Fix: Upgrade gopkg.in/yaml.v2 to gopkg.in/yaml.v3 due to security issue

An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input. https://nvd.nist.gov/vuln/detail/CVE-2022-28948 go-yaml/yaml#666
Teamwork · May 26, 2022 · cf184d7 · cf184d7
1 parent d062f3c
commit cf184d7
Show file tree

Hide file tree

Showing 28 changed files with 3,203 additions and 1,669 deletions.
diff --git a/docparse/jsonschema.go b/docparse/jsonschema.go
@@ -11,7 +11,7 @@ import (
 
 	"github.com/teamwork/utils/goutil"
 	"github.com/teamwork/utils/sliceutil"
-	yaml "gopkg.in/yaml.v2"
+	yaml "gopkg.in/yaml.v3"
 )
 
 // The Schema Object allows the definition of input and output data types.

diff --git a/go.mod b/go.mod
@@ -8,6 +8,7 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/teamwork/test v0.0.0-20181126061546-2ff8918eb6a4
 	github.com/teamwork/utils v0.0.0-20190114034940-d6a1f27ce92c
-	gopkg.in/yaml.v2 v2.2.2
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.0
 	zgo.at/sconfig v1.2.2-0.20211017232425-870f818a71b7
 )
diff --git a/go.sum b/go.sum
@@ -1,5 +1,3 @@
-arp242.net/sconfig v0.0.0-20180901013357-c014d3b7a101 h1:V6CYq+es2ncUeJ2jzJxWVviAs7iNW/jvPb4+3LHOXsE=
-arp242.net/sconfig v0.0.0-20180901013357-c014d3b7a101/go.mod h1:s7teWAlHUlC2xRICC2FKERk6kQBI9lREHKRfWIWF+lA=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/imdario/mergo v0.3.7 h1:Y+UAYTZ7gDEuOfhxKWy+dvb5dRQ6rJjFSdX2HZY1/gI=
@@ -12,7 +10,9 @@ github.com/teamwork/utils v0.0.0-20190114034940-d6a1f27ce92c h1:5/hkqtufOyLP25ta
 github.com/teamwork/utils v0.0.0-20190114034940-d6a1f27ce92c/go.mod h1:rmPaJUVv426LGg3QR31m1N0bfpCdCVyh3dCWsJTQeDA=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0 h1:hjy8E9ON/egN1tAYqKb61G10WtihqetD4sz2H+8nIeA=
+gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 zgo.at/sconfig v1.2.2-0.20211017232425-870f818a71b7 h1:fw2yuIGMHzSRYrZUVOt/c1O/igkJIXorj/FNCg+tg2E=
 zgo.at/sconfig v1.2.2-0.20211017232425-870f818a71b7/go.mod h1:RXEBQABoIc7RnagqaT+7BHU81g1okqSLeND/YJLZiDE=
diff --git a/html/html.go b/html/html.go
@@ -9,7 +9,7 @@ import (
 	"os"
 
 	"github.com/teamwork/kommentaar/docparse"
-	yaml "gopkg.in/yaml.v2"
+	yaml "gopkg.in/yaml.v3"
 )
 
 var funcMap = template.FuncMap{

diff --git a/openapi2/openapi2.go b/openapi2/openapi2.go
@@ -14,7 +14,7 @@ import (
 	"github.com/imdario/mergo"
 	"github.com/teamwork/kommentaar/docparse"
 	"github.com/teamwork/utils/goutil"
-	yaml "gopkg.in/yaml.v2"
+	yaml "gopkg.in/yaml.v3"
 )
 
 type (

diff --git a/vendor/gopkg.in/yaml.v2/.travis.yml b/vendor/gopkg.in/yaml.v2/.travis.yml
diff --git a/vendor/gopkg.in/yaml.v2/LICENSE b/vendor/gopkg.in/yaml.v2/LICENSE