
Fix: Upgrade gopkg.in/yaml.v2 to gopkg.in/yaml.v3 due to security issue #91

Merged (3 commits) on May 27, 2022

Conversation

rafaeljusto (Contributor)

@rafaeljusto rafaeljusto commented May 26, 2022

From the security report:

An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash
when attempting to deserialize invalid input.

While upgrading to version 3, there were some required changes:

  • Force the encoder to use 2 spaces for indentation
  • Rewrite tests so lists are indented

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-28948
go-yaml/yaml#666
GHSA-hp87-p4gw-j4gq

codecov (bot)

codecov bot commented May 26, 2022

Codecov Report

Merging #91 (8d531be) into master (d062f3c) will increase coverage by 0.06%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master      #91      +/-   ##
==========================================
+ Coverage   74.11%   74.18%   +0.06%     
==========================================
  Files          10       10              
  Lines        1495     1499       +4     
==========================================
+ Hits         1108     1112       +4     
  Misses        279      279              
  Partials      108      108              
Impacted Files            Coverage Δ
docparse/jsonschema.go    70.44% <ø> (ø)
html/html.go              29.72% <ø> (ø)
openapi2/openapi2.go      82.69% <100.00%> (+0.27%) ⬆️

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@rafaeljusto rafaeljusto marked this pull request as ready for review May 26, 2022 12:20
@rafaeljusto rafaeljusto requested a review from a team May 26, 2022 12:20
ripexz (Member)

ripexz commented May 26, 2022

Am I misreading the linked issues/reports or was the vulnerability only present in v3 and not v2 (which we're currently using)? Granted it's now fixed in v3 as well, but arguably this wasn't necessary unless we intend to use some v3 features 🤔

rafaeljusto (Contributor, Author)

Yep, you read it right 😄, the biggest pain is that the GitHub alert (for some strange reason) decided to complain about anything before version 3.0.0:

[image]

So to get rid of the repository warning, we actually need to upgrade to version 3:

[image]

ripexz (Member)

ripexz commented May 27, 2022

They just released 3.0.1, might as well go for that then 😅

rafaeljusto (Contributor, Author)

Thanks @ripexz ! Upgraded there now 🙂

Review comment on go.mod (outdated, resolved):
This is required so all dependencies use yaml.v3.
3 participants