knadh / koanf

Simple, extremely lightweight, extensible, configuration management library for Go. Support for JSON, TOML, YAML, env, command line, file, S3 etc. Alternative to viper.


Address critical vulnerability CVE-2022-3920

maumontesilva opened this issue · comments

Describe the bug

The latest koanf version is vulnerable to CVE-2022-3920. This issue is introduced by the following dependency.

Expected behavior

Update dependency to version 1.18.0

Please provide the following information:

  • Koanf Version v1.5.0

Additional context

I have a PR ready to fix this issue. Shall I submit it?

Thank you for reporting this. Please do send the PR.

@knadh I have submitted the following PR

#197

Please let me know whether I need to do anything else.

@knadh I have just noticed that the test failed in the pipeline, and it seems that the changes require at least Go 1.17. Based on the go.mod file, koanf is using version 1.14, correct?

imo such heavyweight dependencies should be externalized. A CVE in config parsing already shows that they don't belong in the core library:
s3,
vault,
consul,
etcd.

@maumontesilva that's correct. Have maintained v1.14 to ensure backwards compatibility.

@jxsl13 indeed. This is already planned. Please see #180 (comment). Continuing this discussion there.

@knadh So, the project direction is to externalize these dependencies into a different repo, correct? Does that mean my PR does not make sense, or is this direction more of a north star (long term)?

Shall I close my PR?

Since the PR involves an update that isn't compatible with koanf's Go v1.14 support, we can close it. Externalizing the dependencies is something we can do in the next few days so that the consul vulnerability can be addressed, and because it was pending anyway.

@knadh I have just closed the PR. I will leave the defect open until the issue is fixed by the other PR. Does it make sense?

@knadh Any news about the work to externalize the dependencies? Is there any way that I can help?

https://github.com/knadh/koanf-test/

^ Almost done. Should be able to finish it today or tomorrow.

#199

Ready to merge. Please test.

@knadh First of all thanks!!

I will test it and report back

@knadh I have tested v2 in my env and the changes look good.

@knadh What are the next steps now? I mean, is there any deadline to publish a new official release?


Tested and all's good

@knadh I saw that the PR with the v2 changes was merged. Is there any plan to create a new release for it?

@knadh Thanks a lot!! Quick question: I noticed that the provider modules such as env kept the reference to koanf and not koanf/v2 (i.e. github.com/knadh/koanf/providers/env instead of github.com/knadh/koanf/v2/providers/env). Is it intentional?

Yes, that's correct. The core module is now v2. The newly created independent provider/parser modules are not.
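The security argument running through this thread (a consul client CVE reaching every koanf v1 consumer, and the v2 split into a core module plus independent provider modules removing it from consumers that never load consul) is the kind of thing worth checking against `go mod graph` rather than taking on faith. The program below is an added illustration, not code from koanf or this issue: it walks `go mod graph` text and lists every dependency chain from the root module to a target module path, which is what `go mod why -m` reports. The two graphs are constructed for the example; `example.com/app` is a hypothetical consumer, koanf `v1.5.0` is the version named in the report, and every other version string is a `vX` placeholder rather than a real release.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed `go mod graph` output for a hypothetical app pinned to koanf
// v1.5.0 (the version from this issue). Module versions marked vX are
// placeholders, not real releases; the edges only illustrate that the v1
// core module pulled in the consul, vault and S3 clients for everyone.
const graphBefore = `example.com/app github.com/knadh/koanf@v1.5.0
example.com/app golang.org/x/text@vX
github.com/knadh/koanf@v1.5.0 github.com/hashicorp/consul/api@vX
github.com/knadh/koanf@v1.5.0 github.com/hashicorp/vault/api@vX
github.com/knadh/koanf@v1.5.0 github.com/aws/aws-sdk-go-v2@vX
github.com/hashicorp/consul/api@vX github.com/hashicorp/go-hclog@vX
`

// Constructed graph for the same app after the split: the core module is
// github.com/knadh/koanf/v2 and the env provider is its own module at
// github.com/knadh/koanf/providers/env (both paths as stated in the thread).
// Nothing here imports the consul client, so it is absent from the graph.
const graphAfter = `example.com/app github.com/knadh/koanf/v2@vX
example.com/app github.com/knadh/koanf/providers/env@vX
example.com/app golang.org/x/text@vX
github.com/knadh/koanf/providers/env@vX github.com/knadh/koanf/v2@vX
`

// parseGraph turns `go mod graph` text into an adjacency list keyed by
// "path@version" (the root module carries no version, as in real output).
func parseGraph(text string) map[string][]string {
	edges := map[string][]string{}
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue // skip blank or malformed lines
		}
		edges[f[0]] = append(edges[f[0]], f[1])
	}
	return edges
}

// modulePath strips the @version suffix so targets can be matched by path.
func modulePath(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// PathsTo returns every dependency chain from root to a node whose module
// path equals target, root first. A per-path visited set guards against
// cycles, which `go mod graph` can legitimately contain.
func PathsTo(graph, root, target string) [][]string {
	edges := parseGraph(graph)
	var out [][]string
	var walk func(node string, trail []string, seen map[string]bool)
	walk = func(node string, trail []string, seen map[string]bool) {
		trail = append(trail, node)
		if modulePath(node) == target {
			out = append(out, append([]string(nil), trail...)) // copy: trail is reused
			return
		}
		if seen[node] {
			return
		}
		seen[node] = true
		for _, next := range edges[node] {
			walk(next, trail, seen)
		}
		delete(seen, node)
	}
	walk(root, nil, map[string]bool{})
	return out
}

func main() {
	const target = "github.com/hashicorp/consul/api"
	for _, g := range []struct{ name, graph string }{
		{"koanf v1 (before split)", graphBefore},
		{"koanf/v2 + providers/env (after split)", graphAfter},
	} {
		paths := PathsTo(g.graph, "example.com/app", target)
		fmt.Printf("%s: %d chain(s) reach %s\n", g.name, len(paths), target)
		for _, p := range paths {
			fmt.Println("  " + strings.Join(p, " -> "))
		}
	}
}
```

On a real module, run `go mod graph | tee graph.txt` and feed the file to `PathsTo`, or just use `go mod why -m github.com/hashicorp/consul/api` directly; the point of the walk is to show that after the split the vulnerable client only appears in the graph of consumers that import the consul provider module, so a fix there no longer has to wait on the core module's Go version floor.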