From 95e9d5130f7b20677af0fd8b23b8fb2ad0900d5b Mon Sep 17 00:00:00 2001
From: Martin Preisler
Date: Tue, 26 Jun 2018 13:28:20 -0400
Subject: [PATCH] To be on the safe side, force ansible XCCDFs to be interpreted as strings Avoid quotes though because that enables all sorts of escaping rules that we would have to work around.
---
 ssg/build_remediations.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/shared/utils/combine-remediations.py
index ece3765d56..5f61982750 100644
--- a/shared/utils/combine-remediations.py
+++ b/shared/utils/combine-remediations.py
@@ -190,11 +190,15 @@ def expand_xccdf_subs(fix, remediation_type, remediation_functions):
 "substituting directly."
 )
+ # we use the horrid "!!str |-" syntax to force strings without using
+ # quotes. quotes enable yaml escaping rules so we'd have to escape all
+ # the backslashes and at this point we don't know if there are any.
 fix_text = re.sub(
 r"- \(xccdf-var\s+(\S+)\)",
 r"- name: XCCDF Value \1 # promote to variable\n"
 r" set_fact:\n"
- r' \1: "(ansible-populate \1)"\n'
+ r" \1: !!str |-\n"
+ r" (ansible-populate \1)\n"
 r" tags:\n"
 r" - always",
 fix_text
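Review bot: The `!!str |-` block scalar in the new replacement string is delimited by indentation alone, so it is only safe while the value later substituted for `(ansible-populate \1)` is a single line. A value containing a newline would place its continuation at a shallower indent, end the scalar, and leave the remainder to be parsed as playbook YAML. Where that expansion happens is not visible in this hunk, so it is worth confirming that it rejects or re-indents multi-line values, presumably including any supplied through tailoring. I would extend the new comment with something like `# NOTE: the populated value must be single-line; a newline would terminate the block scalar`. The body of expand_xccdf_subs starts before this hunk and the `re.sub` call continues past its last line.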