apache · mattyb149 · Apr 15, 2025
diff --git a/...ovyx-processors/src/main/java/org/apache/nifi/processors/groovyx/ExecuteGroovyScript.java b/...ovyx-processors/src/main/java/org/apache/nifi/processors/groovyx/ExecuteGroovyScript.java
@@ -85,10 +85,12 @@
         expressionLanguageScope = ExpressionLanguageScope.FLOWFILE_ATTRIBUTES,
         description = "Updates a script engine property specified by the Dynamic Property's key with the value specified by the Dynamic Property's value. "
                 + "Use `CTL.` to access any controller services, `SQL.` to access any DBCPServices, `RecordReader.` to access RecordReaderFactory instances, or "
-                + "`RecordWriter.` to access any RecordSetWriterFactory instances.")
+                + "`RecordWriter.` to access any RecordSetWriterFactory instances. Use `SENSITIVE.` to mark the property as sensitive.")
 public class ExecuteGroovyScript extends AbstractProcessor {
     public static final String GROOVY_CLASSPATH = "${groovy.classes.path}";
 
+    protected static final String SENSITIVE_PROPERTY_PREFIX = "SENSITIVE.";
+
     private static final String PRELOADS = "import org.apache.nifi.components.*;" + "import org.apache.nifi.flowfile.FlowFile;" + "import org.apache.nifi.processor.*;"
             + "import org.apache.nifi.processor.FlowFileFilter.FlowFileFilterResult;" + "import org.apache.nifi.processor.exception.*;" + "import org.apache.nifi.processor.io.*;"
             + "import org.apache.nifi.processor.util.*;" + "import org.apache.nifi.processors.script.*;" + "import org.apache.nifi.logging.ComponentLog;";
@@ -542,13 +544,19 @@ protected PropertyDescriptor getSupportedDynamicPropertyDescriptor(final String
                     .identifiesControllerService(RecordSetWriterFactory.class)
                     .build();
         }
-        return new PropertyDescriptor.Builder()
+
+        final PropertyDescriptor.Builder builder = new PropertyDescriptor.Builder()
                 .name(propertyDescriptorName)
                 .required(false)
                 .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
                 .expressionLanguageSupported(ExpressionLanguageScope.ENVIRONMENT)
-                .dynamic(true)
-                .build();
+                .dynamic(true);
+
+        if (propertyDescriptorName.startsWith(SENSITIVE_PROPERTY_PREFIX)) {
+            builder.sensitive(true);
+        }
+
+        return builder.build();
     }
 
     /** simple HashMap with exception on access of non-existent key */

diff --git a/...-processors/src/test/java/org/apache/nifi/processors/groovyx/ExecuteGroovyScriptTest.java b/...-processors/src/test/java/org/apache/nifi/processors/groovyx/ExecuteGroovyScriptTest.java
@@ -40,7 +40,6 @@
 import org.junit.jupiter.api.condition.DisabledOnOs;
 import org.junit.jupiter.api.condition.OS;
 import org.junit.jupiter.api.io.TempDir;
-
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileInputStream;
@@ -555,6 +554,15 @@ public void test_attribute_passed_to_SQL() {
         assertEquals("testDB", ((DBCPServiceSimpleImpl) dbcp).getDatabaseName());
     }
 
+    @Test
+    public void test_sensitive_dynamic_property() throws Exception {
+        runner.setProperty("SENSITIVE.password", "MyP@ssW0rd!");
+        runner.setProperty(ExecuteGroovyScript.SCRIPT_BODY,
+                "assert context.getProperties().find {k,v -> k.name == 'SENSITIVE.password'}.key.sensitive");
+        runner.assertValid();
+        runner.run();
+    }
+
 
     private HashMap<String, String> map(String key, String value) {
         HashMap<String, String> attrs = new HashMap<>();