Merge pull request #8263 from Security-Onion-Solutions/kilo

Remove Jinja from yaml files before parsing
2025-12-06 01:02:46 +01:00 · 2022-07-08 20:32:22 -04:00
parent 2903bdbc7e 4f8bb6049b
commit f28c6d590a
1 changed files with 19 additions and 1 deletions
--- a/salt/common/tools/sbin/so-firewall
+++ b/salt/common/tools/sbin/so-firewall
@@ -16,6 +16,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.

 import os
+import re
 import subprocess
 import sys
 import time
@@ -26,6 +27,7 @@ hostgroupsFilename = "/opt/so/saltstack/local/salt/firewall/hostgroups.local.yam
 portgroupsFilename = "/opt/so/saltstack/local/salt/firewall/portgroups.local.yaml"
 defaultPortgroupsFilename = "/opt/so/saltstack/default/salt/firewall/portgroups.yaml"
 supportedProtocols = ['tcp', 'udp']
+readonly = False

 def showUsage(options, args):
  print('Usage: {} [OPTIONS] <COMMAND> [ARGS...]'.format(sys.argv[0]))
@@ -70,10 +72,26 @@ def checkApplyOption(options):
    return apply(None, None)

 def loadYaml(filename):
+  global readonly
+
  file = open(filename, "r")
-  return yaml.safe_load(file.read())
+  content = file.read()
+
+  # Remove Jinja templating (for read-only operations)
+  if "{%" in content or "{{" in content:
+    content = content.replace("{{ ssh_port }}", "22")
+    pattern = r'.*({%|{{|}}|%}).*'
+    content = re.sub(pattern, "", content)
+    readonly = True
+
+  return yaml.safe_load(content)

 def writeYaml(filename, content):
+  global readonly
+
+  if readonly:
+    raise Exception("Cannot write yaml file that has been flagged as read-only")  
+
  file = open(filename, "w")
  return yaml.dump(content, file)