mirror of https://github.com/knative/pkg.git
Add fix for CVE-2022-28948 (#2532)
Per https://github.com/go-yaml/yaml/issues/666, the recommendation is to bump gopkg.in/yaml.v3 to v3.0.1. I detected the affected version as an indirect dependency that was flagged in net-istio.
parent
7d607d643e
commit
1f01575cfd
2
go.mod
2
go.mod
|
@ -40,7 +40,7 @@ require (
|
||||||
google.golang.org/api v0.61.0
|
google.golang.org/api v0.61.0
|
||||||
google.golang.org/grpc v1.42.0
|
google.golang.org/grpc v1.42.0
|
||||||
google.golang.org/protobuf v1.27.1
|
google.golang.org/protobuf v1.27.1
|
||||||
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
|
gopkg.in/yaml.v3 v3.0.1
|
||||||
k8s.io/api v0.23.5
|
k8s.io/api v0.23.5
|
||||||
k8s.io/apiextensions-apiserver v0.23.4
|
k8s.io/apiextensions-apiserver v0.23.4
|
||||||
k8s.io/apimachinery v0.23.5
|
k8s.io/apimachinery v0.23.5
|
||||||
|
|
3
go.sum
3
go.sum
|
@ -1150,8 +1150,9 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
|
||||||
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
|
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
|
||||||
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||||
gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||||
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
|
|
||||||
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||||
|
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
|
||||||
|
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||||
gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
|
gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
|
||||||
gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
|
gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
|
||||||
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||||
|
|
|
@ -100,7 +100,10 @@ func (p *parser) peek() yaml_event_type_t {
|
||||||
if p.event.typ != yaml_NO_EVENT {
|
if p.event.typ != yaml_NO_EVENT {
|
||||||
return p.event.typ
|
return p.event.typ
|
||||||
}
|
}
|
||||||
if !yaml_parser_parse(&p.parser, &p.event) {
|
// It's curious choice from the underlying API to generally return a
|
||||||
|
// positive result on success, but on this case return true in an error
|
||||||
|
// scenario. This was the source of bugs in the past (issue #666).
|
||||||
|
if !yaml_parser_parse(&p.parser, &p.event) || p.parser.error != yaml_NO_ERROR {
|
||||||
p.fail()
|
p.fail()
|
||||||
}
|
}
|
||||||
return p.event.typ
|
return p.event.typ
|
||||||
|
@ -320,6 +323,8 @@ type decoder struct {
|
||||||
decodeCount int
|
decodeCount int
|
||||||
aliasCount int
|
aliasCount int
|
||||||
aliasDepth int
|
aliasDepth int
|
||||||
|
|
||||||
|
mergedFields map[interface{}]bool
|
||||||
}
|
}
|
||||||
|
|
||||||
var (
|
var (
|
||||||
|
@ -808,6 +813,11 @@ func (d *decoder) mapping(n *Node, out reflect.Value) (good bool) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
mergedFields := d.mergedFields
|
||||||
|
d.mergedFields = nil
|
||||||
|
|
||||||
|
var mergeNode *Node
|
||||||
|
|
||||||
mapIsNew := false
|
mapIsNew := false
|
||||||
if out.IsNil() {
|
if out.IsNil() {
|
||||||
out.Set(reflect.MakeMap(outt))
|
out.Set(reflect.MakeMap(outt))
|
||||||
|
@ -815,11 +825,18 @@ func (d *decoder) mapping(n *Node, out reflect.Value) (good bool) {
|
||||||
}
|
}
|
||||||
for i := 0; i < l; i += 2 {
|
for i := 0; i < l; i += 2 {
|
||||||
if isMerge(n.Content[i]) {
|
if isMerge(n.Content[i]) {
|
||||||
d.merge(n.Content[i+1], out)
|
mergeNode = n.Content[i+1]
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
k := reflect.New(kt).Elem()
|
k := reflect.New(kt).Elem()
|
||||||
if d.unmarshal(n.Content[i], k) {
|
if d.unmarshal(n.Content[i], k) {
|
||||||
|
if mergedFields != nil {
|
||||||
|
ki := k.Interface()
|
||||||
|
if mergedFields[ki] {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
mergedFields[ki] = true
|
||||||
|
}
|
||||||
kkind := k.Kind()
|
kkind := k.Kind()
|
||||||
if kkind == reflect.Interface {
|
if kkind == reflect.Interface {
|
||||||
kkind = k.Elem().Kind()
|
kkind = k.Elem().Kind()
|
||||||
|
@ -833,6 +850,12 @@ func (d *decoder) mapping(n *Node, out reflect.Value) (good bool) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
d.mergedFields = mergedFields
|
||||||
|
if mergeNode != nil {
|
||||||
|
d.merge(n, mergeNode, out)
|
||||||
|
}
|
||||||
|
|
||||||
d.stringMapType = stringMapType
|
d.stringMapType = stringMapType
|
||||||
d.generalMapType = generalMapType
|
d.generalMapType = generalMapType
|
||||||
return true
|
return true
|
||||||
|
@ -844,7 +867,8 @@ func isStringMap(n *Node) bool {
|
||||||
}
|
}
|
||||||
l := len(n.Content)
|
l := len(n.Content)
|
||||||
for i := 0; i < l; i += 2 {
|
for i := 0; i < l; i += 2 {
|
||||||
if n.Content[i].ShortTag() != strTag {
|
shortTag := n.Content[i].ShortTag()
|
||||||
|
if shortTag != strTag && shortTag != mergeTag {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -861,7 +885,6 @@ func (d *decoder) mappingStruct(n *Node, out reflect.Value) (good bool) {
|
||||||
var elemType reflect.Type
|
var elemType reflect.Type
|
||||||
if sinfo.InlineMap != -1 {
|
if sinfo.InlineMap != -1 {
|
||||||
inlineMap = out.Field(sinfo.InlineMap)
|
inlineMap = out.Field(sinfo.InlineMap)
|
||||||
inlineMap.Set(reflect.New(inlineMap.Type()).Elem())
|
|
||||||
elemType = inlineMap.Type().Elem()
|
elemType = inlineMap.Type().Elem()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -870,6 +893,9 @@ func (d *decoder) mappingStruct(n *Node, out reflect.Value) (good bool) {
|
||||||
d.prepare(n, field)
|
d.prepare(n, field)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
mergedFields := d.mergedFields
|
||||||
|
d.mergedFields = nil
|
||||||
|
var mergeNode *Node
|
||||||
var doneFields []bool
|
var doneFields []bool
|
||||||
if d.uniqueKeys {
|
if d.uniqueKeys {
|
||||||
doneFields = make([]bool, len(sinfo.FieldsList))
|
doneFields = make([]bool, len(sinfo.FieldsList))
|
||||||
|
@ -879,13 +905,20 @@ func (d *decoder) mappingStruct(n *Node, out reflect.Value) (good bool) {
|
||||||
for i := 0; i < l; i += 2 {
|
for i := 0; i < l; i += 2 {
|
||||||
ni := n.Content[i]
|
ni := n.Content[i]
|
||||||
if isMerge(ni) {
|
if isMerge(ni) {
|
||||||
d.merge(n.Content[i+1], out)
|
mergeNode = n.Content[i+1]
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
if !d.unmarshal(ni, name) {
|
if !d.unmarshal(ni, name) {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
if info, ok := sinfo.FieldsMap[name.String()]; ok {
|
sname := name.String()
|
||||||
|
if mergedFields != nil {
|
||||||
|
if mergedFields[sname] {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
mergedFields[sname] = true
|
||||||
|
}
|
||||||
|
if info, ok := sinfo.FieldsMap[sname]; ok {
|
||||||
if d.uniqueKeys {
|
if d.uniqueKeys {
|
||||||
if doneFields[info.Id] {
|
if doneFields[info.Id] {
|
||||||
d.terrors = append(d.terrors, fmt.Sprintf("line %d: field %s already set in type %s", ni.Line, name.String(), out.Type()))
|
d.terrors = append(d.terrors, fmt.Sprintf("line %d: field %s already set in type %s", ni.Line, name.String(), out.Type()))
|
||||||
|
@ -911,6 +944,11 @@ func (d *decoder) mappingStruct(n *Node, out reflect.Value) (good bool) {
|
||||||
d.terrors = append(d.terrors, fmt.Sprintf("line %d: field %s not found in type %s", ni.Line, name.String(), out.Type()))
|
d.terrors = append(d.terrors, fmt.Sprintf("line %d: field %s not found in type %s", ni.Line, name.String(), out.Type()))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
d.mergedFields = mergedFields
|
||||||
|
if mergeNode != nil {
|
||||||
|
d.merge(n, mergeNode, out)
|
||||||
|
}
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -918,19 +956,29 @@ func failWantMap() {
|
||||||
failf("map merge requires map or sequence of maps as the value")
|
failf("map merge requires map or sequence of maps as the value")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (d *decoder) merge(n *Node, out reflect.Value) {
|
func (d *decoder) merge(parent *Node, merge *Node, out reflect.Value) {
|
||||||
switch n.Kind {
|
mergedFields := d.mergedFields
|
||||||
|
if mergedFields == nil {
|
||||||
|
d.mergedFields = make(map[interface{}]bool)
|
||||||
|
for i := 0; i < len(parent.Content); i += 2 {
|
||||||
|
k := reflect.New(ifaceType).Elem()
|
||||||
|
if d.unmarshal(parent.Content[i], k) {
|
||||||
|
d.mergedFields[k.Interface()] = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
switch merge.Kind {
|
||||||
case MappingNode:
|
case MappingNode:
|
||||||
d.unmarshal(n, out)
|
d.unmarshal(merge, out)
|
||||||
case AliasNode:
|
case AliasNode:
|
||||||
if n.Alias != nil && n.Alias.Kind != MappingNode {
|
if merge.Alias != nil && merge.Alias.Kind != MappingNode {
|
||||||
failWantMap()
|
failWantMap()
|
||||||
}
|
}
|
||||||
d.unmarshal(n, out)
|
d.unmarshal(merge, out)
|
||||||
case SequenceNode:
|
case SequenceNode:
|
||||||
// Step backwards as earlier nodes take precedence.
|
for i := 0; i < len(merge.Content); i++ {
|
||||||
for i := len(n.Content) - 1; i >= 0; i-- {
|
ni := merge.Content[i]
|
||||||
ni := n.Content[i]
|
|
||||||
if ni.Kind == AliasNode {
|
if ni.Kind == AliasNode {
|
||||||
if ni.Alias != nil && ni.Alias.Kind != MappingNode {
|
if ni.Alias != nil && ni.Alias.Kind != MappingNode {
|
||||||
failWantMap()
|
failWantMap()
|
||||||
|
@ -943,6 +991,8 @@ func (d *decoder) merge(n *Node, out reflect.Value) {
|
||||||
default:
|
default:
|
||||||
failWantMap()
|
failWantMap()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
d.mergedFields = mergedFields
|
||||||
}
|
}
|
||||||
|
|
||||||
func isMerge(n *Node) bool {
|
func isMerge(n *Node) bool {
|
||||||
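Review bot: In `mapping()` and `merge()` the new `mergedFields` set is a `map[interface{}]bool` indexed with `k.Interface()`, and Go panics at runtime when an interface-typed map key holds an unhashable dynamic value such as a slice or a map. If a YAML mapping key can decode to a sequence or mapping at this point (plausible when the key type is `interface{}`; the `kkind` handling that follows the new check in `mapping()` continues outside the hunk, so this is not confirmed from the visible lines), untrusted input would produce a runtime panic instead of a decode error. It is worth confirming upstream that the decoder's recover path converts this into an error, or guarding the insert in `merge()`, for example `if kk := k.Elem().Kind(); kk != reflect.Map && kk != reflect.Slice { d.mergedFields[k.Interface()] = true }`. Because this copy is vendored, the change belongs in gopkg.in/yaml.v3 rather than here; callers that decode untrusted YAML should recover from decoder panics at the service boundary.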
|
|
|
@ -687,6 +687,9 @@ func yaml_parser_parse_node(parser *yaml_parser_t, event *yaml_event_t, block, i
|
||||||
func yaml_parser_parse_block_sequence_entry(parser *yaml_parser_t, event *yaml_event_t, first bool) bool {
|
func yaml_parser_parse_block_sequence_entry(parser *yaml_parser_t, event *yaml_event_t, first bool) bool {
|
||||||
if first {
|
if first {
|
||||||
token := peek_token(parser)
|
token := peek_token(parser)
|
||||||
|
if token == nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
parser.marks = append(parser.marks, token.start_mark)
|
parser.marks = append(parser.marks, token.start_mark)
|
||||||
skip_token(parser)
|
skip_token(parser)
|
||||||
}
|
}
|
||||||
|
@ -786,7 +789,7 @@ func yaml_parser_split_stem_comment(parser *yaml_parser_t, stem_len int) {
|
||||||
}
|
}
|
||||||
|
|
||||||
token := peek_token(parser)
|
token := peek_token(parser)
|
||||||
if token.typ != yaml_BLOCK_SEQUENCE_START_TOKEN && token.typ != yaml_BLOCK_MAPPING_START_TOKEN {
|
if token == nil || token.typ != yaml_BLOCK_SEQUENCE_START_TOKEN && token.typ != yaml_BLOCK_MAPPING_START_TOKEN {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -813,6 +816,9 @@ func yaml_parser_split_stem_comment(parser *yaml_parser_t, stem_len int) {
|
||||||
func yaml_parser_parse_block_mapping_key(parser *yaml_parser_t, event *yaml_event_t, first bool) bool {
|
func yaml_parser_parse_block_mapping_key(parser *yaml_parser_t, event *yaml_event_t, first bool) bool {
|
||||||
if first {
|
if first {
|
||||||
token := peek_token(parser)
|
token := peek_token(parser)
|
||||||
|
if token == nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
parser.marks = append(parser.marks, token.start_mark)
|
parser.marks = append(parser.marks, token.start_mark)
|
||||||
skip_token(parser)
|
skip_token(parser)
|
||||||
}
|
}
|
||||||
|
@ -922,6 +928,9 @@ func yaml_parser_parse_block_mapping_value(parser *yaml_parser_t, event *yaml_ev
|
||||||
func yaml_parser_parse_flow_sequence_entry(parser *yaml_parser_t, event *yaml_event_t, first bool) bool {
|
func yaml_parser_parse_flow_sequence_entry(parser *yaml_parser_t, event *yaml_event_t, first bool) bool {
|
||||||
if first {
|
if first {
|
||||||
token := peek_token(parser)
|
token := peek_token(parser)
|
||||||
|
if token == nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
parser.marks = append(parser.marks, token.start_mark)
|
parser.marks = append(parser.marks, token.start_mark)
|
||||||
skip_token(parser)
|
skip_token(parser)
|
||||||
}
|
}
|
||||||
|
|
|
@ -608,7 +608,7 @@ gopkg.in/inf.v0
|
||||||
# gopkg.in/yaml.v2 v2.4.0
|
# gopkg.in/yaml.v2 v2.4.0
|
||||||
## explicit; go 1.15
|
## explicit; go 1.15
|
||||||
gopkg.in/yaml.v2
|
gopkg.in/yaml.v2
|
||||||
# gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
|
# gopkg.in/yaml.v3 v3.0.1
|
||||||
## explicit
|
## explicit
|
||||||
gopkg.in/yaml.v3
|
gopkg.in/yaml.v3
|
||||||
# k8s.io/api v0.23.5
|
# k8s.io/api v0.23.5
|
||||||
|
|