Fix: Upgrade gopkg.in/yaml.v2 to gopkg.in/yaml.v3 due to security issue

From the security report: > An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash > when attempting to deserialize invalid input. While upgrading to version 3, there was some required changes: * Force the encoder to use 2 spaces for identation * Rewrite tests so lists are idented References: https://nvd.nist.gov/vuln/detail/CVE-2022-28948 go-yaml/yaml#666 GHSA-hp87-p4gw-j4gq
Teamwork · May 26, 2022 · 8cea7c5 · 8cea7c5
1 parent d062f3c
commit 8cea7c5
Show file tree

Hide file tree

Showing 60 changed files with 3,542 additions and 2,003 deletions.
diff --git a/docparse/jsonschema.go b/docparse/jsonschema.go
@@ -11,7 +11,7 @@ import (
 
 	"github.com/teamwork/utils/goutil"
 	"github.com/teamwork/utils/sliceutil"
-	yaml "gopkg.in/yaml.v2"
+	yaml "gopkg.in/yaml.v3"
 )
 
 // The Schema Object allows the definition of input and output data types.

diff --git a/go.mod b/go.mod
@@ -8,6 +8,7 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/teamwork/test v0.0.0-20181126061546-2ff8918eb6a4
 	github.com/teamwork/utils v0.0.0-20190114034940-d6a1f27ce92c
-	gopkg.in/yaml.v2 v2.2.2
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.0
 	zgo.at/sconfig v1.2.2-0.20211017232425-870f818a71b7
 )
diff --git a/go.sum b/go.sum
@@ -1,5 +1,3 @@
-arp242.net/sconfig v0.0.0-20180901013357-c014d3b7a101 h1:V6CYq+es2ncUeJ2jzJxWVviAs7iNW/jvPb4+3LHOXsE=
-arp242.net/sconfig v0.0.0-20180901013357-c014d3b7a101/go.mod h1:s7teWAlHUlC2xRICC2FKERk6kQBI9lREHKRfWIWF+lA=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/imdario/mergo v0.3.7 h1:Y+UAYTZ7gDEuOfhxKWy+dvb5dRQ6rJjFSdX2HZY1/gI=
@@ -12,7 +10,9 @@ github.com/teamwork/utils v0.0.0-20190114034940-d6a1f27ce92c h1:5/hkqtufOyLP25ta
 github.com/teamwork/utils v0.0.0-20190114034940-d6a1f27ce92c/go.mod h1:rmPaJUVv426LGg3QR31m1N0bfpCdCVyh3dCWsJTQeDA=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0 h1:hjy8E9ON/egN1tAYqKb61G10WtihqetD4sz2H+8nIeA=
+gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 zgo.at/sconfig v1.2.2-0.20211017232425-870f818a71b7 h1:fw2yuIGMHzSRYrZUVOt/c1O/igkJIXorj/FNCg+tg2E=
 zgo.at/sconfig v1.2.2-0.20211017232425-870f818a71b7/go.mod h1:RXEBQABoIc7RnagqaT+7BHU81g1okqSLeND/YJLZiDE=
diff --git a/html/html.go b/html/html.go
@@ -9,7 +9,7 @@ import (
 	"os"
 
 	"github.com/teamwork/kommentaar/docparse"
-	yaml "gopkg.in/yaml.v2"
+	yaml "gopkg.in/yaml.v3"
 )
 
 var funcMap = template.FuncMap{

diff --git a/openapi2/openapi2.go b/openapi2/openapi2.go
@@ -5,6 +5,7 @@
 package openapi2 // import "github.com/teamwork/kommentaar/openapi2"
 
 import (
+	"bytes"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -14,7 +15,7 @@ import (
 	"github.com/imdario/mergo"
 	"github.com/teamwork/kommentaar/docparse"
 	"github.com/teamwork/utils/goutil"
-	yaml "gopkg.in/yaml.v2"
+	yaml "gopkg.in/yaml.v3"
 )
 
 type (
@@ -469,7 +470,11 @@ func write(outFormat string, w io.Writer, prog *docparse.Program) error {
 	case "json":
 		d, err = json.Marshal(&out)
 	case "yaml":
-		d, err = yaml.Marshal(&out)
+		var b bytes.Buffer
+		yamlEncoder := yaml.NewEncoder(&b)
+		yamlEncoder.SetIndent(2)
+		err = yamlEncoder.Encode(&out)
+		d = b.Bytes()
 	default:
 		err = fmt.Errorf("unknown format: %#v", outFormat)
 	}

diff --git a/testdata/openapi2/src/blank-line/want.yaml b/testdata/openapi2/src/blank-line/want.yaml
@@ -3,21 +3,21 @@ info:
   title: x
   version: x
 consumes:
-- application/json
+  - application/json
 produces:
-- application/json
+  - application/json
 tags:
-- name: tag
+  - name: tag
 paths:
   /path:
     post:
       operationId: POST_path
       tags:
-      - tag
+        - tag
       consumes:
-      - application/x-www-form-urlencoded
+        - application/x-www-form-urlencoded
       produces:
-      - application/json
+        - application/json
       responses:
         200:
           description: 200 OK (no data)

diff --git a/testdata/openapi2/src/description-print-var/want.yaml b/testdata/openapi2/src/description-print-var/want.yaml
@@ -3,9 +3,9 @@ info:
   title: x
   version: x
 consumes:
-- application/json
+  - application/json
 produces:
-- application/json
+  - application/json
 paths:
   /path:
     post:
@@ -39,7 +39,7 @@ paths:
 
         I'm escaped $foo
       produces:
-      - application/json
+        - application/json
       responses:
         200:
           description: 200 OK (no data)

diff --git a/testdata/openapi2/src/embedded-pointer/want.yaml b/testdata/openapi2/src/embedded-pointer/want.yaml
@@ -3,15 +3,15 @@ info:
   title: x
   version: x
 consumes:
-- application/json
+  - application/json
 produces:
-- application/json
+  - application/json
 paths:
   /path:
     post:
       operationId: POST_path
       produces:
-      - application/json
+        - application/json
       responses:
         200:
           description: 200 OK

diff --git a/testdata/openapi2/src/embedded-sometimes/want.yaml b/testdata/openapi2/src/embedded-sometimes/want.yaml
@@ -3,31 +3,31 @@ info:
   title: x
   version: x
 consumes:
-- application/json
+  - application/json
 produces:
-- application/json
+  - application/json
 tags:
-- name: foobar
+  - name: foobar
 paths:
   /foo/{id}:
     post:
       operationId: POST_foo_{id}
       tags:
-      - foobar
+        - foobar
       consumes:
-      - application/json
+        - application/json
       produces:
-      - application/json
+        - application/json
       parameters:
-      - name: id
-        in: path
-        type: integer
-        required: true
-      - name: embedded-sometimes.RequestObj
-        in: body
-        required: true
-        schema:
-          $ref: '#/definitions/embedded-sometimes.RequestObj'
+        - name: id
+          in: path
+          type: integer
+          required: true
+        - name: embedded-sometimes.RequestObj
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/embedded-sometimes.RequestObj'
       responses:
         200:
           description: 200 OK

diff --git a/testdata/openapi2/src/endpoint-extend/want.yaml b/testdata/openapi2/src/endpoint-extend/want.yaml
@@ -3,23 +3,23 @@ info:
   title: x
   version: x
 consumes:
-- application/json
+  - application/json
 produces:
-- application/json
+  - application/json
 paths:
   /path:
     post:
       consumes:
-      - application/xml
+        - application/xml
       operationId: POST_path
       parameters:
-      - in: body
-        name: endpoint-extend.reqRef
-        required: true
-        schema:
-          $ref: '#/definitions/endpoint-extend.reqRef'
+        - in: body
+          name: endpoint-extend.reqRef
+          required: true
+          schema:
+            $ref: '#/definitions/endpoint-extend.reqRef'
       produces:
-      - application/json
+        - application/json
       responses:
         "200":
           description: 200 OK (no data)

diff --git a/testdata/openapi2/src/export/want.yaml b/testdata/openapi2/src/export/want.yaml
@@ -3,26 +3,26 @@ info:
   title: x
   version: x
 consumes:
-- application/json
+  - application/json
 produces:
-- application/json
+  - application/json
 paths:
   /path:
     post:
       operationId: POST_path
       consumes:
-      - application/json
+        - application/json
       produces:
-      - application/json
+        - application/json
       parameters:
-      - name: exported
-        in: query
-        type: string
-      - name: export.ref2
-        in: body
-        required: true
-        schema:
-          $ref: '#/definitions/export.ref2'
+        - name: exported
+          in: query
+          type: string
+        - name: export.ref2
+          in: body
+          required: true
+          schema:
+            $ref: '#/definitions/export.ref2'
       responses:
         200:
           description: 200 OK (no data)

diff --git a/testdata/openapi2/src/field-whitelist/want.yaml b/testdata/openapi2/src/field-whitelist/want.yaml
@@ -3,15 +3,15 @@ info:
   title: x
   version: x
 consumes:
-- application/json
+  - application/json
 produces:
-- application/json
+  - application/json
 paths:
   /path:
     post:
       operationId: POST_path
       produces:
-      - application/json
+        - application/json
       responses:
         200:
           description: 200 OK

diff --git a/testdata/openapi2/src/interface/want.yaml b/testdata/openapi2/src/interface/want.yaml
@@ -3,15 +3,15 @@ info:
   title: x
   version: x
 consumes:
-- application/json
+  - application/json
 produces:
-- application/json
+  - application/json
 paths:
   /path:
     get:
       operationId: GET_path
       produces:
-      - application/json
+        - application/json
       responses:
         200:
           description: 200 OK