[Bug]: 3.008rc3: salt.utils.secret.mask_pillar not unset during pillar SLS rendering — all string values replaced with `**********`

[bchill]

What happened?

Bug: 3.008rc3: salt.utils.secret.mask_pillar not unset during pillar SLS rendering — all string values replaced with **********

Salt Version: 3008.0rc3
Severity: Critical — renders Salt pillar-driven configuration management non-functional

Summary

Salt 3008 introduces salt.utils.secret with a MaskedDict/MaskedList system to redact pillar values in output and logs. A ContextVar named mask_pillar defaults to True. The state/file template renderer in salt/utils/templates.py correctly sets mask_pillar=False before rendering, so states receive plain values. However, the pillar SLS renderer in salt/pillar/__init__.py:render_pillar() never sets mask_pillar=False. As a result, all string values in pillar SLS files that are rendered via Jinja produce ********** instead of their actual values when interpolated as strings (e.g. {{ my_list }}, {{ my_string }}).

Impact

Any pillar SLS file that uses Jinja to construct values and then renders them into YAML output via {{ variable }} will produce literal ********** strings in the compiled pillar. These values are then delivered to minions and written into configuration files, breaking any service that depends on pillar-derived configuration.

Root Cause

salt/utils/templates.py line 221 correctly unsets the mask for state rendering:

_token = salt.utils.secret.mask_pillar.set(False)

The equivalent call is absent from salt/pillar/__init__.py:render_pillar().

Reproduction

Any pillar SLS file using Jinja string interpolation of a list or string value:

my_key: {{ my_list }}

Produces:

my_key:
  - '**********'
  - '**********'

instead of actual values.

Fix

Add to render_pillar() in salt/pillar/__init__.py:

def render_pillar(self, matches, errors=None):
    _token = salt.utils.secret.mask_pillar.set(False)
    try:
        # existing code unchanged
    finally:
        salt.utils.secret.mask_pillar.reset(_token)

Verification

• pillar.get key unmask=True returns correct values — data is intact server-side
• pillar.get key returns ********** for all string values
• Downgrading to 3008rc2 resolves the issue entirely
• 3007.x is unaffected

Workaround

Downgrade to 3008rc2 or 3007.x.

Type of salt install

Official rpm

Major version

3007.x

What supported OS are you seeing the problem on? Can select multiple. (If bug appears on an unsupported OS, please open a GitHub Discussion instead)

rhel-9, rockylinux-9

salt --versions-report output

# salt --versions-report
Salt Version:
          Salt: 3008.0rc3

Python Version:
        Python: 3.14.5 (main, May 12 2026, 03:56:57) [GCC 11.2.0]

Dependency Versions:
          cffi: 2.0.0
      cherrypy: 18.10.0
  cryptography: 48.0.0
      dateutil: 2.9.0.post0
     docker-py: Not Installed
         gitdb: 4.0.12
     gitpython: 3.1.49
        Jinja2: 3.1.6
       libgit2: Not Installed
  looseversion: 1.3.0
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.1.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 24.0
     pycparser: 3.00
      pycrypto: Not Installed
  pycryptodome: 3.23.0
        pygit2: Not Installed
  python-gnupg: 0.5.6
        PyYAML: 6.0.3
         PyZMQ: 27.1.0
        relenv: 0.22.11
         smmap: 5.0.3
       timelib: 0.3.0
       Tornado: 6.5.5
           ZMQ: 4.3.5

Salt Extensions:
 saltext.mysql: 1.1.0
 saltext.vault: 1.5.0

Salt Package Information:
  Package Type: onedir

System Versions:
          dist: rocky 9.7 Blue Onyx
        locale: utf-8
       machine: x86_64
       release: 5.14.0-611.54.1.el9_7.0.1.x86_64
        system: Linux
       version: Rocky Linux 9.7 Blue Onyx


.... behavior is the same on Rocky 9, RHEL 9 and Fed 40 - same rpm (x86_64

[NdK73]

Pillar values still masked in 3008.0~rc4 :(