RemotePillar raises an exception on bad data

If the master returns a bad pillar data response the pillar client should raise an exception. This changes RemotePillar and AsyncRemotePillar classes to use the same logic for validating pillar data from the master. Fixes CVE-2024-37088 by causing salt-call to fail with a non zero exit code rather than continuing to execute a state when pillar data rendering fails on the master.
2025-04-16 09:40:20 +00:00 · 2024-07-12 15:13:37 -07:00 · 2024-07-12 15:13:37 -07:00 · a504c4cd73
commit a504c4cd73
parent b8a2e80c4d
1 changed files with 11 additions and 16 deletions
--- a/salt/pillar/init.py
+++ b/salt/pillar/init.py
@ -196,6 +196,15 @@ class RemotePillarMixin:
        log.trace("ext_pillar_extra_data = %s", extra_data)
        return extra_data

+    def validate_return(self, data):
+        if not isinstance(data, dict):
+            msg = "Got a bad pillar from master, type {}, expecting dict: {}".format(
+                type(data).__name__, data
+            )
+            log.error(msg)
+            # raise an exception! Pillar isn't empty, we can't sync it!
+            raise SaltClientError(msg)
+

 class AsyncRemotePillar(RemotePillarMixin):
    """
@ -275,14 +284,7 @@ class AsyncRemotePillar(RemotePillarMixin):
        except Exception:  # pylint: disable=broad-except
            log.exception("Exception getting pillar:")
            raise SaltClientError("Exception getting pillar.")
-
-        if not isinstance(ret_pillar, dict):
-            msg = "Got a bad pillar from master, type {}, expecting dict: {}".format(
-                type(ret_pillar).__name__, ret_pillar
-            )
-            log.error(msg)
-            # raise an exception! Pillar isn't empty, we can't sync it!
-            raise SaltClientError(msg)
+        self.validate_return(ret_pillar)
        raise salt.ext.tornado.gen.Return(ret_pillar)

    def destroy(self):
@ -373,14 +375,7 @@ class RemotePillar(RemotePillarMixin):
        except Exception:  # pylint: disable=broad-except
            log.exception("Exception getting pillar:")
            raise SaltClientError("Exception getting pillar.")
-
-        if not isinstance(ret_pillar, dict):
-            log.error(
-                "Got a bad pillar from master, type %s, expecting dict: %s",
-                type(ret_pillar).__name__,
-                ret_pillar,
-            )
-            return {}
+        self.validate_return(ret_pillar)
        return ret_pillar

    def destroy(self):