIsDot() to cover the
regression.
This closes #11266.
Signed-off-by: Peter Turcsanyi <[email protected]>
> DeleteSFTP fails security check when path flowfile attribute is "." due to
> Path.normalize() returning empty string
> ------------------------------------------------------------------------------------------------------------------
>
> Key: NIFI-15653
> URL: https://issues.apache.org/jira/browse/NIFI-15653
> Project: Apache NiFi
> Issue Type: Bug
> Affects Versions: 2.3.0
> Environment: MiNiFi 2.3.0, OpenJDK 21 (headless), Rocky Linux 9
> Reporter: Hazal Yilmaz
> Priority: Minor
> Attachments: Screenshot 2026-02-27 130053-1.png, Screenshot
> 2026-02-27 130116-1.png
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> {{DeleteSFTP}} routes to the {{failure}} relationship when the {{path}}
> flowfile attribute is {{"."}} (a single dot), which is the value set by
> {{ListSFTP}} when configured with {*}Remote Path = {{.}}{*}. {{ListSFTP}} and
> {{FetchSFTP}} handle this value successfully; only {{DeleteSFTP}} fails,
> making the behavior inconsistent across the SFTP processor family.
> *Steps to Reproduce*
> # Configure {{ListSFTP}} with Remote Path = {{.}}
> # Connect {{ListSFTP → FetchSFTP → DeleteSFTP}} (completion strategy: Delete
> File)
> # Set {{DeleteSFTP}} Directory Path = {{${path}}}
> # Run the flow — {{DeleteSFTP}} routes to failure
> Error seen in logs
> *{{ERROR - DeleteSFTP: Attempting to delete file at path 'testfile.txt' which
> is not a direct child of the directory ""}}*
> *Root Cause*
> {{java.nio.file.Paths.normalize()}} collapses {{"."}} to {{""}} (empty
> string), while {{getParent()}} on a single-component path returns
> {{{}null{}}}. The security check compares these two values and fails because
> {{{}"" != null{}}}, causing the processor to incorrectly route to failure.
> "Note: the path shown in the error message ({{{}test-delete-777{}}}) is the
> normalized result of {{{}./test-delete-777{}}}, not just the filename — this
> is what makes the parent comparison fail."
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
