OrganizationalSetting ValueData for V-220922 (WindowsClient-10-2.5) does not respect newlines

Open demianmnave-pti opened this issue 2 years ago • 1 comments

Describe the bug

PR #1125 introduces support for setting the LegalNoticeText registry entry (V-220921) with an organization default. However, delineating line breaks in the ValueData string with file-level newlines (LF or CRLF), escaped newlines (backslash-n), or PowerShell newline sequences (backtick-n) does not result in a properly formatted string in the MOF, leading to incorrect formatting when displayed at logon.

On the other hand, overriding V-220921 by exception and using file-level newlines (LF) or the PowerShell newline sequence (backtick-n) to delineate line breaks in the ValueData string produces the expected MOF output with line breaks represented by escaped newlines (backslash-n). This properly retains the line break formatting when displayed at logon.

To Reproduce

  • Install PowerStig 4.15
  • Copy WindowsClient-10-2.5.org.default.xml as WindowsClient.values.xml and set the organizational ValueData for V-220921 to any string having line breaks delineated by file-level newlines (LF or CRLF), backslash-n, or backtick-n
  • Create a DSC configuration that contains a WindowsClient block for OsVersion='10', StigVersion='2.5', and OrgSettings set to the path of the edited WindowsClient.values.xml
  • Execute the configuration to produce an MOF with incorrect line breaks in the LegalNoticeText ValueData string.

Expected behavior

The registry string for LegalNoticeText in the resulting MOF should have line breaks delineated by backslash-n.

Examples

  • Using file-level newlines (LF or CRLF) results in a string delineated by one or more spaces rather than by backslash-n.
  • With backtick-n as the line break delineation; e.g. "This is a line using`nbacktick-n for line breaks.":
    ValueData = {
         " This is a line using`nbacktick-n for line breaks.
    };
    
  • With backslash-n as the line break delineation; e.g. "This is a line using\nbackslash-n for line breaks."
    ValueData = {
         " This is a line using\\nbackslash-n for line breaks.
    };
    

Additional context

  • The workaround is to use an Exception entry for V-220921 with backtick-n for line breaks, which is how I've worked around the lack of an OrganizationalSetting for LegalNoticeText for prior versions of PowerStig. File-level line breaks (LF) within the ValueData string also work.
  • Resulting MSFT_RegistryResource instance with backtick-n for line breaks, and with some identifying values redacted:
    instance of MSFT_RegistryResource as $MSFT_RegistryResource12ref
    {
    ResourceID = "[Registry][V-220921][medium][SRG-OS-000023-GPOS-00006]::[WindowsClient]Baseline";
     ValueName = "LegalNoticeText";
     Key = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System";
     Ensure = "Present";
     Force = True;
     SourceInfo = "C:\\ ... \\DSCResources\\Resources\\windows.Registry.ps1::71::17::Registry";
     ValueType = "String";
     ModuleName = "PSDscResources";
     ValueData = {
        " You are accessing a U.S. Government (USG) Information System (IS). Use of this`nUSG IS constitutes: ..."
    };
     ModuleVersion = "2.12.0.0";
    
     ConfigurationName = "Windows10-Standalone-Baseline";
    };
    
  • Resulting MSFT_RegistryResource instance with backslash-n for line breaks, and with some identifying values redacted:
    instance of MSFT_RegistryResource as $MSFT_RegistryResource12ref
    {
    ResourceID = "[Registry][V-220921][medium][SRG-OS-000023-GPOS-00006]::[WindowsClient]Baseline";
     ValueName = "LegalNoticeText";
     Key = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System";
     Ensure = "Present";
     Force = True;
     SourceInfo = "C:\\ ... \\DSCResources\\Resources\\windows.Registry.ps1::71::17::Registry";
     ValueType = "String";
     ModuleName = "PSDscResources";
     ValueData = {
        " You are accessing a U.S. Government (USG) Information System (IS). Use of this\\nUSG IS constitutes: ..."
    };
     ModuleVersion = "2.12.0.0";
    
     ConfigurationName = "Windows10-Standalone-Baseline";
    };
    
  • Resulting MSFT_RegistryResource instance with either LF or CRLF for line breaks, and with some identifying values redacted:
    instance of MSFT_RegistryResource as $MSFT_RegistryResource12ref
    {
    ResourceID = "[Registry][V-220921][medium][SRG-OS-000023-GPOS-00006]::[WindowsClient]Baseline";
     ValueName = "LegalNoticeText";
     Key = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System";
     Ensure = "Present";
     Force = True;
     SourceInfo = "C:\\ ... \\DSCResources\\Resources\\windows.Registry.ps1::71::17::Registry";
     ValueType = "String";
     ModuleName = "PSDscResources";
     ValueData = {
        " You are accessing a U.S. Government (USG) Information System (IS). Use of this  USG IS constitutes: ..."
    };
     ModuleVersion = "2.12.0.0";
    
     ConfigurationName = "Windows10-Standalone-Baseline";
    };
    
  • Resulting MSFT_RegistryResource instance using the Exception entry and file line breaks (LF) or backtick-n for line breaks, and with some identifying values redacted:
    instance of MSFT_RegistryResource as $MSFT_RegistryResource12ref
    {
    ResourceID = "[Registry][V-220921][medium][SRG-OS-000023-GPOS-00006]::[WindowsClient]Baseline";
     ValueName = "LegalNoticeText";
     Key = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System";
     Ensure = "Present";
     Force = True;
     SourceInfo = "C:\\ ... \\DSCResources\\Resources\\windows.Registry.ps1::71::17::Registry";
     ValueType = "String";
     ModuleName = "PSDscResources";
     ValueData = {
        " You are accessing a U.S. Government (USG) Information System (IS). Use of this\nUSG IS constitutes: ..."
    };
     ModuleVersion = "2.12.0.0";
    
     ConfigurationName = "Windows10-Standalone-Baseline";
    };
    

demianmnave-pti • Feb 02 '23 04:02

I discovered that encoding CRLF as XML character entities (&#xD;&#xA;) produces the desired result in the MOF. For example:

  <OrganizationalSetting id="V-220921" ValueData="This is the first line&#xD;&#xA;This is the second line" />

Results in:

ValueData = {
    "This is the first line\nThis is the second line"
};

I would say that this makes my original issue description inaccurate, and so I could reword it to request support for the simpler "\n" newline syntax as an alternative to the XML character entities.

If this is more desirable than just closing the issue, please let me know.

@erjenkin

demianmnave-pti • Feb 06 '23 22:02
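The results reported in this thread are consistent with XML 1.0 attribute-value normalization: a literal newline inside an attribute is delivered as a space, backslash-n and backtick-n are ordinary characters to the parser, and only character references survive as real line breaks. The following is an added example, not code from the PowerStig project or from the issue author; it uses Python's standard-library parser to show that behaviour on a constructed settings file, flags the three non-working spellings, and builds the entity-encoded attribute. The element ids, the root element and the helper names are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample: ids and banner text are placeholders, not PowerStig data.
SAMPLE = r'''<OrganizationalSettings>
  <OrganizationalSetting id="literal-lf" ValueData="First line
Second line" />
  <OrganizationalSetting id="backslash-n" ValueData="First line\nSecond line" />
  <OrganizationalSetting id="backtick-n" ValueData="First line`nSecond line" />
  <OrganizationalSetting id="char-ref" ValueData="First line&#xD;&#xA;Second line" />
</OrganizationalSettings>'''

# Raw-text check for a ValueData attribute that spans physical lines in the file.
# Assumes id precedes ValueData, as in the example shown in this thread.
RAW_BREAK = re.compile(
    r'<OrganizationalSetting\b[^>]*?\bid="([^"]*)"[^>]*?ValueData="[^"\r\n]*[\r\n]')

def parsed_values(xml_text):
    """Return {id: ValueData} exactly as the XML parser hands them to a consumer."""
    root = ET.fromstring(xml_text)
    return {s.get("id"): s.get("ValueData")
            for s in root.iter("OrganizationalSetting")}

def lint(xml_text):
    """Flag settings whose intended line breaks will not reach the consumer."""
    findings = {sid: "file-level newline is normalized to a space"
                for sid in RAW_BREAK.findall(xml_text)}
    for sid, value in parsed_values(xml_text).items():
        if "\n" in value or "\r" in value:
            continue  # a real line break survived parsing
        if "\\n" in value:
            findings[sid] = "literal backslash-n, not a line break"
        elif "`n" in value:
            findings[sid] = "literal backtick-n, not a line break"
    return findings

def encode_value_data(text):
    """Build a ValueData attribute with CRLF written as character references."""
    crlf = "\r\n".join(text.splitlines())
    entities = {'"': "&quot;", "\r": "&#xD;", "\n": "&#xA;"}
    return 'ValueData="%s"' % escape(crlf, entities)

if __name__ == "__main__":
    for sid, value in parsed_values(SAMPLE).items():
        print(sid, repr(value))
    print(lint(SAMPLE))
    print(encode_value_data("First line\nSecond line"))
```
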

@erjenkin Using XML entities works fine, so this issue is resolved as far as I am concerned.

demianmnave-pti • Jun 17 '24 15:06