From ee0756044cbcbc6360f9210d340eedd2a5dbd842 Mon Sep 17 00:00:00 2001
From: Jesse Szwedko
Date: Sat, 18 Jun 2022 11:02:36 -0700
Subject: [PATCH 1/2] Upgrade gopkg.in/yaml to v3
Fixes vulnerability: https://github.com/advisories/GHSA-hp87-p4gw-j4gq
YAML v3 deserializes maps as map[string]interface{} so we handle this in MapImportSource now.
Signed-off-by: Jesse Szwedko
---
 altsrc/map_input_source.go | 14 +++++++++++---
 altsrc/yaml_file_loader.go | 2 +-
 go.mod | 2 +-
 go.sum | 4 ++--
 internal/genflags/cmd/genflags/main.go | 2 +-
 5 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/altsrc/map_input_source.go b/altsrc/map_input_source.go
index e065c7c..49a3c51 100644
--- a/altsrc/map_input_source.go
+++ b/altsrc/map_input_source.go
@@ -32,11 +32,19 @@ func nestedVal(name string, tree map[interface{}]interface{}) (interface{}, bool
 if !ok {
 return nil, false
 }
- ctype, ok := child.(map[interface{}]interface{})
- if !ok {
+
+ switch child := child.(type) {
+ case map[string]interface{}:
+ m := make(map[interface{}]interface{}, len(child))
+ for k, v := range child {
+ m[k] = v
+ }
+ node = m
+ case map[interface{}]interface{}:
+ node = child
+ default:
 return nil, false
 }
- node = ctype
 }
 if val, ok := node[sections[len(sections)-1]]; ok {
 return val, true
diff --git a/altsrc/yaml_file_loader.go b/altsrc/yaml_file_loader.go
index 4ace1f2..315db18 100644
--- a/altsrc/yaml_file_loader.go
+++ b/altsrc/yaml_file_loader.go
@@ -11,7 +11,7 @@ import (
 "github.com/urfave/cli/v2"
- "gopkg.in/yaml.v2"
+ "gopkg.in/yaml.v3"
 )
 type yamlSourceContext struct {
diff --git a/go.mod b/go.mod
index 6343421..965da5c 100644
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,7 @@ require (
 github.com/cpuguy83/go-md2man/v2 v2.0.1
 github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673
 golang.org/x/text v0.3.7
- gopkg.in/yaml.v2 v2.4.0
+ gopkg.in/yaml.v3 v3.0.1
 )
 require github.com/russross/blackfriday/v2 v2.1.0 // indirect
diff --git a/go.sum b/go.sum
index 8521fc3..3c7df2e 100644
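Review bot: No test accompanies the new `case map[string]interface{}` arm of the type switch in altsrc/map_input_source.go; the diffstat lists no test file, so unless an existing YAML-backed test already walks a dotted key, nothing pins that a nested name still resolves after the parser swap. A table test that calls nestedVal with an inner level of `map[string]interface{}`, an inner level of `map[interface{}]interface{}`, and a scalar inner level would cover all three arms. The arm also copies the whole child map on every lookup at every nesting level, which deserves a comment such as `// yaml.v3 decodes string-keyed mappings as map[string]interface{}; normalise to node's type`; PATCH 2/2 keeps the same copy. nestedVal begins and ends outside the hunk, so any other type assertion on nested values in this file is not visible here and may need the same handling.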
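Review bot: The import switch to `gopkg.in/yaml.v3` in altsrc/yaml_file_loader.go changes scalar resolution as well as the nested map type: yaml.v3 turns the YAML 1.1 boolean spellings (`yes`/`no`, `on`/`off`) into bool only when the destination is a typed bool, and leaves them as strings otherwise. If the loader unmarshals into an untyped map (the call site is outside this hunk, so this is inferred from the commit message), a config line such as `verbose: yes` would now arrive as a string, and a boolean flag fed from an existing file could silently stop being applied. A test that loads such a file, plus an upgrade note for users, would make the change explicit. The same import switch appears in internal/genflags/cmd/genflags/main.go.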
--- a/go.sum
+++ b/go.sum
@@ -12,5 +12,5 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e h1:FDhOuMEY4JVRztM/gsbk+IK
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/internal/genflags/cmd/genflags/main.go b/internal/genflags/cmd/genflags/main.go
index cad2508..4212e60 100644
--- a/internal/genflags/cmd/genflags/main.go
+++ b/internal/genflags/cmd/genflags/main.go
@@ -15,7 +15,7 @@ import (
 "github.com/urfave/cli/v2"
 "github.com/urfave/cli/v2/internal/genflags"
- "gopkg.in/yaml.v2"
+ "gopkg.in/yaml.v3"
 )
 const (
From 72dc91db747008d0554dba4056f11f98bf1e2bd4 Mon Sep 17 00:00:00 2001
From: Jesse Szwedko
Date: Sat, 18 Jun 2022 13:38:22 -0700
Subject: [PATCH 2/2] Re-use `node` variable
Signed-off-by: Jesse Szwedko
---
 altsrc/map_input_source.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/altsrc/map_input_source.go b/altsrc/map_input_source.go
index 49a3c51..07de00f 100644
--- a/altsrc/map_input_source.go
+++ b/altsrc/map_input_source.go
@@ -35,11 +35,10 @@ func nestedVal(name string, tree map[interface{}]interface{}) (interface{}, bool
 switch child := child.(type) {
 case map[string]interface{}:
- m := make(map[interface{}]interface{}, len(child))
+ node = make(map[interface{}]interface{}, len(child))
 for k, v := range child {
- m[k] = v
+ node[k] = v
 }
- node = m
 case map[interface{}]interface{}:
 node = child
 default: