SOPS displacing comments and causing YAML-breaking invalid syntax error and data loss #1068
Comments
|
Adding to this issue, it can break a YAML file, by producing an invalid syntax. To reproduce, use this starting file this:
is:
an: example
# comment
someArray: []Again, run this:
is:
an: ENC[AES256_GCM,data:BVubel9Etw==,iv:eSU4vD0Gl+ArqJYXz601lTYCcpuXGfdMj5ViU2jGOaE=,tag:Du0JCAnjc+pGYBRBqpIg+w==,type:str]
someArray:
# comment
[]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1atpv5v2yrfuxxpe2gpddfq2n5g7vck89eg8fjqytrjrxy7plqfcs7l7788
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUDRtTjRCaktvbnhFQVpq
ZGRyVm9rL2YrOUNYdnExOXVlQWhiczhZOVNvClFBVTZyWjh4ck53aE55cC9pZThv
NExTS3BpZFdpWG9tMFZOeUZ3dFNtYncKLS0tIFRBTmYwNzd3dXZGN3pOYlBraS9y
aklTbVpZNm54MjNVaXQ5bTRCQURkWU0KkoNrtSRxjGBjCGjAR8HRZqRH8tAZ432B
HP7spoDOqtsRUuZPhBqQpvV+mP50z9ztNqrw5f8MDIirXsiw1qvYyg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-05-31T16:21:18Z"
mac: ENC[AES256_GCM,data:BBYePXfdlh6EwLdvft7OncjUWpE2WrLdhtaKNONPZymdv7q23QEGJJxG3ktE02PcdS2aDsflwM3wSkPq5PPQSQXVZbtIMutKCdrKZGerEPUSF6KXy00CqiLn12kbO31JIisw5K+JvmhQ0vxopPAn0o4w0hABvy9Pt/ZKFt8pjkU=,iv:n+hzjCnrxQL986BmrTbToS3dWiWKPK8uRxdN+Dqc8xA=,tag:CGKCtco5LiZyhAbInkBaAQ==,type:str]
pgp: []
encrypted_regex: an
version: 3.7.3As you can see, |
lucabello
changed the title
|
Thanks for this report! I can confirm that this happens with the latest version. |
|
Interestingly I cannot reproduce this when removing the empty line after the comment... Then in both cases it works fine. But if there is an empty line after the comment, the error happens. |
|
#1069 should fix this issue. There is the other problem that if there is no newline, that the comment will be parsed as a foot comment for the innermost map entry ( |
|
I also noticed it can displace multiple comments into the sops metadata, as long as they are in consecutive lines after the But anyway, thanks for addressing it quickly! Hope it gets reviewed and merged soon :) |
|
Just wanted to add to this issue, as i think it might be the same problem. There is a helm chart values.yaml file for the kube-prometheus-stack located at https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/values.yaml that also causes invalid syntax when you try to encrypt and decrypt the file. It also seems like the output of the encryption removes all blank lines that might have been present in the original file. In addition, some of the indention is also getting changed. For example the first entry, "defaultRules:" |
|
@BlackBsd indeed, there are more such bugs. A minimal reproducer for the issue you reported is a:
b:
c:
d: ""
# e
# f
g: {}
These are both normal and to be expected. Sops should produce semantically equivalent YAML files (including comments), not the original YAML file back. |
|
Meh. Now I tried to spend quite some time to figure out why this is still not fixed, only to realize that the fix merged (#1069) works fine, but hasn't been released yet. So well, this is already fixed on the develop branch since beginning of June... |
|
That is awesome, thank you. When do you foresee this making it into a new release? |
|
I wish I would know... @ajvb do you have any indication when a new (bugfix) release will happen? |
|
any update on this? |
|
There has not been a new release, so: no. Unfortunately not. :( |
|
This will be included in the upcoming release. |
|
In version 3.8.1 It is still displacing comments in YAML |
Hello everyone; I found a bug in the SOPS encryption, which you can replicate yourself.
Unencrypted file
test.yaml:I use age encryption, so I set up the SOPS_AGE_RECIPIENTS and SOPS_AGE_KEY_FILE variables, and then run
sops --encrypt --encrypted-regex an test.yaml, obtaining this:As you can see, the
# commentline is moved inside the sops metadata; whenever that file is decrypted, the comment will be gone (hence the data loss I mention in the title).The reason why this is important is because my team is using some comment "tags" to mark code blocks, and the last tag disappears after encrypting-and-decrypting a file.
I did some extra testing to try to understand when this was happening, and I gathered some conclusions: it only happens if the indentation is at least the one in my example file (so at least 3) and the if the comment is "less indented" than the last line.
Sorry if this is a known issue and I missed it! :)
The text was updated successfully, but these errors were encountered: