Is this a critical security issue?
Describe the Bug
This is the same issue as in the (old) Puppetlabs server:
puppetlabs/puppet#9483
Basically, our moderately complex node definition regexes fail with current openvox-server, for example:
node /^(db01)\.(?!hosts).*$/ {
The match fails in a way that simply causes the node not to be found.
A patch exists; see below.
Expected Behavior
The node should be found.
Steps to Reproduce
Use a complex regex to match node names, possibly with negative lookaheads.
Environment
Version openvox-server8-8.12.1_1, openvox-agent8-8.25.0
Platform FreeBSD 15
NOTE: While the file in question is from the agent, the problem only manifests and only needs to be patched on the server instance.
NOTE 2: An issue since puppetserver 8.x and in all versions of openvox-server/agent.
Additional Context
The following patch reverses the original commit which caused the issue:
--- /usr/local/lib/ruby/site_ruby/3.4/puppet/resource/type.rb.orig 2026-02-17 06:59:38.000000000 +0000
+++ /usr/local/lib/ruby/site_ruby/3.4/puppet/resource/type.rb 2026-05-29 11:30:54.123728000 +0000
@@ -32,16 +32,6 @@
NODES = 'nodes'
DOUBLE_COLON = '::'
EMPTY_ARRAY = [].freeze
-
- LOOKAROUND_OPERATORS = {
- "(" => 'LP',
- "?" => "QU",
- "<" => "LT",
- ">" => "GT",
- "!" => "EX",
- "=" => "EQ",
- ")" => 'RP'
- }.freeze
attr_accessor :file, :line, :doc, :code, :parent, :resource_type_collection, :override
attr_reader :namespace, :arguments, :behaves_like, :module_name
@@ -206,11 +196,7 @@
def name
if type == :node && name_is_regex?
- # Normalize lookarround regex patthern
- internal_name = @name.source.downcase.gsub(/\(\?[^)]*\)/) do |str|
- str.gsub(/./) { |ch| LOOKAROUND_OPERATORS[ch] || ch }
- end
- "__node_regexp__#{internal_name.gsub(/[^-\w:.]/, '').sub(/^\.+/, '')}"
+ "__node_regexp__#{@name.source.downcase.gsub(/[^-\w:.]/, '').sub(/^\.+/, '')}"
else
@name
endRelevant log output
Is this a critical security issue?
Describe the Bug
This is the same issue as in the (old) Puppetlabs server:
puppetlabs/puppet#9483
Basically, our moderately complex node definition regexes fail with current openvox-server, for example:
node /^(db01)\.(?!hosts).*$/ {The match fails in a way that simply causes the node not to be found.
A patch exists; see below.
Expected Behavior
The node should be found.
Steps to Reproduce
Use a complex regex to match node names, possibly with negative lookaheads.
Environment
Version openvox-server8-8.12.1_1, openvox-agent8-8.25.0
Platform FreeBSD 15
NOTE: While the file in question is from the agent, the problem only manifests and only needs to be patched on the server instance.
NOTE 2: An issue since puppetserver 8.x and in all versions of openvox-server/agent.
Additional Context
The following patch reverses the original commit which caused the issue:
Relevant log output