Re: [PR] NIFI-12297 Standardize File Path resolution in Persistence Providers [nifi]

2023-11-03 Thread via GitHub


markap14 commented on PR #7975:
URL: https://github.com/apache/nifi/pull/7975#issuecomment-1792759105

   Merged to `main` @exceptionfactory but it conflicts with the 
`support/nifi-1.x` branch. Jira targets that branch as well. If you'd like to 
have it merged to the support branch, do you mind pushing a new PR for that?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@nifi.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



Re: [PR] NIFI-12297 Standardize File Path resolution in Persistence Providers [nifi]

2023-11-03 Thread via GitHub


markap14 merged PR #7975:
URL: https://github.com/apache/nifi/pull/7975





Re: [PR] NIFI-12297 Standardize File Path resolution in Persistence Providers [nifi]

2023-11-03 Thread via GitHub


markap14 commented on PR #7975:
URL: https://github.com/apache/nifi/pull/7975#issuecomment-1792749955

   Thanks for the cleanup here @exceptionfactory all looks good to me. +1 will 
merge.





Re: [PR] NIFI-12297 Standardize File Path resolution in Persistence Providers [nifi]

2023-11-02 Thread via GitHub


github-advanced-security[bot] commented on code in PR #7975:
URL: https://github.com/apache/nifi/pull/7975#discussion_r1380933669


##
nifi-registry/nifi-registry-core/nifi-registry-framework/src/main/java/org/apache/nifi/registry/provider/flow/FileSystemFlowPersistenceProvider.java:
##
@@ -174,13 +186,37 @@
 }
 
 if (LOGGER.isDebugEnabled()) {
-LOGGER.debug("Deleted snapshot at {}", new Object[] 
{snapshotFile.getAbsolutePath()});
+LOGGER.debug("Deleted snapshot at {}", 
snapshotFile.getAbsolutePath());
 }
 }
 
 protected File getSnapshotFile(final String bucketId, final String flowId, 
final int version) {
-final String snapshotFilename = bucketId + "/" + flowId + "/" + 
version + "/" + version + SNAPSHOT_EXTENSION;
-return new File(flowStorageDir, snapshotFilename);
+final String versionExtension = version + SNAPSHOT_EXTENSION;
+final Path snapshotLocation = Paths.get(getNormalizedId(bucketId), 
getNormalizedId(flowId), Integer.toString(version), versionExtension);
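
Review bot: getSnapshotFile used the raw bucketId and flowId in the removed concatenation and now passes both through getNormalizedId(...) before Paths.get(...), so any identifier that getNormalizedId changes will map to a different directory than the one existing snapshots were written under. Please add a unit test asserting that a previously valid identifier resolves to the same relative location as before, or state the intended behaviour in a method comment.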

Review Comment:
   ## Uncontrolled data used in path expression
   
   This path depends on a [user-provided value](1).
   This path depends on a [user-provided value](2).
   
   [Show more details](https://github.com/apache/nifi/security/code-scanning/59)



##
nifi-registry/nifi-registry-core/nifi-registry-framework/src/main/java/org/apache/nifi/registry/provider/extension/FileSystemBundlePersistenceProvider.java:
##
@@ -227,7 +237,11 @@
 
 final String bundleFileExtension = getBundleFileExtension(bundleType);
 final String bundleFilename = sanitize(artifactId) + "-" + 
sanitize(version) + bundleFileExtension;
-return new File(parentDir, bundleFilename);
+return getChildLocation(parentDir, Paths.get(bundleFilename));
+}
+
+static Path getArtifactPath(final String bucketId, final String groupId, 
final String artifactId) {
+return Paths.get(getNormalizedBucketId(bucketId), sanitize(groupId), 
sanitize(artifactId)).normalize();
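
Review bot: getArtifactPath mixes two helpers, getNormalizedBucketId(bucketId) for the first element and sanitize(...) for groupId and artifactId, and returns a relative Path with no containment check of its own. A short Javadoc should say what each helper guarantees and that the result must still be resolved through getChildLocation(...) by the caller, because normalize() on a relative path leaves any leading `..` elements in place.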

Review Comment:
   ## Uncontrolled data used in path expression
   
   This path depends on a [user-provided value](1).
   
   [Show more details](https://github.com/apache/nifi/security/code-scanning/64)



##
nifi-registry/nifi-registry-core/nifi-registry-framework/src/main/java/org/apache/nifi/registry/provider/flow/FileSystemFlowPersistenceProvider.java:
##
@@ -174,13 +186,37 @@
 }
 
 if (LOGGER.isDebugEnabled()) {
-LOGGER.debug("Deleted snapshot at {}", new Object[] 
{snapshotFile.getAbsolutePath()});
+LOGGER.debug("Deleted snapshot at {}", 
snapshotFile.getAbsolutePath());
 }
 }
 
 protected File getSnapshotFile(final String bucketId, final String flowId, 
final int version) {
-final String snapshotFilename = bucketId + "/" + flowId + "/" + 
version + "/" + version + SNAPSHOT_EXTENSION;
-return new File(flowStorageDir, snapshotFilename);
+final String versionExtension = version + SNAPSHOT_EXTENSION;
+final Path snapshotLocation = Paths.get(getNormalizedId(bucketId), 
getNormalizedId(flowId), Integer.toString(version), versionExtension);
+return getChildLocation(flowStorageDir, snapshotLocation);
+}
+
+private File getChildLocation(final File parentDir, final Path 
childLocation) {
+final Path parentPath = parentDir.toPath().normalize();
+final Path childPathNormalized = childLocation.normalize();
+final Path childPath = parentPath.resolve(childPathNormalized);
+if (childPath.startsWith(parentPath)) {
+return childPath.toFile();
+}
+throw new IllegalArgumentException(String.format("Child location not 
valid [%s]", childLocation));
 }
 
+private Path getNormalizedIdPath(final String id) {
+final String normalizedId = getNormalizedId(id);
+return Paths.get(normalizedId).normalize();
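
Review bot: In getChildLocation the result of parentPath.resolve(childPathNormalized) is never normalized, so the startsWith(parentPath) test does not reject a child that still begins with `..` after its own normalize(): the resolved path keeps parentPath as its leading elements followed by `..`, and Path.startsWith only compares name elements. Normalize after resolving, for example `parentPath.resolve(childLocation).normalize()`, and run startsWith on that value; as written, containment rests entirely on what getNormalizedId removes. normalize() is also purely lexical, so symbolic links under parentDir are not covered by this check.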

Review Comment:
   ## Uncontrolled data used in path expression
   
   This path depends on a [user-provided value](1).
   This path depends on a [user-provided value](2).
   This path depends on a [user-provided value](3).
   This path depends on a [user-provided value](4).
   This path depends on a [user-provided value](5).
   
   [Show more details](https://github.com/apache/nifi/security/code-scanning/65)






[PR] NIFI-12297 Standardize File Path resolution in Persistence Providers [nifi]

2023-11-02 Thread via GitHub


exceptionfactory opened a new pull request, #7975:
URL: https://github.com/apache/nifi/pull/7975

   # Summary
   
   [NIFI-12297](https://issues.apache.org/jira/browse/NIFI-12297) Standardizes 
file path resolution in the NiFi Registry File System Bundle and Flow 
Persistence Providers, as well as the file-backed Registry client for system 
tests.
   
   These changes replace string concatenation and related strategies with a 
standard approach using Java NIO Paths. Using Paths ensures consistent 
directory separator handling and path normalization.
   
   Additional changes include updating related unit tests to reuse shared 
identifier values.
   
   # Tracking
   
   Please complete the following tracking steps prior to pull request creation.
   
   ### Issue Tracking
   
   - [X] [Apache NiFi Jira](https://issues.apache.org/jira/browse/NIFI) issue 
created
   
   ### Pull Request Tracking
   
   - [X] Pull Request title starts with Apache NiFi Jira issue number, such as 
`NIFI-0`
   - [X] Pull Request commit message starts with Apache NiFi Jira issue number, 
such as `NIFI-0`
   
   ### Pull Request Formatting
   
   - [X] Pull Request based on current revision of the `main` branch
   - [X] Pull Request refers to a feature branch with one commit containing 
changes
   
   # Verification
   
   Please indicate the verification steps performed prior to pull request 
creation.
   
   ### Build
   
   - [X] Build completed using `mvn clean install -P contrib-check`
     - [X] JDK 21
   
   ### Licensing
   
   - [ ] New dependencies are compatible with the [Apache License 
2.0](https://apache.org/licenses/LICENSE-2.0) according to the [License 
Policy](https://www.apache.org/legal/resolved.html)
   - [ ] New dependencies are documented in applicable `LICENSE` and `NOTICE` 
files
   
   ### Documentation
   
   - [ ] Documentation formatting appears as expected in rendered files
   




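An added illustration of the approach the pull request summary describes (not code from the pull request or the NiFi project): a relative location built from identifiers is resolved against a storage directory with Java NIO, and containment is checked after the resolved path is normalized. The class name, method names, directory name and sample identifiers are constructed for this example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;

// Added example: class, method and directory names are hypothetical.
public class ChildLocationExample {

    // Resolve the relative location first, normalize the combined path,
    // then require the result to sit strictly below the parent directory.
    // normalize() is lexical only and does not follow symbolic links.
    static Path resolveChild(final Path parentDir, final String first, final String... more) {
        final Path parent = parentDir.toAbsolutePath().normalize();
        final Path relative = Paths.get(first, more);
        final Path child = parent.resolve(relative).normalize();
        if (child.startsWith(parent) && !child.equals(parent)) {
            return child;
        }
        throw new IllegalArgumentException(String.format("Child location not valid [%s]", relative));
    }

    // Returns the resolved path as text, or the rejection message.
    static String attempt(final Path parentDir, final String first, final String... more) {
        try {
            return resolveChild(parentDir, first, more).toString();
        } catch (final IllegalArgumentException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(final String[] args) {
        final Path storage = Paths.get("flow_storage"); // constructed directory name
        // Constructed sample identifiers, one case per row.
        final String[][] samples = {
            {"bucket1", "flow1", "1", "1.snapshot"}, // ordinary identifiers
            {"bucket1", "..", "bucket2"},            // ".." after a name element
            {"..", "other", "1.snapshot"},           // leading ".." element
            {"..", "flow_storage_old", "x"},         // sibling sharing a string prefix
            {""},                                    // empty identifier
        };
        for (final String[] sample : samples) {
            final String[] more = Arrays.copyOfRange(sample, 1, sample.length);
            System.out.println(String.join("/", sample) + " -> " + attempt(storage, sample[0], more));
        }
    }
}
```

Path.startsWith compares whole name elements, which is why the sibling-directory row is handled differently from a string prefix comparison. Covering symbolic links below the parent would additionally need toRealPath() on a path that already exists.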

Re: [PR] NIFI-12297 Standardize File Path resolution in Persistence Providers [nifi]

2023-11-01 Thread via GitHub


exceptionfactory closed pull request #7968: NIFI-12297 Standardize File Path 
resolution in Persistence Providers
URL: https://github.com/apache/nifi/pull/7968





Re: [PR] NIFI-12297 Standardize File Path resolution in Persistence Providers [nifi]

2023-11-01 Thread via GitHub


github-advanced-security[bot] commented on code in PR #7968:
URL: https://github.com/apache/nifi/pull/7968#discussion_r1379146462


##
nifi-registry/nifi-registry-core/nifi-registry-framework/src/main/java/org/apache/nifi/registry/provider/extension/FileSystemBundlePersistenceProvider.java:
##
@@ -227,7 +231,11 @@
 
 final String bundleFileExtension = getBundleFileExtension(bundleType);
 final String bundleFilename = sanitize(artifactId) + "-" + 
sanitize(version) + bundleFileExtension;
-return new File(parentDir, bundleFilename);
+return getChildLocation(parentDir, Paths.get(bundleFilename));
+}
+
+static Path getArtifactPath(final String bucketId, final String groupId, 
final String artifactId) {
+return Paths.get(sanitize(bucketId), sanitize(groupId), 
sanitize(artifactId)).normalize();
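
Review bot: The changed return line now calls Paths.get(bundleFilename), which throws the unchecked InvalidPathException for strings the file system rejects, where `new File(parentDir, bundleFilename)` did not. The visible lines do not show whether sanitize(...) removes every such character, so either document that guarantee on sanitize or catch the exception here and rethrow it as the provider's own exception type so callers see one failure mode.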

Review Comment:
   ## Uncontrolled data used in path expression
   
   This path depends on a [user-provided value](1).
   
   [Show more details](https://github.com/apache/nifi/security/code-scanning/60)



##
nifi-system-tests/nifi-system-test-extensions-bundle/nifi-system-test-extensions/src/main/java/org/apache/nifi/flow/registry/FileSystemFlowRegistryClient.java:
##
@@ -393,4 +380,24 @@
 .max();
 return greatestValue.orElse(-1);
 }
+
+private File getFlowDirectory(final FlowRegistryClientConfigurationContext 
context, final String bucketId, final String flowId) {
+final File rootDir = getRootDirectory(context);
+final File bucketDir = getChildLocation(rootDir, 
getNormalizedIdPath(bucketId));
+return getChildLocation(bucketDir, getNormalizedIdPath(flowId));
+}
+
+private Path getNormalizedIdPath(final String id) {
+final String normalizedId = id.replaceAll("\\.", "").replaceAll("/", 
"").trim();
+return Paths.get(normalizedId).normalize();
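
Review bot: getNormalizedIdPath can return an empty path, since an id made up only of dots, slashes and whitespace is reduced to "" by the two replaceAll calls and trim(), and resolving an empty path against a directory yields that directory itself, so getFlowDirectory would hand back bucketDir or rootDir. Reject a blank normalizedId with an IllegalArgumentException before calling Paths.get. Two smaller points on the same line: the backslash separator is not stripped, and String.replace(".", "") would avoid the regex escaping.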

Review Comment:
   ## Uncontrolled data used in path expression
   
   This path depends on a [user-provided value](1).
   This path depends on a [user-provided value](2).
   This path depends on a [user-provided value](3).
   This path depends on a [user-provided value](4).
   This path depends on a [user-provided value](5).
   This path depends on a [user-provided value](6).
   This path depends on a [user-provided value](7).
   This path depends on a [user-provided value](8).
   This path depends on a [user-provided value](9).
   
   [Show more details](https://github.com/apache/nifi/security/code-scanning/62)



##
nifi-registry/nifi-registry-core/nifi-registry-framework/src/main/java/org/apache/nifi/registry/provider/flow/FileSystemFlowPersistenceProvider.java:
##
@@ -174,13 +180,32 @@
 }
 
 if (LOGGER.isDebugEnabled()) {
-LOGGER.debug("Deleted snapshot at {}", new Object[] 
{snapshotFile.getAbsolutePath()});
+LOGGER.debug("Deleted snapshot at {}", 
snapshotFile.getAbsolutePath());
 }
 }
 
 protected File getSnapshotFile(final String bucketId, final String flowId, 
final int version) {
-final String snapshotFilename = bucketId + "/" + flowId + "/" + 
version + "/" + version + SNAPSHOT_EXTENSION;
-return new File(flowStorageDir, snapshotFilename);
+final String versionExtension = version + SNAPSHOT_EXTENSION;
+final Path snapshotLocation = Paths.get(getNormalizedId(bucketId), 
getNormalizedId(flowId), Integer.toString(version), versionExtension);
+return getChildLocation(flowStorageDir, snapshotLocation);
 }
 
+private File getChildLocation(final File parentDir, final Path 
childLocation) {
+final Path parentPath = parentDir.toPath().normalize();
+final Path childPathNormalized = childLocation.normalize();
+final Path childPath = parentPath.resolve(childPathNormalized);
+if (childPath.startsWith(parentPath)) {
+return childPath.toFile();
+}
+throw new IllegalArgumentException(String.format("Child location not 
valid [%s]", childLocation));
+}
+
+private Path getNormalizedIdPath(final String id) {
+final String normalizedId = getNormalizedId(id);
+return Paths.get(normalizedId).normalize();
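
Review bot: getChildLocation is declared private here, yet the same pull request calls a getChildLocation in FileSystemBundlePersistenceProvider and in FileSystemFlowRegistryClient, which implies a separate copy per class. Since the change is about standardizing path resolution, consider moving the containment check into one shared utility with its own unit tests so the copies cannot drift apart.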

Review Comment:
   ## Uncontrolled data used in path expression
   
   This path depends on a [user-provided value](1).
   This path depends on a [user-provided value](2).
   This path depends on a [user-provided value](3).
   This path depends on a [user-provided value](4).
   This path depends on a [user-provided value](5).
   
   [Show more details](https://github.com/apache/nifi/security/code-scanning/61)



##
nifi-registry/nifi-registry-core/nifi-registry-framework/src/main/java/org/apache/nifi/registry/provider/flow/FileSystemFlowPersistenceProvider.java:
##
@@ -174,13 +180,32 @@
 }
 
 if (LOGGER.isDebugEnabled()) {
-LOGGER.debug("Deleted snapshot at {}", new Object[] 
{snapshotFile.

[PR] NIFI-12297 Standardize File Path resolution in Persistence Providers [nifi]

2023-11-01 Thread via GitHub


exceptionfactory opened a new pull request, #7968:
URL: https://github.com/apache/nifi/pull/7968

   # Summary
   
   [NIFI-12297](https://issues.apache.org/jira/browse/NIFI-12297) Standardizes 
file path resolution in the NiFi Registry File System Bundle and Flow 
Persistence Providers, as well as the file-backed client for system tests. 
These changes replace string concatenation and related strategies with a 
standard approach using Java NIO Paths. Using Paths ensures consistent 
directory separator handling and path normalization.
   
   Additional changes include updating related unit tests to reuse shared 
identifier values.
   
   # Tracking
   
   Please complete the following tracking steps prior to pull request creation.
   
   ### Issue Tracking
   
   - [X] [Apache NiFi Jira](https://issues.apache.org/jira/browse/NIFI) issue 
created
   
   ### Pull Request Tracking
   
   - [X] Pull Request title starts with Apache NiFi Jira issue number, such as 
`NIFI-0`
   - [X] Pull Request commit message starts with Apache NiFi Jira issue number, 
such as `NIFI-0`
   
   ### Pull Request Formatting
   
   - [X] Pull Request based on current revision of the `main` branch
   - [X] Pull Request refers to a feature branch with one commit containing 
changes
   
   # Verification
   
   Please indicate the verification steps performed prior to pull request 
creation.
   
   ### Build
   
   - [X] Build completed using `mvn clean install -P contrib-check`
     - [X] JDK 21
   
   ### Licensing
   
   - [ ] New dependencies are compatible with the [Apache License 
2.0](https://apache.org/licenses/LICENSE-2.0) according to the [License 
Policy](https://www.apache.org/legal/resolved.html)
   - [ ] New dependencies are documented in applicable `LICENSE` and `NOTICE` 
files
   
   ### Documentation
   
   - [ ] Documentation formatting appears as expected in rendered files
   

