From a8e6b26406485fe4a856cf6f7979a68722987d71 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Fri, 8 Jul 2022 17:07:24 -0400
Subject: [PATCH 1/2] Remove Jinja from yaml files before parsing

---
 salt/common/tools/sbin/so-firewall | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall
index 409a09fd2..10c773b44 100755
--- a/salt/common/tools/sbin/so-firewall
+++ b/salt/common/tools/sbin/so-firewall
@@ -16,6 +16,7 @@
 # along with this program. If not, see .
 
 import os
+import re
 import subprocess
 import sys
 import time
@@ -71,7 +72,14 @@ def checkApplyOption(options):
 
 def loadYaml(filename):
 file = open(filename, "r")
- return yaml.safe_load(file.read())
+ content = file.read()
+
+ # Remove Jinja templating
+ content = content.replace("{{ ssh_port }}", "22")
+ pattern = r'.*({%|{{|}}|%}).*'
+ content = re.sub(pattern, "", content)
+
+ return yaml.safe_load(content)
 
 def writeYaml(filename, content):
 file = open(filename, "w")

From 4f8bb6049b1b269b8649134deea0bf71d0592214 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Fri, 8 Jul 2022 17:30:00 -0400
Subject: [PATCH 2/2] Future proof the jinja check to ensure the script does not silently overwrite jinja templates

---
 salt/common/tools/sbin/so-firewall | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall
index 10c773b44..2a394fdff 100755
--- a/salt/common/tools/sbin/so-firewall
+++ b/salt/common/tools/sbin/so-firewall
@@ -27,6 +27,7 @@ hostgroupsFilename = "/opt/so/saltstack/local/salt/firewall/hostgroups.local.yam
 portgroupsFilename = "/opt/so/saltstack/local/salt/firewall/portgroups.local.yaml"
 defaultPortgroupsFilename = "/opt/so/saltstack/default/salt/firewall/portgroups.yaml"
 supportedProtocols = ['tcp', 'udp']
+readonly = False
 
 def showUsage(options, args):
 print('Usage: {} [OPTIONS] [ARGS...]'.format(sys.argv[0]))
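Review bot: In the loadYaml hunk of patch 1, the pattern `r'.*({%|{{|}}|%}).*'` deletes every line carrying a Jinja delimiter but keeps the lines between a `{% if %}` and its `{% endif %}`, so the parsed structure can include entries the rendered file would omit, and the `{#`/`#}` comment delimiters are not matched at all; the same regex survives into patch 2's loadYaml hunk. The `content.replace("{{ ssh_port }}", "22")` substitution also hard-codes a value that may not match what the template would actually render, so anything decided from that port is a guess. Since the result is a best-effort approximation rather than the rendered YAML, a comment such as `# Best-effort approximation of the rendered file: Jinja lines are dropped, not evaluated` above the substitution would make the limitation explicit to callers. Independently, `file = open(filename, "r")` is never closed; `with open(filename, "r") as file:` would fix that in both loadYaml and writeYaml.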
@@ -71,17 +72,26 @@ def checkApplyOption(options):
 return apply(None, None)
 
 def loadYaml(filename):
+ global readonly
+
 file = open(filename, "r")
 content = file.read()
 
- # Remove Jinja templating
- content = content.replace("{{ ssh_port }}", "22")
- pattern = r'.*({%|{{|}}|%}).*'
- content = re.sub(pattern, "", content)
+ # Remove Jinja templating (for read-only operations)
+ if "{%" in content or "{{" in content:
+ content = content.replace("{{ ssh_port }}", "22")
+ pattern = r'.*({%|{{|}}|%}).*'
+ content = re.sub(pattern, "", content)
+ readonly = True
 
 return yaml.safe_load(content)
 
 def writeYaml(filename, content):
+ global readonly
+
+ if readonly:
+ raise Exception("Cannot write yaml file that has been flagged as read-only")
+
 file = open(filename, "w")
 return yaml.dump(content, file)
 
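Review bot: The `readonly` flag is one process-wide boolean that loadYaml sets and nothing ever clears, so once any templated file has been loaded in a run, writeYaml refuses every file, including a plain local one that parsed without Jinja — if a single invocation reads the templated default portgroups file and then writes one of the local files, the write will raise. Tracking the affected files keeps the protection without that collateral failure: initialise `readonly = set()` where the module global is defined, record `readonly.add(filename)` in loadYaml, and check `if filename in readonly:` in writeYaml (the `global` statements are then unnecessary, since the set is only mutated). The detection test `"{%" in content or "{{" in content` also misses the `{#` comment delimiter, which the regex on the following lines does not strip either, so such content reaches yaml.safe_load untouched. Raising a dedicated exception class rather than bare `Exception` would let callers distinguish this refusal from other failures.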