GeneXus SFTP Module

Unofficial Content

Warning! This module is not recommended for end-user public applications. Do not add this module to your application unless it is strictly necessary.

GeneXus SFTP Module is an independent module that implements the SSH File Transfer Protocol (SFTP, also known as Secure File Transfer Protocol) as defined in the IETF draft specification.

This module is based on the SSH.NET implementation for .NET, with fixes taken from Neon.SSH.NET to overcome Linux-specific problems and bugs, and on JSch for the Java implementation.

Detail

The module is organized in one folder containing the Sftp Client implementation and the SDT SftpOptions for connection configuration.

Requires .NET Framework >= 4.7

Dependencies

GeneXus

  • SecurityAPICommons Module

.Net

Java

Install

You have to install SecurityAPICommons and GeneXusSftp modules using the Manage Module References dialog from the Knowledge Manager option (located in the GeneXus IDE toolbar).  

Availability

GeneXus 16 Upgrade 8

Scope

Java, .Net Framework Web (server-side module)

SFTP in a nutshell

It is the FTP protocol run over SSH as a secure channel, and it also provides mutual authentication capabilities.

Therefore, it provides file access, file transfer, and file management over a reliable data stream provided by SSH.

It provides two authentication methods:

  • With username and password - This method authenticates to the server with a username and password, the same ones used to establish an SSH session.
  • With a known pre-registered private key (recommended) - This method uses the user's private key, whose public half is registered on the server, to establish the SFTP channel. The username must also be supplied in the connection parameters.

Also, the protocol provides a way to use mutual authentication (the client identifies itself to the server and vice versa) by exchanging keys in the early stages of the connection attempt. In this case, the client sends its credentials (username and password, or username and private key), and the server sends the client its host key, whose fingerprint should match an entry in the known_hosts file kept by the client. This way, the client knows it is connecting to a known server and avoids man-in-the-middle attacks.

Security Tips

Do not trust user inputs!!!

This module can expose path manipulation vulnerabilities if it is not used carefully.

  • This module does not sanitize paths or file names. Do not trust user inputs.
  • This module allows you to upload to and download from the server any kind of file. Use a whitelist to filter the allowed file types.
  • This module allows you to upload to and download from the server any directory on which the connecting user has permissions. Restrict operations to a fixed set of allowed paths and file names, and sanitize any input used to build them.
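As an added illustration of the path and file-type checks the tips above ask for (example code, not part of the GeneXus module or of SSH.NET/JSch), the Java class below validates an untrusted sub-directory and file name before they reach the SFTP client. The root directory /srv/sftp/uploads and the extension whitelist are hypothetical values; the returned string is the only path you would hand to the client.

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

// Added example (not part of the GeneXus SFTP module): validate an untrusted
// sub-directory and file name before passing them to the SFTP client.
// The root directory and extension whitelist below are hypothetical values.
public final class SftpPathGuard {
    private static final String ALLOWED_ROOT = "/srv/sftp/uploads";
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("pdf", "csv", "png");
    // One path segment: must start with an alphanumeric character, so ".", ".."
    // and hidden files are rejected; separators and control characters cannot match.
    private static final Pattern SEGMENT = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,63}");

    private SftpPathGuard() {}

    /** Returns the remote path to use, or null when the input must be rejected. */
    public static String resolveOrReject(String userSubdir, String userFileName) {
        if (userSubdir == null || userFileName == null) return null;
        // Absolute paths and backslashes are never acceptable from a user.
        if (userSubdir.startsWith("/") || userSubdir.contains("\\")) return null;

        StringBuilder remote = new StringBuilder(ALLOWED_ROOT);
        if (!userSubdir.isEmpty()) {
            for (String seg : userSubdir.split("/", -1)) {
                if (seg.isEmpty()) return null;              // "a//b" or trailing "/"
                if (!SEGMENT.matcher(seg).matches()) return null;
                remote.append('/').append(seg);
            }
        }

        // File name: same character rules, then an extension whitelist.
        if (!SEGMENT.matcher(userFileName).matches()) return null;
        int dot = userFileName.lastIndexOf('.');
        if (dot < 0 || dot == userFileName.length() - 1) return null;
        String ext = userFileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXTENSIONS.contains(ext)) return null;

        return remote.append('/').append(userFileName).toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one acceptable, two that must be rejected.
        System.out.println(resolveOrReject("2024/jan", "report.pdf"));
        System.out.println(resolveOrReject("../../etc", "passwd"));
        System.out.println(resolveOrReject("docs", "installer.exe"));
    }
}
```

Only a non-null result should be passed to the module's upload or download operations; a null result should be logged and refused rather than "repaired".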

Do not add this module to an application if it is not necessary.

Take security measures at deployment time if external users are not supposed to have access.