Skip to content

ENT-3417: Added allow_non_convergent to pattern_matching promise in edit_line#6025

Open
victormlg wants to merge 2 commits intocfengine:masterfrom
victormlg:replace_pattern
Open

ENT-3417: Added allow_non_convergent to pattern_matching promise in edit_line#6025
victormlg wants to merge 2 commits intocfengine:masterfrom
victormlg:replace_pattern

Conversation

@victormlg
Copy link
Contributor

@victormlg victormlg commented Jan 26, 2026
edited
Loading

Added a new attribute allow_non_convergent in replace_pattern promise to allow for idempotent non-convergent regex.

bundle agent __main__
{
  files:
      "/tmp/example.txt"
        content => "bash PORT=23 echo";

      "/tmp/example.txt"
        edit_line => regex_replace( "PORT=[0-9]+", "PORT=22" );

}
# From the stdlib:
bundle edit_line regex_replace(find,replace)
# @brief Find exactly a regular expression and replace exactly the match with a string.
# You can think of this like a PCRE powered sed.
# @param find The regular expression
# @param replace The replacement string
{
  replace_patterns:

      "$(find)"
        replace_with => value("$(replace)"),
        comment => "Search and replace string",
        allow_non_convergent => "true";
}

body replace_with value(x)
# @brief Replace matching lines
# @param x The replacement string
{
        replace_value => "$(x)";
        occurrences => "all";
}

I am a bit ensure on the implementation, but the idea is that we don't want to allow destructive non-convergent regex, such as:

bundle agent __main__
{
  files:
      "/tmp/example.txt"
        content => "PORT=23";

      "/tmp/example.txt"
        edit_line => regex_replace( "PORT=[0-9]+", "PORT=22 #Some comment" );

}

This will replace and rematch the same line indefinitely:
PORT=22 #Some comment #Some comment #Some comment [...]

So the idea was to let cfengine match and expand the pattern N times (as before), then we match and expand one more time (N+1), and if the total length of the line is greater, this means that the non-convergent regex is destructive and thus we need to error.

@victormlg victormlg requested a review from larsewi January 26, 2026 17:49
@victormlg victormlg changed the title ENT-3417: Added use_non_convergent to pattern_matching promise in edit_line ENT-3417: Added allow_non_convergent to pattern_matching promise in edit_line Jan 27, 2026
larsewi
larsewi reviewed Jan 29, 2026
View reviewed changes
Copy link
Contributor

@larsewi larsewi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add an acceptance test :)

@larsewi larsewi requested a review from nickanderson January 29, 2026 11:46
@larsewi
Copy link
Contributor

larsewi commented Jan 29, 2026

@nickanderson can you address the questions @victormlg posted in the PR description?

@victormlg victormlg requested a review from larsewi February 2, 2026 12:23
larsewi
larsewi reviewed Feb 4, 2026
View reviewed changes
cf-agent/files_editline.c Outdated
Comment on lines 1337 to 1338
strlcpy(line_buff_cp, line_buff, sizeof(line_buff_cp));
strlcpy(after, line_buff_cp + end_off, sizeof(after));
Copy link
Contributor

@larsewi larsewi Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please check for truncation

Copy link
Contributor

@larsewi larsewi Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not resolved

tests/acceptance/10_files/replace_patterns/allow_non_convergent.cf

######################################################

bundle agent test
Copy link
Contributor

@larsewi larsewi Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since you are including default.cf.sub you can add the meta data with ticket number and description

@nickanderson
Copy link
Member

nickanderson commented Feb 4, 2026
edited
Loading

@larsewi

@nickanderson can you address the questions @victormlg posted in the PR description?

Sorry, I had responded to @victormlg directly via slack.

I don't love the name use_non_convergent. Maybe allow_non_convergent? Semantically it's something we are allowing not a thing we are using.

I am unsure about the non-descructive thing.

Maybe it should be boxed in more specifically ... the use case is for the pattern similar to:

sed -i 's/PORT=.*/PORT=22/'

Basically, I don't know what is there now, but it should be PORT=22

@victormlg
Added allow_non_convergent to pattern_matching promise in edit_line
12b5eba 
Ticket: ENT-3417
Signed-off-by: Victor Moene <victor.moene@northern.tech>
@victormlg victormlg force-pushed the replace_pattern branch 2 times, most recently from 2bb8035 to 56aac28 Compare February 9, 2026 09:59
@victormlg victormlg requested a review from larsewi February 9, 2026 14:29
larsewi
larsewi requested changes Feb 10, 2026
View reviewed changes
cf-agent/files_editline.c Outdated
Comment on lines 1337 to 1338
strlcpy(line_buff_cp, line_buff, sizeof(line_buff_cp));
strlcpy(after, line_buff_cp + end_off, sizeof(after));
Copy link
Contributor

@larsewi larsewi Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not resolved

@victormlg
Added acceptance test for allow_non_convergent option in replace_pattern
b48e42a 
Signed-off-by: Victor Moene <victor.moene@northern.tech>
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 13, 2026
View reviewed changes
cf-agent/files_editline.c
{
int needed;
// Save portion of line after substitution:
needed = strlcpy(after, line_buff + end_off, sizeof(after));

Check failure

Code scanning / CodeQL

Suspicious 'sizeof' use High

This evaluates to the size of the pointer type, which may not be what you want.
cf-agent/files_editline.c
int needed;
// Save portion of line after substitution:
needed = strlcpy(after, line_buff + end_off, sizeof(after));
if (needed >= sizeof(after))

Check failure

Code scanning / CodeQL

Suspicious 'sizeof' use High

This evaluates to the size of the pointer type, which may not be what you want.
cf-agent/files_editline.c
{
return false;
}
needed = snprintf(line_buff + start_off, sizeof(line_buff) - start_off,

Check failure

Code scanning / CodeQL

Suspicious 'sizeof' use High

This evaluates to the size of the pointer type, which may not be what you want.
cf-agent/files_editline.c
}
needed = snprintf(line_buff + start_off, sizeof(line_buff) - start_off,
"%s%s", BufferData(replace), after);
if (needed < 0 || (size_t) needed >= (sizeof(line_buff) - start_off))

Check failure

Code scanning / CodeQL

Suspicious 'sizeof' use High

This evaluates to the size of the pointer type, which may not be what you want.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@larsewi larsewi larsewi requested changes

@nickanderson nickanderson Awaiting requested review from nickanderson

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@victormlg @larsewi @nickanderson