Upgrade gopkg.in/yaml to v3

Fixes vulnerability: GHSA-hp87-p4gw-j4gq YAML v3 deserializes maps as map[string]interface{} so we handle this in MapImportSource now. Signed-off-by: Jesse Szwedko <jesse@szwedko.me>
urfave · Jun 18, 2022 · ee07560 · ee07560
1 parent e576ba4
commit ee07560
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 8 deletions.
diff --git a/altsrc/map_input_source.go b/altsrc/map_input_source.go
@@ -32,11 +32,19 @@ func nestedVal(name string, tree map[interface{}]interface{}) (interface{}, bool
 			if !ok {
 				return nil, false
 			}
-			ctype, ok := child.(map[interface{}]interface{})
-			if !ok {
+
+			switch child := child.(type) {
+			case map[string]interface{}:
+				m := make(map[interface{}]interface{}, len(child))
+				for k, v := range child {
+					m[k] = v
+				}
+				node = m
+			case map[interface{}]interface{}:
+				node = child
+			default:
 				return nil, false
 			}
-			node = ctype
 		}
 		if val, ok := node[sections[len(sections)-1]]; ok {
 			return val, true

diff --git a/altsrc/yaml_file_loader.go b/altsrc/yaml_file_loader.go
@@ -11,7 +11,7 @@ import (
 
 	"github.com/urfave/cli/v2"
 
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 )
 
 type yamlSourceContext struct {

diff --git a/go.mod b/go.mod
@@ -7,7 +7,7 @@ require (
 	github.com/cpuguy83/go-md2man/v2 v2.0.1
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673
 	golang.org/x/text v0.3.7
-	gopkg.in/yaml.v2 v2.4.0
+	gopkg.in/yaml.v3 v3.0.1
 )
 
 require github.com/russross/blackfriday/v2 v2.1.0 // indirect
diff --git a/go.sum b/go.sum
@@ -12,5 +12,5 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e h1:FDhOuMEY4JVRztM/gsbk+IK
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/internal/genflags/cmd/genflags/main.go b/internal/genflags/cmd/genflags/main.go
@@ -15,7 +15,7 @@ import (
 
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/internal/genflags"
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 )
 
 const (