[BUG] win_lgpo does not account for spaces in XMLNS URLs #66992
Comments
|
Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey.
There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar. |
|
Just in case: Also happens on Server 2025, with Salt 3006.7. |
|
The patched module per @willchenmark didn't correct the problem during testing - returned output is the same. |
|
@bharrison-it did you make the change on the minion or the master? Re-reading my issue, I failed to clarify that I made the change on the minion side. |
|
@willchenmark specifically I copied win_lgpo.py from /opt/saltstack/salt/lib/python3.10/site-packages/salt/modules (debian location) to /srv/salt/_modules, patched per the comment then synced the modules back to the minion with saltutil.sync_modules. I confirmed the minion is indeed running the patched module, indicated by the execution path under 'extmods', but the same error occurs during the state run as with the vanilla win_lgpo mod.
I did also confirm the copy of win_lgpo.py under extmods on the minion does contain the patched code. Not sure what's going on as your function appears sound to me. |
|
@willchenmark My issue was pushing the patched win_lgpo.py to the minion and calling it without having removed the incorrectly parsed adml files from minion cache first. For any minions which have run the un-patched module, saltutil.clear_cache (or, i assume, manual deletion of the affected adml file) can be utilized to clear the previously cached contents of the lgpo policy_defs folder and old, incorrectly parsed adml files. A subsequent run of saltutil.sync_all resynced the patched win_lgpo module, and finally and a state call to lgpo.set prompted the patched win_lgpo module to parse the adml files and completed substitution as expected. State calls to lgpo.set now work as expected. |
|
@willchenmark Would you be able to make a PR for this? |
|
An xmlns must be a URI and spaces are not valid in URIs (https://www.rfc-editor.org/rfc/rfc3986?form=MG0AV3) so lxml is correctly failing to parse that document. The correct solution is to correct the invalid adml document (https://github.com/microsoft/mdatp-devicecontrol/blob/main/windows/WindowsDefender.adml) with a pull request to change the space to a %20 |
|
While I agree that lxml is correctly failing to parse, and that the change should be made upstream (and I see you've already reported the issue, thank you), we should still include this patch to the lgpo module. It is not the only place where we are massaging the content of Microsoft's policy documents. https://github.com/saltstack/salt/blob/master/salt/modules/win_lgpo.py#L5028-L5061 Escaping the string is a small additional check that aligns with that existing functionality, and it allows win.lgpo to actually apply the GPO policy affected by what is an obvious error. Otherwise we are at the whim of Microsoft to correct their mistake, and any version of Windows that uses the invalid policy document will fail to correctly apply GPOs through Salt. When Microsoft corrects the issue the function could be patched out if so desired, but leaving it would prevent similar issues from arising in the future. |
Description
The win_lgpo module used does not currently attempt to escape spaces found in xmlns definitions.
Setup
Steps to Reproduce the behavior
On a fresh Windows 11 24H2 system, attempt to apply any GPO that references the WindowsDefender-D0DE2C.adml definition, such as this user policy.
The result will be an invalid URI error from lxml.
That invalid URI error is caused by this adml file in the policy_defs cache:
C:\ProgramData\Salt Project\Salt\var\cache\salt\minion\lgpo\policy_defs\WindowsDefender-D0DE2C.adml
Specifically the
Policysecurity intelligenceon the first line.https://github.com/microsoft/mdatp-devicecontrol/blob/main/windows/WindowsDefender.adml#L1
Expected behavior
The state should apply correctly, this would be the expected output.
More specifically any spaces that appear in xmlns urls should be escaped with '%20'. Such that
<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/Policysecurity intelligence">becomes
<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/Policysecurity%20intelligence">Versions Report
salt --versions-report
This is from the minion, as the issue is specific to the Windows salt-minion.
Additional context
This might not be the best way to handle this, but I was able to correct the error by adding an additional function to modules/win_lgpo.py to escape those spaces, and then added it to the for line iterator in _parse_xml.
The text was updated successfully, but these errors were encountered: