Skip to content

Commit

Permalink
CVE-2020-25614: Update xmlquery, jsonquery and xpath packages. (sonic…
Browse files Browse the repository at this point in the history
…-net#58)

Updated xmlquery version from 1.2.1 to 1.3.1
Updated jsonquery version from 1.1.0 to 1.1.4
Updated xpath version from 1.1.2 to 1.1.10

Updated patch files as package version are updated.
  • Loading branch information
maheshwari-mayank authored Apr 19, 2022
1 parent 5156527 commit ec32690
Show file tree
Hide file tree
Showing 5 changed files with 137 additions and 245 deletions.
7 changes: 4 additions & 3 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,12 @@ module github.com/Azure/sonic-mgmt-common

require (
github.com/Workiva/go-datastructures v1.0.50
github.com/antchfx/jsonquery v1.1.0
github.com/antchfx/xmlquery v1.2.1
github.com/antchfx/xpath v1.1.2
github.com/antchfx/jsonquery v1.1.4
github.com/antchfx/xmlquery v1.3.1
github.com/antchfx/xpath v1.1.10
github.com/go-redis/redis v6.15.6+incompatible
github.com/go-redis/redis/v7 v7.0.0-beta.3.0.20190824101152-d19aba07b476
github.com/godbus/dbus/v5 v5.1.0
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect
github.com/openconfig/gnmi v0.0.0-20200617225440-d2b4e6a45802
Expand Down
20 changes: 14 additions & 6 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,13 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMT
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/Workiva/go-datastructures v1.0.50 h1:slDmfW6KCHcC7U+LP3DDBbm4fqTwZGn1beOFPfGaLvo=
github.com/Workiva/go-datastructures v1.0.50/go.mod h1:Z+F2Rca0qCsVYDS8z7bAGm8f3UkzuWYS/oBZz5a7VVA=
github.com/antchfx/jsonquery v1.1.0 h1:ZeqeHheI8WsEN5blUqZXZ30w2jrbFvlQIq5B7X7Z86E=
github.com/antchfx/jsonquery v1.1.0/go.mod h1:h7950pvPrUZzJIflNqsELgDQovTpPNa0rAHf8NwjegY=
github.com/antchfx/xmlquery v1.2.1 h1:wE4xjHrqOScP440wdv23Xkg0Gr8JryW0ptqodPH+y2U=
github.com/antchfx/xmlquery v1.2.1/go.mod h1:/+CnyD/DzHRnv2eRxrVbieRU/FIF6N0C+7oTtyUtCKk=
github.com/antchfx/xpath v1.1.2 h1:YziPrtM0gEJBnhdUGxYcIVYXZ8FXbtbovxOi+UW/yWQ=
github.com/antchfx/xpath v1.1.2/go.mod h1:Yee4kTMuNiPYJ7nSNorELQMr1J33uOpXDMByNYhvtNk=
github.com/antchfx/jsonquery v1.1.4 h1:+OlFO3QS9wjU0MKx9MgHm5f6o6hdd4e9mUTp0wTjxlM=
github.com/antchfx/jsonquery v1.1.4/go.mod h1:cHs8r6Bymd8j6HI6Ej1IJbjahKvLBcIEh54dfmo+E9A=
github.com/antchfx/xmlquery v1.3.1 h1:nIKWdtnhrXtj0/IRUAAw2I7TfpHUa3zMnHvNmPXFg+w=
github.com/antchfx/xmlquery v1.3.1/go.mod h1:64w0Xesg2sTaawIdNqMB+7qaW/bSqkQm+ssPaCMWNnc=
github.com/antchfx/xpath v1.1.7/go.mod h1:Yee4kTMuNiPYJ7nSNorELQMr1J33uOpXDMByNYhvtNk=
github.com/antchfx/xpath v1.1.10 h1:cJ0pOvEdN/WvYXxvRrzQH9x5QWKpzHacYO8qzCcDYAg=
github.com/antchfx/xpath v1.1.10/go.mod h1:Yee4kTMuNiPYJ7nSNorELQMr1J33uOpXDMByNYhvtNk=
github.com/cenkalti/backoff/v4 v4.0.0/go.mod h1:eEew/i+1Q6OrCDZh3WiXYv3+nJwBASZ8Bog/87DQnVg=
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
Expand All @@ -21,6 +22,8 @@ github.com/go-redis/redis v6.15.6+incompatible h1:H9evprGPLI8+ci7fxQx6WNZHJSb7be
github.com/go-redis/redis v6.15.6+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA=
github.com/go-redis/redis/v7 v7.0.0-beta.3.0.20190824101152-d19aba07b476 h1:WNSiFp8Ww4ZP7XUzW56zDYv5roKQ4VfsdHCLoh8oDj4=
github.com/go-redis/redis/v7 v7.0.0-beta.3.0.20190824101152-d19aba07b476/go.mod h1:xhhSbUMTsleRPur+Vgx9sUHtyN33bdjxY+9/0n9Ig8s=
github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e h1:1r7pUrabqp18hOBcwBwiTsbnFeTZHV9eER/QT5JVZxY=
Expand Down Expand Up @@ -74,6 +77,7 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
Expand All @@ -87,6 +91,8 @@ golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20200301022130-244492dfa37a h1:GuSPYbZzB5/dcLNCwLQLsg3obCJtX9IJhpXkvY7kzk0=
golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200813134508-3edf25e44fcc h1:zK/HqS5bZxDptfPJNq8v7vJfXtkU7r9TLIoSr1bXaP4=
golang.org/x/net v0.0.0-20200813134508-3edf25e44fcc/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
Expand All @@ -97,6 +103,8 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a h1:1BGLXjeY4akVXGgbC9HugT3Jv
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d h1:+R4KGOnez64A81RvjARKc4UT5/tI9ujCIVX+P5KiHuI=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd h1:xhmwyvizuTgC2qz7ZlMluP20uW+C3Rm0FD/WLDX8884=
golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
Expand Down
10 changes: 5 additions & 5 deletions patches/jsonquery.patch
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
diff --git a/node.go b/node.go
index 76032bb..f6103d9 100644
index 4b28b32..afeed80 100644
--- a/node.go
+++ b/node.go
@@ -8,6 +8,7 @@ import (
Expand All @@ -10,7 +10,7 @@ index 76032bb..f6103d9 100644
)

// A NodeType is the type of a Node.
@@ -110,6 +111,29 @@ func parseValue(x interface{}, top *Node, level int) {
@@ -143,6 +144,29 @@ func parseValue(x interface{}, top *Node, level int) {
addNode(n)
parseValue(vv, n, level+1)
}
Expand Down Expand Up @@ -40,7 +40,7 @@ index 76032bb..f6103d9 100644
case map[string]interface{}:
// The Go’s map iteration order is random.
// (https://blog.golang.org/go-maps-in-action#Iteration-order)
@@ -119,9 +143,21 @@ func parseValue(x interface{}, top *Node, level int) {
@@ -152,9 +176,21 @@ func parseValue(x interface{}, top *Node, level int) {
}
sort.Strings(keys)
for _, key := range keys {
Expand All @@ -64,7 +64,7 @@ index 76032bb..f6103d9 100644
}
case string:
n := &Node{Data: v, Type: TextNode, level: level}
@@ -155,3 +191,9 @@ func Parse(r io.Reader) (*Node, error) {
@@ -188,3 +224,9 @@ func Parse(r io.Reader) (*Node, error) {
}
return parse(b)
}
Expand All @@ -75,7 +75,7 @@ index 76032bb..f6103d9 100644
+ return doc, nil
+}
diff --git a/query.go b/query.go
index d105962..e8db1d6 100644
index 6421801..e3df27a 100644
--- a/query.go
+++ b/query.go
@@ -120,6 +120,14 @@ func (a *NodeNavigator) MoveToRoot() {
Expand Down
14 changes: 7 additions & 7 deletions patches/xmlquery.patch
Original file line number Diff line number Diff line change
@@ -1,17 +1,17 @@
diff --git a/node.go b/node.go
index e86c0c3..028867c 100644
index e053748..1c9a529 100644
--- a/node.go
+++ b/node.go
@@ -48,7 +48,7 @@ type Node struct {
@@ -45,7 +45,7 @@ type Node struct {

// InnerText returns the text between the start and end tags of the object.
func (n *Node) InnerText() string {
- var output func(*bytes.Buffer, *Node)
+ /*var output func(*bytes.Buffer, *Node)
output = func(buf *bytes.Buffer, n *Node) {
switch n.Type {
case TextNode:
@@ -64,7 +64,18 @@ func (n *Node) InnerText() string {
case TextNode, CharDataNode:
@@ -60,7 +60,18 @@ func (n *Node) InnerText() string {

var buf bytes.Buffer
output(&buf, n)
Expand All @@ -32,7 +32,7 @@ index e86c0c3..028867c 100644

func (n *Node) sanitizedData(preserveSpaces bool) string {
diff --git a/query.go b/query.go
index 146c2a4..f21b61b 100644
index c148e5f..4ac76af 100644
--- a/query.go
+++ b/query.go
@@ -49,6 +49,29 @@ func CreateXPathNavigator(top *Node) *NodeNavigator {
Expand Down Expand Up @@ -65,7 +65,7 @@ index 146c2a4..f21b61b 100644
func getCurrentNode(it *xpath.NodeIterator) *Node {
n := it.Current().(*NodeNavigator)
if n.NodeType() == xpath.AttributeNode {
@@ -145,7 +168,7 @@ func FindEachWithBreak(top *Node, expr string, cb func(int, *Node) bool) {
@@ -146,7 +169,7 @@ func FindEachWithBreak(top *Node, expr string, cb func(int, *Node) bool) {
}

type NodeNavigator struct {
Expand All @@ -74,7 +74,7 @@ index 146c2a4..f21b61b 100644
attr int
}

@@ -212,6 +235,17 @@ func (x *NodeNavigator) MoveToRoot() {
@@ -217,6 +240,17 @@ func (x *NodeNavigator) MoveToRoot() {
x.curr = x.root
}

Expand Down
Loading

0 comments on commit ec32690

Please sign in to comment.