cmdmod enhancements for Windows #68156
Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey. There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar.
I have a few questions about some of the tests. Also, this needs a changelog. Additionally, please make these changes against the 3006.x branch as these issues also exist there.
A few questions and changes. Thanks for adding a changelog.
Got some pre-commit failures
Missed that one, sorry.
| new_cmd = [path, *args] if args else [path] | ||
| else: | ||
| cmd_path = _cmd_quote(path) | ||
| new_cmd = [path, str(args)] if args else [path] |
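Review bot: In the `else` branch, `cmd_path = _cmd_quote(path)` is assigned but the next line builds `new_cmd` from the unquoted `path`, so within these lines the quoted value is unused; either drop the assignment or make clear where `cmd_path` is consumed. In the same branch, `str(args)` puts the whole argument string into a single list element, so a string holding several arguments reaches the script as one argument; consider splitting it before building the list, or documenting that a list or tuple is the supported way to pass more than one argument.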
This does not look correct. This appears to be taking a str of potentially multiple arguments and passing it as just the first argument.
Also the docstring only states that a str is even supported and not a list/tuple
:param str args: String of command line args to pass to the script. Only
used if no args are specified as part of the `name` argument. To pass a
string containing spaces in YAML, you will need to doubly-quote it.
Thanks. This should be fixed with https://github.com/saltstack/salt/pull/68301/files#diff-700b7d75700c9eafa3ee48d01236e59f37b2ed81d998267136fbcc0224766497R3007 , although passing multiple arguments with a single string might be unreliable, especially on Windows.
Nice. Thanks. I think these improvements are nice. It bothered me since starting to use salt that you could not pass lists like you could with the subprocess module to avoid escaping issues.
| # from the script. Otherwise, it will always return 1 on any non-zero | ||
| # exit code failure. Issue: #60884 | ||
| new_cmd.append(f'"& {cmd.strip()}; exit $LASTEXITCODE"') | ||
| new_cmd.append("-File") |
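Review bot: The comment about exit codes (Issue: #60884) sits directly above both the `exit $LASTEXITCODE` wrapper and `new_cmd.append("-File")`, and it only describes the wrapper. The wrapper interpolates `cmd.strip()` into a string that PowerShell parses, whereas the PR description says arguments after `-File` are not evaluated as commands, so the comment should state which form is in effect, how the script's exit code is returned in the `-File` case, and that expressions inside arguments are no longer evaluated.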
@xsmile Assume C:\temp\test.ps1 with the following content:
[CmdLetBinding()]
Param([SecureString] $SecureString)
$Credential = New-Object System.Net.NetworkCredential("DummyId", $SecureString)
$Credential.Password
As noted in the comments, using -File does not work:
PS C:\src> powershell.exe -File C:\Temp\test.ps1 -SecureString (ConvertTo-SecureString -String "I like cheese" -AsPlainText -Force) -ErrorAction Stop
You must use -Command to evaluate powershell commands in arguments to a script:
PS C:\src> powershell.exe -Command "& { C:\Temp\test.ps1 -SecureString (ConvertTo-SecureString -String 'I like cheese' -AsPlainText -Force) -ErrorAction Stop }"
@twangboy I would argue that by using -Command you are not directly executing a script but running a PowerShell command executing a script. This introduces issues like the need to carefully handle special characters, which is an impossible task since user input is not known in advance. Parameters can be evaluated as code, allowing for code injection without the need to know the script content.
IMHO the proper way to handle SecureString would be to use a dedicated module that takes care of encrypting such parameters and passing them to the final script.
Running PS C:\src> powershell.exe -Command "& { C:\Temp\test.ps1 -SecureString (ConvertTo-SecureString -String 'I like cheese' -AsPlainText -Force) -ErrorAction Stop }" probably defeats the purpose of SecureString since the password will be visible in plain text on the command line and can be logged.
The password is just an example for evaluating powershell code as arguments. This was working before these changes. Now they aren't. If you can run it in a powershell prompt, you should be able to run it with Salt.
What does this PR do?
Change the behavior of the cmdmod execution module.
shell / python_shell
Respect user input for the shell parameter. Same as python_shell, it is disabled by default for all functions except cmd.shell. This prevents unnecessary calls to the shell and possibly unsafe command executions. cmd.run and other similar functions now require shell to be specified explicitly if shell functionality is required.
cmd._run
subprocess.list2cmdline only if required in case the shell is cmd.exe or if impersonating another user and passing the command string to CreateProcess.
-File instead of -Command. This makes it possible to pass arguments as a list and not having to worry about escaping characters. In contrast to the previous behavior with -Command, the arguments are not evaluated as commands. When PowerShell commands are a requirement, cmd.shell or cmd.powershell should be used instead, e.g. Windows: Using inline powershell in args with cmd.script and shell: powershell #56195.
cmd.powershell
What issues does this PR fix or reference?
#56195
#68096
#68118
Merge requirements satisfied?
Commits signed with GPG?
No
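The trade-off between `-Command` and `-File` discussed in the review thread and in the PR description above, as an added example that is not part of the PR or of Salt's code. It models the two ways of building the PowerShell argv; the function names, the `-Name` parameter and the `UNTRUSTED` value are constructed for illustration.

```python
import subprocess

PS = ["powershell.exe", "-NonInteractive", "-NoProfile"]
SCRIPT = r"C:\Temp\test.ps1"
# Constructed input: a value that carries a statement separator.
UNTRUSTED = ["-Name", "x; Write-Output INJECTED"]
# The expression from the thread, which only works if PowerShell evaluates it.
EXPRESSION = ["-SecureString",
              "(ConvertTo-SecureString -String 'I like cheese' -AsPlainText -Force)"]

def argv_command_mode(script, args):
    """Model of the -Command form: everything is joined into one code string."""
    text = " ".join([script, *map(str, args)])
    return [*PS, "-Command", f"& {text}; exit $LASTEXITCODE"]

def argv_file_mode(script, args):
    """Model of the -File form: each argument stays its own argv element."""
    return [*PS, "-File", script, *map(str, args)]

def parsed_as_code(argv):
    """Text PowerShell parses as script, or None when -File is used."""
    if argv[len(PS)] == "-Command":
        return " ".join(argv[len(PS) + 1:])
    return None

def literal_args(argv):
    """Arguments handed to the script as plain strings (-File form only)."""
    if argv[len(PS)] == "-File":
        return argv[len(PS) + 2:]
    return []

def compare(args):
    """Summarise how both forms treat the same argument list."""
    cmd, fil = argv_command_mode(SCRIPT, args), argv_file_mode(SCRIPT, args)
    return {
        "command_code": parsed_as_code(cmd),
        "file_code": parsed_as_code(fil),
        "file_literals": literal_args(fil),
        # Command line Windows would receive for the -File list.
        "file_cmdline": subprocess.list2cmdline(fil),
    }

if __name__ == "__main__":
    for sample in (UNTRUSTED, EXPRESSION):
        for key, value in compare(sample).items():
            print(f"{key:14} {value}")
        print()
```

With `UNTRUSTED`, the `-Command` string contains the separator from the argument value as part of the parsed code, while the `-File` list keeps it inside one quoted element. With `EXPRESSION`, the same literal handling is why the `ConvertTo-SecureString` call from the thread is no longer evaluated.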