[jira] [Resolved] (NIFI-15653) DeleteSFTP fails security check when path flowfile attribute is "." due to Path.normalize() returning empty string

Fri, 22 May 2026 09:27:05 -0700 


     [ 
https://issues.apache.org/jira/browse/NIFI-15653?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Peter Turcsanyi resolved NIFI-15653.
------------------------------------
    Fix Version/s: 2.10.0
       Resolution: Fixed

> DeleteSFTP fails security check when path flowfile attribute is "." due to 
> Path.normalize() returning empty string
> ------------------------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-15653
>                 URL: https://issues.apache.org/jira/browse/NIFI-15653
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 2.3.0
>         Environment: MiNiFi 2.3.0, OpenJDK 21 (headless), Rocky Linux 9
>            Reporter: Hazal Yilmaz
>            Priority: Minor
>             Fix For: 2.10.0
>
>         Attachments: Screenshot 2026-02-27 130053-1.png, Screenshot 
> 2026-02-27 130116-1.png
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> {{DeleteSFTP}} routes to the {{failure}} relationship when the {{path}} 
> flowfile attribute is {{"."}} (a single dot), which is the value set by 
> {{ListSFTP}} when configured with {*}Remote Path = {{.}}{*}. {{ListSFTP}} and 
> {{FetchSFTP}} handle this value successfully; only {{DeleteSFTP}} fails, 
> making the behavior inconsistent across the SFTP processor family.
> *Steps to Reproduce*
>  # Configure {{ListSFTP}} with Remote Path = {{.}}
>  # Connect {{ListSFTP → FetchSFTP → DeleteSFTP}} (completion strategy: Delete 
> File)
>  # Set {{DeleteSFTP}} Directory Path = {{${path}}}
>  # Run the flow — {{DeleteSFTP}} routes to failure
> Error seen in logs
> *{{ERROR - DeleteSFTP: Attempting to delete file at path 'testfile.txt' which 
> is not a direct child of the directory ""}}*
> *Root Cause*
> {{java.nio.file.Paths.normalize()}} collapses {{"."}} to {{""}} (empty 
> string), while {{getParent()}} on a single-component path returns 
> {{{}null{}}}. The security check compares these two values and fails because 
> {{{}"" != null{}}}, causing the processor to incorrectly route to failure.
> "Note: the path shown in the error message ({{{}test-delete-777{}}}) is the 
> normalized result of {{{}./test-delete-777{}}}, not just the filename — this 
> is what makes the parent comparison fail."



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to