From 76a66e72d5dcba850471be2b350dc28aec8e9d45 Mon Sep 17 00:00:00 2001
From: Easton Crupper <65553218+ecrupper@users.noreply.github.com>
Date: Mon, 26 Aug 2024 10:15:37 -0400
Subject: [PATCH] fix(yaml): remediate insecure/archived buildkite lib in favor of go-yaml v3 (#386)
Co-authored-by: David May <49894298+wass3rw3rk@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 4 +--
 library/string.go | 2 +-
 raw/map_test.go | 2 +-
 raw/slice_test.go | 2 +-
 yaml/build_test.go | 2 +-
 yaml/ruleset_test.go | 2 +-
 yaml/secret_test.go | 2 +-
 yaml/service_test.go | 2 +-
 yaml/stage.go | 61 ++++++++++++++++++++-----------------------
 yaml/stage_test.go | 11 ++++----
 yaml/step_test.go | 2 +-
 yaml/template_test.go | 2 +-
 yaml/ulimit_test.go | 2 +-
 yaml/volume_test.go | 2 +-
 15 files changed, 49 insertions(+), 51 deletions(-)
diff --git a/go.mod b/go.mod
index 496f3ce4..d4e14cab 100644
--- a/go.mod
+++ b/go.mod
@@ -4,11 +4,11 @@ go 1.21.9
 require (
 github.com/adhocore/gronx v1.8.1
- github.com/buildkite/yaml v0.0.0-20181016232759-0caa5f0796e3
 github.com/drone/envsubst v1.0.3
 github.com/ghodss/yaml v1.0.0
 github.com/lib/pq v1.10.9
 github.com/microcosm-cc/bluemonday v1.0.26
+ gopkg.in/yaml.v3 v3.0.1
 )
 require (
diff --git a/go.sum b/go.sum
index 037bfbec..2e7ec40d 100644
--- a/go.sum
+++ b/go.sum
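Review bot: The `require` block keeps `github.com/ghodss/yaml v1.0.0`, and the go.sum hunk shows `gopkg.in/yaml.v2 v2.3.0` staying in the build through it, so an older YAML parser is still compiled in even though the direct import now goes to yaml.v3. If the goal in the subject is to retire unmaintained YAML libraries, ghodss/yaml (which appears to have had no release since v1.0.0; `sigs.k8s.io/yaml` is the maintained fork) deserves a follow-up, and `library/string.go` is the one caller this patch shows. Pinning v3.0.1 is the right floor: as far as I recall that is the release carrying the fix for the crafted-input panic in yaml.v3's Unmarshal (CVE-2022-28948).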
@@ -2,8 +2,6 @@ github.com/adhocore/gronx v1.8.1 h1:F2mLTG5sB11z7vplwD4iydz3YCEjstSfYmCrdSm3t6A=
 github.com/adhocore/gronx v1.8.1/go.mod h1:7oUY1WAU8rEJWmAxXR2DN0JaO4gi9khSgKjiRypqteg=
 github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
 github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
-github.com/buildkite/yaml v0.0.0-20181016232759-0caa5f0796e3 h1:q+sMKdA6L8LyGVudTkpGoC73h6ak2iWSPFiFo/pFOU8=
-github.com/buildkite/yaml v0.0.0-20181016232759-0caa5f0796e3/go.mod h1:5hCug3EZaHXU3FdCA3gJm0YTNi+V+ooA2qNTiVpky4A=
 github.com/drone/envsubst v1.0.3 h1:PCIBwNDYjs50AsLZPYdfhSATKaRg/FJmDc2D6+C2x8g=
 github.com/drone/envsubst v1.0.3/go.mod h1:N2jZmlMufstn1KEqvbHjw40h1KyTmnVzHcSc9bFiJ2g=
 github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
@@ -29,3 +27,5 @@ gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogR
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/library/string.go b/library/string.go
index 79dac91d..d431f6ac 100644
--- a/library/string.go
+++ b/library/string.go
@@ -7,8 +7,8 @@ import (
 "strconv"
 "strings"
- "github.com/buildkite/yaml"
 json "github.com/ghodss/yaml"
+ "gopkg.in/yaml.v3"
 )
 // ToString is a helper function to convert
diff --git a/raw/map_test.go b/raw/map_test.go
index 0494c8ed..918664a6 100644
--- a/raw/map_test.go
+++ b/raw/map_test.go
@@ -8,7 +8,7 @@ import (
 "reflect"
 "testing"
- "github.com/buildkite/yaml"
+ "gopkg.in/yaml.v3"
 )
 func TestRaw_StringSliceMap_UnmarshalJSON(t *testing.T) {
diff --git a/raw/slice_test.go b/raw/slice_test.go
index 7a32bd3d..0ae76f9d 100644
--- a/raw/slice_test.go
+++ b/raw/slice_test.go
@@ -7,7 +7,7 @@ import (
 "reflect"
 "testing"
- "github.com/buildkite/yaml"
+ "gopkg.in/yaml.v3"
 )
 func TestRaw_StringSlice_UnmarshalJSON(t *testing.T) {
diff --git a/yaml/build_test.go b/yaml/build_test.go
index dff6f171..8875d755 100644
--- a/yaml/build_test.go
+++ b/yaml/build_test.go
@@ -7,7 +7,7 @@ import (
 "reflect"
 "testing"
- "github.com/buildkite/yaml"
+ "gopkg.in/yaml.v3"
 "github.com/go-vela/types/library"
 "github.com/go-vela/types/raw"
diff --git a/yaml/ruleset_test.go b/yaml/ruleset_test.go
index 2d674c0f..2728c495 100644
--- a/yaml/ruleset_test.go
+++ b/yaml/ruleset_test.go
@@ -7,7 +7,7 @@ import (
 "reflect"
 "testing"
- "github.com/buildkite/yaml"
+ "gopkg.in/yaml.v3"
 "github.com/go-vela/types/pipeline"
 )
diff --git a/yaml/secret_test.go b/yaml/secret_test.go
index 62ad3291..8825a819 100644
--- a/yaml/secret_test.go
+++ b/yaml/secret_test.go
@@ -7,7 +7,7 @@ import (
 "reflect"
 "testing"
- "github.com/buildkite/yaml"
+ "gopkg.in/yaml.v3"
 "github.com/go-vela/types/pipeline"
 )
diff --git a/yaml/service_test.go b/yaml/service_test.go
index 1289095c..a4c8586c 100644
--- a/yaml/service_test.go
+++ b/yaml/service_test.go
@@ -7,7 +7,7 @@ import (
 "reflect"
 "testing"
- "github.com/buildkite/yaml"
+ "gopkg.in/yaml.v3"
 "github.com/go-vela/types/pipeline"
 "github.com/go-vela/types/raw"
diff --git a/yaml/stage.go b/yaml/stage.go
index 65943bd9..6cea7760 100644
--- a/yaml/stage.go
+++ b/yaml/stage.go
@@ -5,7 +5,7 @@ package yaml
 import (
 "fmt"
- "github.com/buildkite/yaml"
+ "gopkg.in/yaml.v3"
 "github.com/go-vela/types/pipeline"
 "github.com/go-vela/types/raw"
@@ -50,33 +50,27 @@ func (s *StageSlice) ToPipeline() *pipeline.StageSlice {
 }
 // UnmarshalYAML implements the Unmarshaler interface for the StageSlice type.
-func (s *StageSlice) UnmarshalYAML(unmarshal func(interface{}) error) error {
- // map slice we try unmarshalling to
- mapSlice := new(yaml.MapSlice)
-
- // attempt to unmarshal as a map slice type
- err := unmarshal(mapSlice)
- if err != nil {
- return err
+func (s *StageSlice) UnmarshalYAML(v *yaml.Node) error {
+ if v.Kind != yaml.MappingNode {
+ return fmt.Errorf("invalid yaml: expected map node for stage")
 }
 // iterate through each element in the map slice
- for _, v := range *mapSlice {
- // stage we try unmarshalling to
- stage := new(Stage)
+ for i := 0; i < len(v.Content); i += 2 {
+ key := v.Content[i]
+ value := v.Content[i+1]
- // marshal interface value from ordered map
- out, _ := yaml.Marshal(v.Value)
+ stage := new(Stage)
- // unmarshal interface value as stage
- err = yaml.Unmarshal(out, stage)
+ // unmarshal value into stage
+ err := value.Decode(stage)
 if err != nil {
 return err
 }
 // implicitly set stage `name` if empty
 if len(stage.Name) == 0 {
- stage.Name = fmt.Sprintf("%v", v.Key)
+ stage.Name = fmt.Sprintf("%v", key.Value)
 }
 // implicitly set the stage `needs`
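Review bot: `key.Value` is only populated for scalar keys, so a mapping, sequence or alias key in the new node walk leaves `stage.Name` empty without any error, whereas the replaced `fmt.Sprintf("%v", v.Key)` at least produced something printable. Guard before decoding with `if key.Kind != yaml.ScalarNode { return fmt.Errorf("invalid yaml: stage name must be a scalar (line %d)", key.Line) }`, and then use plain `stage.Name = key.Value`, since `Sprintf("%v", ...)` on a string is a no-op. Neither the old MapSlice path nor this loop rejects duplicate stage keys, so two stages can share a name; yaml.v3 would refuse that when decoding into a map, and this hand-rolled walk gives the check up unless it happens downstream. The message `expected map node for stage` describes the whole stages mapping, so `expected map node for stages` is more accurate. UnmarshalYAML continues past the end of this hunk.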
@@ -102,25 +96,28 @@ func (s *StageSlice) UnmarshalYAML(unmarshal func(interface{}) error) error {
 // MarshalYAML implements the marshaler interface for the StageSlice type.
 func (s StageSlice) MarshalYAML() (interface{}, error) {
- // map slice to return as marshaled output
- var output yaml.MapSlice
+ output := new(yaml.Node)
+ output.Kind = yaml.MappingNode
- // loop over the input stages
 for _, inputStage := range s {
- // create a new stage
- outputStage := new(Stage)
-
- // add the existing needs to the new stage
- outputStage.Needs = inputStage.Needs
-
- // add the existing dependent tag to the new stage
- outputStage.Independent = inputStage.Independent
+ n := new(yaml.Node)
+
+ // create new stage with existing properties
+ outputStage := &Stage{
+ Name: inputStage.Name,
+ Needs: inputStage.Needs,
+ Independent: inputStage.Independent,
+ Steps: inputStage.Steps,
+ }
- // add the existing steps to the new stage
- outputStage.Steps = inputStage.Steps
+ err := n.Encode(outputStage)
+ if err != nil {
+ return nil, err
+ }
- // append stage to MapSlice
- output = append(output, yaml.MapItem{Key: inputStage.Name, Value: outputStage})
+ // append stage to map output
+ output.Content = append(output.Content, &yaml.Node{Kind: yaml.ScalarNode, Value: inputStage.Name})
+ output.Content = append(output.Content, n)
 }
 return output, nil
diff --git a/yaml/stage_test.go b/yaml/stage_test.go
index 5cad3cb7..698bfd3b 100644
--- a/yaml/stage_test.go
+++ b/yaml/stage_test.go
@@ -7,7 +7,8 @@ import (
 "reflect"
 "testing"
- "github.com/buildkite/yaml"
+ "github.com/google/go-cmp/cmp"
+ "gopkg.in/yaml.v3"
 "github.com/go-vela/types/pipeline"
 )
@@ -287,8 +288,8 @@ func TestYaml_StageSlice_UnmarshalYAML(t *testing.T) {
 t.Errorf("UnmarshalYAML returned err: %v", err)
 }
- if !reflect.DeepEqual(got, test.want) {
- t.Errorf("UnmarshalYAML is %v, want %v", got, test.want)
+ if diff := cmp.Diff(test.want, got); diff != "" {
+ t.Errorf("(Unmarshal mismatch: -want +got):\n%s", diff)
 }
 }
 }
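Review bot: `outputStage` now sets `Name: inputStage.Name`, which the removed code left unset on purpose because the mapping key already carries the name, so every stage body will additionally emit a `name:` entry; if that duplication is not intended, drop the field from the literal. The key node is built with no `Tag`, and if I read yaml.v3's encoder correctly only an explicit string tag triggers quoting for names that resolve as another type (`123`, `true`, `on`), so consumers other than this package's own UnmarshalYAML would see a non-string key; `&yaml.Node{Kind: yaml.ScalarNode, Tag: "!!str", Value: inputStage.Name}` keeps the round-trip unambiguous. An empty StageSlice returns a MappingNode with nil Content, which I believe encodes as `{}` just as the old nil MapSlice did; a test case pinning that would make the migration's behaviour explicit.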
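Review bot: `github.com/google/go-cmp/cmp` becomes a direct import here, but the go.mod hunk in this patch only swaps buildkite/yaml for gopkg.in/yaml.v3 and adds nothing for go-cmp in the direct `require` block. If it is only listed as `// indirect` in the second block, `go mod tidy` will want to promote it; run tidy and commit the result so the new direct dependency is tracked explicitly.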
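Review bot: `cmp.Diff` panics on structs with unexported fields unless an option such as `cmpopts.IgnoreUnexported` or an `Equal` method is supplied, so this swap from `reflect.DeepEqual` silently assumes `Stage` and everything it nests stays fully exported — apparently true today since the test passes, but worth a note at the call site, e.g. `// cmp.Diff requires exported fields; add cmpopts if Stage ever gains unexported state`. The message wraps only part of itself in parentheses; `"Unmarshal mismatch (-want +got):\n%s"` reads cleaner.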
@@ -413,8 +414,8 @@ func TestYaml_StageSlice_MarshalYAML(t *testing.T) {
 t.Errorf("UnmarshalYAML returned err: %v", err)
 }
- if !reflect.DeepEqual(got2, test.want) {
- t.Errorf("MarshalYAML is %v, want %v", got2, test.want)
+ if diff := cmp.Diff(got2, test.want); diff != "" {
+ t.Errorf("(Marshal mismatch: -got +want):\n%s", diff)
 }
 }
 }
diff --git a/yaml/step_test.go b/yaml/step_test.go
index 686631a6..3ecc2240 100644
--- a/yaml/step_test.go
+++ b/yaml/step_test.go
@@ -7,7 +7,7 @@ import (
 "reflect"
 "testing"
- "github.com/buildkite/yaml"
+ "gopkg.in/yaml.v3"
 "github.com/go-vela/types/pipeline"
 "github.com/go-vela/types/raw"
diff --git a/yaml/template_test.go b/yaml/template_test.go
index e7f760cb..6599e2db 100644
--- a/yaml/template_test.go
+++ b/yaml/template_test.go
@@ -7,7 +7,7 @@ import (
 "reflect"
 "testing"
- "github.com/buildkite/yaml"
+ "gopkg.in/yaml.v3"
 "github.com/go-vela/types/library"
 )
diff --git a/yaml/ulimit_test.go b/yaml/ulimit_test.go
index dc6fdac6..66a96c62 100644
--- a/yaml/ulimit_test.go
+++ b/yaml/ulimit_test.go
@@ -7,7 +7,7 @@ import (
 "reflect"
 "testing"
- "github.com/buildkite/yaml"
+ "gopkg.in/yaml.v3"
 "github.com/go-vela/types/pipeline"
 )
diff --git a/yaml/volume_test.go b/yaml/volume_test.go
index 837703ad..3d711088 100644
--- a/yaml/volume_test.go
+++ b/yaml/volume_test.go
@@ -7,7 +7,7 @@ import (
 "reflect"
 "testing"
- "github.com/buildkite/yaml"
+ "gopkg.in/yaml.v3"
 "github.com/go-vela/types/pipeline"
 )
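Review bot: `cmp.Diff(got2, test.want)` reverses the argument order used by the UnmarshalYAML test earlier in this patch (`cmp.Diff(test.want, got)`) and cmp's own `(x, y)` → `-x +y` convention, so the `-got +want` label is correct but the two diffs read in opposite directions. Use `if diff := cmp.Diff(test.want, got2); diff != "" {` with `t.Errorf("Marshal mismatch (-want +got):\n%s", diff)` so both sites agree and the stray parentheses go away.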