Address review feedback

apache · Aug 6, 2024 · 41c2958 · 41c2958
1 parent c11242a
commit 41c2958
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 10 deletions.
diff --git a/nifi-commons/nifi-utils/src/main/java/org/apache/nifi/util/file/FileUtils.java b/nifi-commons/nifi-utils/src/main/java/org/apache/nifi/util/file/FileUtils.java
@@ -597,7 +597,7 @@ public static long getContainerUsableSpace(final Path path) {
      * @param filename The filename to clean
      * @return sanitized filename
      */
-    public static String sanitizeFilename(String filename) {
+    public static String getSanitizedFilename(String filename) {
         if (filename == null) {
             return null;
         }

diff --git a/...nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ParameterContextResource.java b/...nifi-web/nifi-web-api/src/main/java/org/apache/nifi/web/api/ParameterContextResource.java
@@ -132,6 +132,7 @@ public class ParameterContextResource extends AbstractParameterResource {
     private static final String FILENAME_HEADER = "Filename";
     private static final String CONTENT_TYPE_HEADER = "Content-Type";
     private static final String UPLOAD_CONTENT_TYPE = "application/octet-stream";
+    private static final long MAX_ASSET_SIZE_BYTES = (long) DataUnit.GB.toB(1);
 
     private NiFiServiceFacade serviceFacade;
     private Authorizer authorizer;
@@ -395,6 +396,11 @@ public Response createAsset(
             throw new IllegalArgumentException("Asset contents must be specified.");
         }
 
+        final String sanitizedAssetName = FileUtils.getSanitizedFilename(assetName);
+        if (!assetName.equals(sanitizedAssetName)) {
+            throw new IllegalArgumentException(FILENAME_HEADER + " header contains an invalid file name");
+        }
+
         // If clustered and not all nodes are connected, do not allow creating an asset.
         // Generally, we allow the flow to be modified when nodes are disconnected, but we do not allow creating an asset because
         // the cluster has no mechanism for synchronizing those assets after the upload.
@@ -430,16 +436,16 @@ public Response createAsset(
         // different request for each of the two phases.
 
         final long startTime = System.currentTimeMillis();
-        final InputStream maxLengthInputStream = new MaxLengthInputStream(assetContents, (long) DataUnit.GB.toB(1));
+        final InputStream maxLengthInputStream = new MaxLengthInputStream(assetContents, MAX_ASSET_SIZE_BYTES);
 
         final AssetEntity assetEntity;
         if (isReplicateRequest()) {
             final UploadRequest<AssetEntity> uploadRequest = new UploadRequest.Builder<AssetEntity>()
                     .user(NiFiUserUtils.getNiFiUser())
-                    .filename(assetName)
+                    .filename(sanitizedAssetName)
                     .identifier(UUID.randomUUID().toString())
                     .contents(maxLengthInputStream)
-                    .header(FILENAME_HEADER, assetName)
+                    .header(FILENAME_HEADER, sanitizedAssetName)
                     .header(CONTENT_TYPE_HEADER, UPLOAD_CONTENT_TYPE)
                     .exampleRequestUri(getAbsolutePath())
                     .responseClass(AssetEntity.class)
@@ -448,7 +454,6 @@ public Response createAsset(
             assetEntity = uploadRequestReplicator.upload(uploadRequest);
         } else {
             final String existingContextId = contextEntity.getId();
-            final String sanitizedAssetName = FileUtils.sanitizeFilename(assetName);
             final Asset asset = assetManager.createAsset(existingContextId, sanitizedAssetName, maxLengthInputStream);
             assetEntity = dtoFactory.createAssetEntity(asset);
         }

diff --git a/...it-cli/src/main/java/org/apache/nifi/toolkit/cli/impl/client/nifi/ParamContextClient.java b/...it-cli/src/main/java/org/apache/nifi/toolkit/cli/impl/client/nifi/ParamContextClient.java
@@ -24,6 +24,7 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Path;
 
 public interface ParamContextClient {
 
@@ -47,7 +48,7 @@ public interface ParamContextClient {
 
     AssetsEntity getAssets(String contextId) throws NiFiClientException, IOException;
 
-    File getAssetContent(String contextId, String assetId, File outputDirectory) throws NiFiClientException, IOException;
+    Path getAssetContent(String contextId, String assetId, File outputDirectory) throws NiFiClientException, IOException;
 
     AssetEntity deleteAsset(String contextId, String assetId) throws NiFiClientException, IOException;
 

diff --git a/...main/java/org/apache/nifi/toolkit/cli/impl/client/nifi/impl/JerseyParamContextClient.java b/...main/java/org/apache/nifi/toolkit/cli/impl/client/nifi/impl/JerseyParamContextClient.java
@@ -36,6 +36,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.file.Files;
+import java.nio.file.Path;
 import java.nio.file.StandardCopyOption;
 
 public class JerseyParamContextClient extends AbstractJerseyClient implements ParamContextClient {
@@ -217,7 +218,7 @@ public AssetsEntity getAssets(final String contextId) throws NiFiClientException
     }
 
     @Override
-    public File getAssetContent(final String contextId, final String assetId, final File outputDirectory)
+    public Path getAssetContent(final String contextId, final String assetId, final File outputDirectory)
             throws NiFiClientException, IOException {
         if (StringUtils.isBlank(contextId)) {
             throw new IllegalArgumentException("Parameter context id cannot be null or blank");
@@ -239,7 +240,7 @@ public File getAssetContent(final String contextId, final String assetId, final
 
             try (final InputStream responseInputStream = response.readEntity(InputStream.class)) {
                 Files.copy(responseInputStream, assetFile.toPath(), StandardCopyOption.REPLACE_EXISTING);
-                return assetFile;
+                return assetFile.toPath();
             }
         });
     }

diff --git a/...lkit-cli/src/main/java/org/apache/nifi/toolkit/cli/impl/command/nifi/params/GetAsset.java b/...lkit-cli/src/main/java/org/apache/nifi/toolkit/cli/impl/command/nifi/params/GetAsset.java
@@ -28,6 +28,7 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Path;
 import java.util.Properties;
 
 public class GetAsset extends AbstractNiFiCommand<VoidResult> {
@@ -55,9 +56,9 @@ public VoidResult doExecute(final NiFiClient client, final Properties properties
         final String paramContextId = getRequiredArg(properties, CommandOption.PARAM_CONTEXT_ID);
         final String assetId = getRequiredArg(properties, CommandOption.ASSET_ID);
         final File outputDir = new File(getRequiredArg(properties, CommandOption.OUTPUT_DIR));
-        final File assetFile = client.getParamContextClient().getAssetContent(paramContextId, assetId, outputDir);
+        final Path assetFile = client.getParamContextClient().getAssetContent(paramContextId, assetId, outputDir);
         if (isInteractive()) {
-            println(assetFile.getAbsolutePath());
+            println(assetFile.toFile().getAbsolutePath());
         }
         return VoidResult.getInstance();
     }