fix(yaml): remediate insecure/archived buildkite lib in favor of go-y…
…aml v3 (#386)

Co-authored-by: David May <[email protected]>
ecrupper and wass3rw3rk authored Aug 26, 2024
1 parent 772b29b commit 76a66e7
Showing 15 changed files with 49 additions and 51 deletions.
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -4,11 +4,11 @@ go 1.21.9

require (
github.com/adhocore/gronx v1.8.1
github.com/buildkite/yaml v0.0.0-20181016232759-0caa5f0796e3
github.com/drone/envsubst v1.0.3
github.com/ghodss/yaml v1.0.0
github.com/lib/pq v1.10.9
github.com/microcosm-cc/bluemonday v1.0.26
gopkg.in/yaml.v3 v3.0.1
)

require (
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -2,8 +2,6 @@ github.com/adhocore/gronx v1.8.1 h1:F2mLTG5sB11z7vplwD4iydz3YCEjstSfYmCrdSm3t6A=
github.com/adhocore/gronx v1.8.1/go.mod h1:7oUY1WAU8rEJWmAxXR2DN0JaO4gi9khSgKjiRypqteg=
github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
github.com/buildkite/yaml v0.0.0-20181016232759-0caa5f0796e3 h1:q+sMKdA6L8LyGVudTkpGoC73h6ak2iWSPFiFo/pFOU8=
github.com/buildkite/yaml v0.0.0-20181016232759-0caa5f0796e3/go.mod h1:5hCug3EZaHXU3FdCA3gJm0YTNi+V+ooA2qNTiVpky4A=
github.com/drone/envsubst v1.0.3 h1:PCIBwNDYjs50AsLZPYdfhSATKaRg/FJmDc2D6+C2x8g=
github.com/drone/envsubst v1.0.3/go.mod h1:N2jZmlMufstn1KEqvbHjw40h1KyTmnVzHcSc9bFiJ2g=
github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
Expand All @@ -29,3 +27,5 @@ gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogR
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
2 changes: 1 addition & 1 deletion library/string.go
Expand Up @@ -7,8 +7,8 @@ import (
"strconv"
"strings"

"github.com/buildkite/yaml"
json "github.com/ghodss/yaml"
"gopkg.in/yaml.v3"
)

// ToString is a helper function to convert
2 changes: 1 addition & 1 deletion raw/map_test.go
Expand Up @@ -8,7 +8,7 @@ import (
"reflect"
"testing"

"github.com/buildkite/yaml"
"gopkg.in/yaml.v3"
)

func TestRaw_StringSliceMap_UnmarshalJSON(t *testing.T) {
2 changes: 1 addition & 1 deletion raw/slice_test.go
Expand Up @@ -7,7 +7,7 @@ import (
"reflect"
"testing"

"github.com/buildkite/yaml"
"gopkg.in/yaml.v3"
)

func TestRaw_StringSlice_UnmarshalJSON(t *testing.T) {
2 changes: 1 addition & 1 deletion yaml/build_test.go
Expand Up @@ -7,7 +7,7 @@ import (
"reflect"
"testing"

"github.com/buildkite/yaml"
"gopkg.in/yaml.v3"

"github.com/go-vela/types/library"
"github.com/go-vela/types/raw"
2 changes: 1 addition & 1 deletion yaml/ruleset_test.go
Expand Up @@ -7,7 +7,7 @@ import (
"reflect"
"testing"

"github.com/buildkite/yaml"
"gopkg.in/yaml.v3"

"github.com/go-vela/types/pipeline"
)
2 changes: 1 addition & 1 deletion yaml/secret_test.go
Expand Up @@ -7,7 +7,7 @@ import (
"reflect"
"testing"

"github.com/buildkite/yaml"
"gopkg.in/yaml.v3"

"github.com/go-vela/types/pipeline"
)
2 changes: 1 addition & 1 deletion yaml/service_test.go
Expand Up @@ -7,7 +7,7 @@ import (
"reflect"
"testing"

"github.com/buildkite/yaml"
"gopkg.in/yaml.v3"

"github.com/go-vela/types/pipeline"
"github.com/go-vela/types/raw"
61 changes: 29 additions & 32 deletions yaml/stage.go
Expand Up @@ -5,7 +5,7 @@ package yaml
import (
"fmt"

"github.com/buildkite/yaml"
"gopkg.in/yaml.v3"

"github.com/go-vela/types/pipeline"
"github.com/go-vela/types/raw"
Expand Down Expand Up @@ -50,33 +50,27 @@ func (s *StageSlice) ToPipeline() *pipeline.StageSlice {
}

// UnmarshalYAML implements the Unmarshaler interface for the StageSlice type.
func (s *StageSlice) UnmarshalYAML(unmarshal func(interface{}) error) error {
// map slice we try unmarshalling to
mapSlice := new(yaml.MapSlice)

// attempt to unmarshal as a map slice type
err := unmarshal(mapSlice)
if err != nil {
return err
func (s *StageSlice) UnmarshalYAML(v *yaml.Node) error {
if v.Kind != yaml.MappingNode {
return fmt.Errorf("invalid yaml: expected map node for stage")
}

// iterate through each element in the map slice
for _, v := range *mapSlice {
// stage we try unmarshalling to
stage := new(Stage)
for i := 0; i < len(v.Content); i += 2 {
key := v.Content[i]
value := v.Content[i+1]

// marshal interface value from ordered map
out, _ := yaml.Marshal(v.Value)
stage := new(Stage)

// unmarshal interface value as stage
err = yaml.Unmarshal(out, stage)
// unmarshal value into stage
err := value.Decode(stage)
if err != nil {
return err
}

// implicitly set stage `name` if empty
if len(stage.Name) == 0 {
stage.Name = fmt.Sprintf("%v", v.Key)
stage.Name = fmt.Sprintf("%v", key.Value)
}

// implicitly set the stage `needs`
Expand All @@ -102,25 +96,28 @@ func (s *StageSlice) UnmarshalYAML(unmarshal func(interface{}) error) error {

// MarshalYAML implements the marshaler interface for the StageSlice type.
func (s StageSlice) MarshalYAML() (interface{}, error) {
// map slice to return as marshaled output
var output yaml.MapSlice
output := new(yaml.Node)
output.Kind = yaml.MappingNode

// loop over the input stages
for _, inputStage := range s {
// create a new stage
outputStage := new(Stage)

// add the existing needs to the new stage
outputStage.Needs = inputStage.Needs

// add the existing dependent tag to the new stage
outputStage.Independent = inputStage.Independent
n := new(yaml.Node)

// create new stage with existing properties
outputStage := &Stage{
Name: inputStage.Name,
Needs: inputStage.Needs,
Independent: inputStage.Independent,
Steps: inputStage.Steps,
}

// add the existing steps to the new stage
outputStage.Steps = inputStage.Steps
err := n.Encode(outputStage)
if err != nil {
return nil, err
}

// append stage to MapSlice
output = append(output, yaml.MapItem{Key: inputStage.Name, Value: outputStage})
// append stage to map output
output.Content = append(output.Content, &yaml.Node{Kind: yaml.ScalarNode, Value: inputStage.Name})
output.Content = append(output.Content, n)
}

return output, nil
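Review bot: In UnmarshalYAML the implicit stage name is read from `key.Value`, which yaml.v3 only fills for scalar nodes, so a complex or alias key silently yields a stage with an empty name where the old `fmt.Sprintf("%v", v.Key)` at least rendered the key; I would reject it at the top of the loop with `if key.Kind != yaml.ScalarNode { return fmt.Errorf("invalid yaml: expected scalar key for stage name, got node kind %v", key.Kind) }`. Because the method now walks the raw node tree, duplicate stage keys in the mapping are not detected either and would produce two stages with the same name — I believe the previous MapSlice path had the same gap, but a uniqueness check on `key.Value` here is cheap and deserves at least a comment. The `fmt.Errorf` with a constant string in the first guard is better written as `errors.New`, which would need `errors` added to the import block in the first hunk. The body of UnmarshalYAML continues past the hunk (the `needs` handling), and the MarshalYAML hunk below is also cut at its end.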
11 changes: 6 additions & 5 deletions yaml/stage_test.go
Expand Up @@ -7,7 +7,8 @@ import (
"reflect"
"testing"

"github.com/buildkite/yaml"
"github.com/google/go-cmp/cmp"
"gopkg.in/yaml.v3"

"github.com/go-vela/types/pipeline"
)
Expand Down Expand Up @@ -287,8 +288,8 @@ func TestYaml_StageSlice_UnmarshalYAML(t *testing.T) {
t.Errorf("UnmarshalYAML returned err: %v", err)
}

if !reflect.DeepEqual(got, test.want) {
t.Errorf("UnmarshalYAML is %v, want %v", got, test.want)
if diff := cmp.Diff(test.want, got); diff != "" {
t.Errorf("(Unmarshal mismatch: -want +got):\n%s", diff)
}
}
}
Expand Down Expand Up @@ -413,8 +414,8 @@ func TestYaml_StageSlice_MarshalYAML(t *testing.T) {
t.Errorf("UnmarshalYAML returned err: %v", err)
}

if !reflect.DeepEqual(got2, test.want) {
t.Errorf("MarshalYAML is %v, want %v", got2, test.want)
if diff := cmp.Diff(got2, test.want); diff != "" {
t.Errorf("(Marshal mismatch: -got +want):\n%s", diff)
}
}
}
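Review bot: The two new cmp.Diff calls pass their arguments in opposite orders — `cmp.Diff(test.want, got)` in the Unmarshal test and `cmp.Diff(got2, test.want)` in the Marshal test — so the -/+ sides of the two failure messages flip, which makes CI output harder to read than it needs to be. I would follow the go-cmp convention (want first) in both places: `if diff := cmp.Diff(test.want, got2); diff != "" {` with `t.Errorf("(Marshal mismatch: -want +got):\n%s", diff)`. The go.mod hunk shown does not list github.com/google/go-cmp, so it presumably sits in the collapsed second require block; worth confirming it is declared as a direct dependency. Both enclosing test functions start and end outside the hunks.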
2 changes: 1 addition & 1 deletion yaml/step_test.go
Expand Up @@ -7,7 +7,7 @@ import (
"reflect"
"testing"

"github.com/buildkite/yaml"
"gopkg.in/yaml.v3"

"github.com/go-vela/types/pipeline"
"github.com/go-vela/types/raw"
2 changes: 1 addition & 1 deletion yaml/template_test.go
Expand Up @@ -7,7 +7,7 @@ import (
"reflect"
"testing"

"github.com/buildkite/yaml"
"gopkg.in/yaml.v3"

"github.com/go-vela/types/library"
)
2 changes: 1 addition & 1 deletion yaml/ulimit_test.go
Expand Up @@ -7,7 +7,7 @@ import (
"reflect"
"testing"

"github.com/buildkite/yaml"
"gopkg.in/yaml.v3"

"github.com/go-vela/types/pipeline"
)
2 changes: 1 addition & 1 deletion yaml/volume_test.go
Expand Up @@ -7,7 +7,7 @@ import (
"reflect"
"testing"

"github.com/buildkite/yaml"
"gopkg.in/yaml.v3"

"github.com/go-vela/types/pipeline"
)
