Page MenuHomeVyOS Platform
Create Task
Maniphest T7605

Vyconfd cannot parse quoted strings with escaped characters
Closed, ResolvedPublic
Actions

Description

I found that my vyconfd.service kept crashing with the following error:

Fatal error: exception Failure("lexing: empty token")

I tried to find which config entry in my config.boot caused it and narrowed it down by running:

vyos@vyos# OCAMLRUNPARAM=b /usr/libexec/vyos/vyconf/vyconfd --no-daemon --legacy-config-path
Fatal error: exception Failure("lexing: empty token")
Raised by primitive operation at Stdlib__Lexing.engine in file "lexing.ml", line 65, characters 15-37
Called from Vyos1x__Vyos1x_lexer.__ocaml_lex_read_double_quoted_string_rec in file "src/vyos1x_lexer.ml", line 240, characters 8-65
Called from Vyos1x__Vyos1x_lexer.token in file "src/vyos1x_lexer.ml" (inlined), line 171, characters 3-48
Called from Vyos1x__Parser.parse in file "src/parser.ml", line 9, characters 34-74
Called from Vyos1x__Config_file.load_config in file "src/config_file.ml", line 19, characters 21-41
Called from Vyconfd_config__Startup.load_config_failsafe in file "src/startup.ml", line 83, characters 14-49
Called from Dune__exe__Vyconfd in file "src/vyconfd.ml", line 385, characters 6-65

I could then find it was in a double quoted string, and found the culprit. In one of my OpenVPN configs I have:

set interfaces openvpn vtun3 openvpn-option '--static-challenge Enter\ TOTP\ Code 1'

this resulted in the following config.boot entry:

openvpn vtun0 { 
   ...
    openvpn-option "--static-challenge Enter\ TOTP\ Code 1"
    ...
}

As a workaround I just changed the message to Enter_TOTP_Code as it's only for the client to display this message.
But the --static-challenge option is meant to be something like this: --static-challenge "Enter Google Authenticator Code" 1 but VyOS does not allow any single or double quotes within your value so the escaped space was a good working workaround.

The OpenVPN config option is not the point of this bug though, it's mainly that an escaped space in a double quoted string crashes vyconfd. Actually any escaped character will crash it.

I made a simple reproducible test case for testing:

# stop vyconfd as we will try to execute it manually for testing purposes
systemctl stop vyconfd

# configure and save the quoted string with escaped character (eg: space, but any character will trigger the crash)
configure
set interfaces ethernet eth0 description "Hello\ World"
commit
save

# run vyconfd
vyos@vyos# /usr/libexec/vyos/vyconf/vyconfd --no-daemon --legacy-config-path
Fatal error: exception Failure("lexing: empty token")

Details

Version
vyoS 1.5-rolling-20250619
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

yun created this task.Jul 1 2025, 10:00 PM
yun created this object in space S1 VyOS Public.
jestabro subscribed.EditedJul 1 2025, 11:46 PM

Thanks, @yun , this is a known issue, as the sanitization functions have not yet been moved from the python module, for direct loads by vyconfd:
https://github.com/vyos/vyos-1x/blob/current/python/vyos/configtree.py#L38-L47
It's on the short term list to do.

jestabro claimed this task.Jul 1 2025, 11:46 PM
pasik subscribed.Jul 2 2025, 6:36 AM
yun added a comment.Jul 2 2025, 12:31 PM

good to know!

jestabro added a comment.Jul 18 2025, 11:54 PM

PR:
https://github.com/vyos/vyos1x-config/pull/48
This will be present in rolling after merge and the corresponding update to the libvyosconfig commit hash and vyos-1x submodule.

jestabro raised the priority of this task from Low to Normal.Jul 18 2025, 11:54 PM
jestabro mentioned this in rVYOSONEX515080bdfd3a: T7637: T7605: update git submodule for typo and escape backslash.Jul 22 2025, 2:23 PM
Restricted Repository Identity mentioned this in rVYOSONEX7a88b0b5b3af: Merge pull request #4614 from jestabro/debug-smoketests.Jul 22 2025, 2:23 PM
jestabro closed this task as Resolved.Jul 30 2025, 3:49 PM
jestabro moved this task from Need Triage to Completed on the VyOS Rolling board.
jestabro mentioned this in rVYOSONEX88bfc47e7bf8: T7637: T7605: update commit hashes for typo and escape backslash.Sep 10 2025, 1:16 PM
Restricted Repository Identity mentioned this in rVYOSONEX6da131348730: Merge pull request #45 from jestabro/debug-smoketests.Sep 10 2025, 1:16 PM
c-po mentioned this in rVYOSONEX6ad118257738: Merge https://github.com/vyos/libvyosconfig into integrate-libvyosconfig.Sep 10 2025, 1:16 PM