chore(deps): update module github.com/oapi-codegen/oapi-codegen/v2 to v2.7.2 #118

Open
renovate-bot wants to merge 1 commit from renovate/github.com-oapi-codegen-oapi-codegen-v2-2.x into master
Collaborator

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/oapi-codegen/oapi-codegen/v2 v2.7.1v2.7.2 age adoption passing confidence

Release Notes

oapi-codegen/oapi-codegen (github.com/oapi-codegen/oapi-codegen/v2)

v2.7.2: More fixes for code injection issues

Compare Source

String escaping fixes due to more code injection issues

We've had two more code injection issues reported in oapi-codegen, thanks @​Gal3M, @​mrostamipoor for these findings.

These specific issues are now patches in the main branch and in this v2.7.2 release.

You shouldn't blindly trust OpenAPI specs

This code wasn't originally written assuming code generation from random specs from the internet, and it never took any measures to protect itself from malicious specifications, the assumption being that you control your specification, and that you actually look over generated code.

For example, all these RCE exploits rely on using the package init() function in the generated code to run some malicious code at package startup. A way to test for this is to see whether an init() function is emitted, which we currently don't do.

When working with OpenAPI specifications, especially specs you find on remote servers, you should download the spec locally, run some kind of spec validator on it, like openapi-spec-validator, and only then feed it into oapi-codegen. We're very permissive in accepting broken specifications, intentionally, since people feed a lot of garbage input, but this flexibility also makes us weak to these kinds of attacks. There are hundreds of injection sites in oapi-codegen based on my survey.

For the next minor release, v2.8.0, we're going to validate the spec before code generation (#​2435), however, since this introduces a new set of failure modes, I don't want to include it in a maintenance release version. The future release is resilient against many forms of injection, and the spec validation has the added benefit that it can generate meaningful error messages for garbage input, where currently, we generate non-compiling code.

Until then, please do sanity checks on your input specifications, on the generated output, and don't fetch specs from the internet in your build, commit both the spec locally into your source control, and go through code review. In our repo, we've hooked up Greptile to catch issues like this, and you should also use some code quality tool. We can't possibly protect against every kind of attack with simple heuristics.

Sponsors

We would like to thank our sponsors for their support during this release.

DevZero logo

Cybozu logo

We'd also like to thank Greptile for allowing our project to use their code review system.

Greptile logo


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Adoption](https://docs.renovatebot.com/merge-confidence/) | [Passing](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---|---|---| | [github.com/oapi-codegen/oapi-codegen/v2](https://github.com/oapi-codegen/oapi-codegen) | `v2.7.1` → `v2.7.2` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2foapi-codegen%2foapi-codegen%2fv2/v2.7.2?slim=true) | ![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2foapi-codegen%2foapi-codegen%2fv2/v2.7.2?slim=true) | ![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2foapi-codegen%2foapi-codegen%2fv2/v2.7.1/v2.7.2?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2foapi-codegen%2foapi-codegen%2fv2/v2.7.1/v2.7.2?slim=true) | --- ### Release Notes <details> <summary>oapi-codegen/oapi-codegen (github.com/oapi-codegen/oapi-codegen/v2)</summary> ### [`v2.7.2`](https://github.com/oapi-codegen/oapi-codegen/releases/tag/v2.7.2): More fixes for code injection issues [Compare Source](https://github.com/oapi-codegen/oapi-codegen/compare/v2.7.1...v2.7.2) ### String escaping fixes due to more code injection issues We've had two more code injection issues reported in `oapi-codegen`, thanks [@&#8203;Gal3M](https://github.com/Gal3M), [@&#8203;mrostamipoor](https://github.com/mrostamipoor) for these findings. - <https://github.com/oapi-codegen/oapi-codegen/security/advisories/GHSA-jwgf-6xff-4hvp> - <https://github.com/oapi-codegen/oapi-codegen/security/advisories/GHSA-xrqw-w576-xgj2> These specific issues are now patches in the main branch and in this v2.7.2 release. #### You shouldn't blindly trust OpenAPI specs This code wasn't originally written assuming code generation from random specs from the internet, and it never took any measures to protect itself from malicious specifications, the assumption being that you control your specification, and that you actually look over generated code. For example, all these RCE exploits rely on using the package `init()` function in the generated code to run some malicious code at package startup. A way to test for this is to see whether an `init()` function is emitted, which we currently don't do. When working with OpenAPI specifications, especially specs you find on remote servers, you should download the spec locally, run some kind of spec validator on it, like [openapi-spec-validator](https://openapi-spec-validator.readthedocs.io/en/latest/), and only then feed it into oapi-codegen. We're very permissive in accepting broken specifications, intentionally, since people feed a lot of garbage input, but this flexibility also makes us weak to these kinds of attacks. There are hundreds of injection sites in `oapi-codegen` based on my survey. For the next minor release, `v2.8.0`, we're going to validate the spec before code generation ([#&#8203;2435](https://github.com/oapi-codegen/oapi-codegen/pull/2435)), however, since this introduces a new set of failure modes, I don't want to include it in a maintenance release version. The future release is resilient against many forms of injection, and the spec validation has the added benefit that it can generate meaningful error messages for garbage input, where currently, we generate non-compiling code. Until then, please do sanity checks on your input specifications, on the generated output, and don't fetch specs from the internet in your build, commit both the spec locally into your source control, and go through code review. In our repo, we've hooked up [Greptile](https://www.greptile.com/) to catch issues like this, and you should also use some code quality tool. We can't possibly protect against every kind of attack with simple heuristics. #### Sponsors We would like to thank our sponsors for their support during this release. <p align="center"> <a href="https://www.devzero.io/lp/dev-environment?utm_campaign=github&utm_source=oapi-codegen%20repo&utm_medium=github%20sponsorship"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/oapi-codegen/oapi-codegen/v2.6.0/.github/sponsors/devzero-light.svg"> <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/oapi-codegen/oapi-codegen/v2.6.0/.github/sponsors/devzero-dark.svg"> <img alt="DevZero logo" src="https://raw.githubusercontent.com/oapi-codegen/oapi-codegen/v2.6.0/.github/sponsors/devzero-dark.svg" height="100px"> </picture> </a> </p> <p align="center"> <a href="https://cybozu.co.jp/?utm_source=oapi-codegen+repo&utm_medium=github+sponsorship"> <img alt="Cybozu logo" src="https://raw.githubusercontent.com/oapi-codegen/oapi-codegen/v2.6.0/.github/sponsors/cybozu.svg" height="100px"> </a> </p> We'd also like to thank Greptile for allowing our project to use their code review system. <p align="center"> <a href="https://www.greptile.com"> <img alt="Greptile logo" src="https://github.com/oapi-codegen/oapi-codegen/blob/main/.github/sponsors/greptile-wordmark-light.svg" height="75px"> </a> </p> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMDQuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIwNC4xIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=-->
chore(deps): update module github.com/oapi-codegen/oapi-codegen/v2 to v2.7.2
Some checks failed
renovate/artifacts Artifact file update failure
73b3c50a54
Author
Collaborator

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go get -t ./...
go: git.happydns.org/happyDeliver/internal/api imports
	git.happydns.org/happyDeliver/internal/model: cannot find module providing package git.happydns.org/happyDeliver/internal/model

### ⚠️ Artifact update problem Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is. ♻ Renovate will retry this branch, including artifacts, only when one of the following happens: - any of the package files in this branch needs updating, or - the branch becomes conflicted, or - you click the rebase/retry checkbox if found above, or - you rename this PR's title to start with "rebase!" to trigger it manually The artifact failure details are included below: ##### File name: go.sum ``` Command failed: go get -t ./... go: git.happydns.org/happyDeliver/internal/api imports git.happydns.org/happyDeliver/internal/model: cannot find module providing package git.happydns.org/happyDeliver/internal/model ```
Some checks failed
renovate/artifacts Artifact file update failure
This pull request can be merged automatically.
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin renovate/github.com-oapi-codegen-oapi-codegen-v2-2.x:renovate/github.com-oapi-codegen-oapi-codegen-v2-2.x
git switch renovate/github.com-oapi-codegen-oapi-codegen-v2-2.x

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch master
git merge --no-ff renovate/github.com-oapi-codegen-oapi-codegen-v2-2.x
git switch renovate/github.com-oapi-codegen-oapi-codegen-v2-2.x
git rebase master
git switch master
git merge --ff-only renovate/github.com-oapi-codegen-oapi-codegen-v2-2.x
git switch renovate/github.com-oapi-codegen-oapi-codegen-v2-2.x
git rebase master
git switch master
git merge --no-ff renovate/github.com-oapi-codegen-oapi-codegen-v2-2.x
git switch master
git merge --squash renovate/github.com-oapi-codegen-oapi-codegen-v2-2.x
git switch master
git merge --ff-only renovate/github.com-oapi-codegen-oapi-codegen-v2-2.x
git switch master
git merge renovate/github.com-oapi-codegen-oapi-codegen-v2-2.x
git push origin master
Sign in to join this conversation.
No reviewers
No labels
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
happyDomain/happyDeliver!118
No description provided.