Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix: Upgrade gopkg.in/yaml.v2 to gopkg.in/yaml.v3 due to security issue #91

Merged
merged 3 commits into from
May 27, 2022

Conversation

rafaeljusto
Copy link
Contributor

@rafaeljusto rafaeljusto commented May 26, 2022

From the security report:

An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash
when attempting to deserialize invalid input.

While upgrading to version 3, there were some required changes:

  • Force the encoder to use 2 spaces for indentation
  • Rewrite tests so lists are indented

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-28948
go-yaml/yaml#666
GHSA-hp87-p4gw-j4gq

@codecov
Copy link

codecov bot commented May 26, 2022

Codecov Report

Merging #91 (8d531be) into master (d062f3c) will increase coverage by 0.06%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master      #91      +/-   ##
==========================================
+ Coverage   74.11%   74.18%   +0.06%     
==========================================
  Files          10       10              
  Lines        1495     1499       +4     
==========================================
+ Hits         1108     1112       +4     
  Misses        279      279              
  Partials      108      108              
Impacted Files Coverage Δ
docparse/jsonschema.go 70.44% <ø> (ø)
html/html.go 29.72% <ø> (ø)
openapi2/openapi2.go 82.69% <100.00%> (+0.27%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d062f3c...8d531be. Read the comment docs.

From the security report:
> An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash
> when attempting to deserialize invalid input.

While upgrading to version 3, there was some required changes:
* Force the encoder to use 2 spaces for identation
* Rewrite tests so lists are idented

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-28948
go-yaml/yaml#666
GHSA-hp87-p4gw-j4gq
@rafaeljusto rafaeljusto force-pushed the fix/yaml-security-fix branch from c4fd45c to 8cea7c5 Compare May 26, 2022 12:16
@rafaeljusto rafaeljusto marked this pull request as ready for review May 26, 2022 12:20
@rafaeljusto rafaeljusto requested a review from a team May 26, 2022 12:20
@ripexz
Copy link
Member

ripexz commented May 26, 2022

Am I misreading the linked issues/reports or was the vulnerability only present in v3 and not v2 (which we're currently using)? Granted it's now fixed in v3 as well, but arguably this wasn't necessary unless we intend to use some v3 features 🤔

@rafaeljusto
Copy link
Contributor Author

Yep, you read it right 😄 , the biggest pain is that the Github Alert (for some strange reason) decided to annoy about anything before version 3.0.0:

image

So to get rid of the repository warning, we actually need to upgrade to version 3:
image

@ripexz
Copy link
Member

ripexz commented May 27, 2022

They just released 3.0.1, might as well go for that then 😅

@rafaeljusto
Copy link
Contributor Author

Thanks @ripexz ! Upgraded there now 🙂

go.mod Outdated Show resolved Hide resolved
This is required so all dependencies use yaml.v3.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants