Referencing jinja path in parent directory with tpldir and ".." gives: "relative paths are prohibited"

[mkotsbak]

Description of Issue/Question

Referencing parent directory of sls file not working.

Setup

(Please provide relevant configs and/or SLS files (Be sure to remove sensitive info).)
This like on top of a sls file:

{%- from tpldir + "/../map.jinja" import postgres with context -%}

Steps to Reproduce Issue

(Include debug logs if possible and relevant.)

Run state.highstate. Then observe these log lines:

[WARNING ] Discarded template path 'formula/postgres/server/../map.jinja', relative paths are prohibited
[ERROR ] Rendering exception occurred: Jinja error: formula/postgres/server/../map.jinja

The path specified is correct from salt root directory.

Versions Report

(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)

Salt Version:
Salt: 2017.7.5

Dependency Versions:
cffi: 1.6.0
cherrypy: Not Installed
dateutil: 1.5
docker-py: Not Installed
gitdb: Not Installed
gitpython: Not Installed
ioflo: Not Installed
Jinja2: 2.7.2
libgit2: Not Installed
libnacl: Not Installed
M2Crypto: Not Installed
Mako: Not Installed
msgpack-pure: Not Installed
msgpack-python: 0.5.1
mysql-python: Not Installed
pycparser: 2.14
pycrypto: 2.6.1
pycryptodome: Not Installed
pygit2: Not Installed
Python: 2.7.5 (default, Aug 4 2017, 00:39:18)
python-gnupg: Not Installed
PyYAML: 3.11
PyZMQ: 15.3.0
RAET: Not Installed
smmap: Not Installed
timelib: Not Installed
Tornado: 4.2.1
ZMQ: 4.1.4

System Versions:
dist: centos 7.4.1708 Core
locale: UTF-8
machine: x86_64
release: 3.10.0-693.21.1.el7.x86_64
system: Linux
version: CentOS Linux 7.4.1708 Core

[gtmanfred]

This is by design

salt/salt/utils/jinja.py

Line 104 in e1e2bd3

'Discarded template path \'%s\', relative paths are '

to prevent people from being able to break out of the salt fileserver, and get to stuff on the salt master they shouldn't have access too.

If you want to go up a directory, get the dirname of the tpldir.

{{ from salt.file.dirname(tpldir) ~ 'map.jinja' import postgres with context }}

Daniel

[mkotsbak]

Ah thanks for the workaround, but this should be added to the documentation, Also ":." could be supported by proper check of the path if it is safe.

Btw, correct workaround is:

{{ from salt.file.dirname(tpldir) ~ '/map.jinja' import postgres with context }}

[gtmanfred]

We would be open if a pull request was submitted, but it would not be near the top of the list of stuff we are working on right now.

Daniel

[mkotsbak]

Ok, as long as there is a workaround it is a minor issue compared to #41195 preventing creating portable formulas.

[steverweber]

{%- from salt.file.normpath(tpldir + '/../vars.jinja') import parent_vars %}