CVE-2025-22237: Salt's on demand pillar functionality vulnerable to arbitrary command injections
6.7
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| salt | pip | >= 3006.0rc1, < 3006.12 | 3006.12 |
| salt | pip | >= 3007.0rc1, < 3007.4 | 3007.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability (CVE-2025-22237) allows for arbitrary command injection on the Salt master via the 'on-demand' pillar functionality. An attacker with access to a minion key can send a specially crafted git URL to the master when pillar data is requested.
The root cause lies in the insufficient validation of these git URLs before they are processed.
- The `salt.master.AESFuncs._pillar` function is the entry point that receives pillar requests from minions. Such a request can include specifications for on-demand external pillars, including ones sourced from git repositories. This function takes the potentially malicious input (the crafted git URL) and passes it down for processing.
- The `salt.utils.gitfs.GitFS.init_remotes` function is responsible for setting up these git remotes. Prior to the patch (commit 9445f496fed61b15dc4364818007e5b765b0746f), this function did not adequately sanitize or validate the provided git URLs. A crafted URL could therefore inject commands that would be executed by the underlying git client or shell with the privileges of the Salt master process.
The patch introduces a URLValidator in salt/utils/verify.py and applies this validation within salt.utils.gitfs.GitFS.init_remotes to ensure that only legitimate and safe URLs are processed. Additionally, salt.pillar.Pillar.__valid_on_demand_ext_pillar was hardened to better control which external pillars can be loaded on demand. For a security engineer, this means that any Salt master running a vulnerable version and configured to use on-demand git pillars could be compromised if a minion key is exposed, allowing an attacker to execute arbitrary commands on the master.
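The following is an added illustration of an allow-list check of the kind the patch describes, written for this page; it is not Salt's own `URLValidator`, whose implementation is not shown here. The accepted transports, the character set and the sample remotes are all constructed assumptions.

```python
"""Hypothetical allow-list validator for git remote URLs (not Salt's code)."""
import re
from urllib.parse import urlsplit

# Transports a pillar git remote is expected to use (constructed allow-list).
ALLOWED_SCHEMES = {"https", "http", "ssh", "git"}

# scp-style form that git accepts without a scheme: [user@]host:path
_SCP_LIKE = re.compile(r"^(?:[A-Za-z0-9._-]+@)?[A-Za-z0-9.-]+:[A-Za-z0-9._~/-]+$")

# Characters a plain repository URL can be built from. Whitespace, quotes and
# shell metacharacters are deliberately absent so they are rejected outright.
_SAFE_CHARS = re.compile(r"^[A-Za-z0-9._~:/?#@%+=-]+$")


def validate_git_url(url: str) -> bool:
    """Return True only if ``url`` is a plain git remote on an allowed transport."""
    if not isinstance(url, str) or not url:
        return False
    if url.startswith("-"):
        # A leading dash would be read as an option by a command-line git client.
        return False
    if not _SAFE_CHARS.fullmatch(url):
        return False
    if "://" in url:
        try:
            parts = urlsplit(url)
        except ValueError:
            return False
        # Scheme must be on the allow-list and a host must actually be present.
        return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.hostname)
    # No scheme: accept only the scp-like syntax git understands.
    return bool(_SCP_LIKE.fullmatch(url))


def check_remotes(remotes):
    """Split a list of requested remotes into accepted and rejected URLs,
    mirroring the point at which init_remotes would apply such a check."""
    accepted = [r for r in remotes if validate_git_url(r)]
    rejected = [r for r in remotes if r not in accepted]
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input: two legitimate remotes and two that must be refused.
    sample = ["https://github.com/org/repo.git", "git@github.com:org/repo.git",
              "ftp://example.com/repo.git", "-not-a-url"]
    ok, bad = check_remotes(sample)
    print("accepted:", ok)
    print("rejected:", bad)
```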