fix(deps): replace gopkg.in/yaml.v3 with github.com/goccy/go-yaml
CI / test (pull_request) Successful in 18s
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 46s
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m38s
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m49s
CI / test (pull_request) Successful in 18s
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 46s
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m38s
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m49s
Fixes #87. PR #58 incorrectly added gopkg.in/yaml.v3 (abandoned library) instead of github.com/goccy/go-yaml as required by issue #57. Changes: - Replace gopkg.in/yaml.v3 with github.com/goccy/go-yaml v1.19.2 - Update review/persona.go to use goccy/go-yaml API: - parser.ParseBytes for AST-based depth/node count checking - yaml.Strict() decoder option instead of KnownFields(true) - ast.Node types instead of yaml.Node for tree walking - Update review/persona_test.go to use ast types for cycle tests - Remove gopkg.in/yaml.v3 from go.mod and go.sum All existing YAML tests pass with the new library.
This commit is contained in:
claw
+29
-31
@@ -7,7 +7,7 @@ import (
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"gopkg.in/yaml.v3"
|
||||
"github.com/goccy/go-yaml/ast"
|
||||
)
|
||||
|
||||
func TestLoadBuiltinPersona(t *testing.T) {
|
||||
@@ -459,7 +459,7 @@ func TestYAMLDeeplyNestedRejection(t *testing.T) {
|
||||
path := filepath.Join(dir, "deeply-nested.yaml")
|
||||
|
||||
// Build a deeply nested YAML structure that exceeds MaxYAMLDepth (20).
|
||||
// Each level adds 2 to the depth count (key + value mapping).
|
||||
// Each level adds to the depth count via mapping values.
|
||||
var sb strings.Builder
|
||||
sb.WriteString("name: test\nidentity: test\nnested:\n")
|
||||
indent := " "
|
||||
@@ -505,30 +505,29 @@ func TestYAMLFileSizeLimit(t *testing.T) {
|
||||
func TestYAMLAliasCycleDetection(t *testing.T) {
|
||||
// Test that our checkYAMLDepth function handles alias cycles gracefully
|
||||
// by using the seen map to prevent infinite recursion.
|
||||
// We test this directly because go-yaml's parser handles most cycles
|
||||
// at parse time, but we need to ensure our checker is robust.
|
||||
|
||||
// Create a node structure where an alias points to a parent node,
|
||||
// simulating what could happen with malicious input that bypasses
|
||||
// go-yaml's cycle detection.
|
||||
parent := &yaml.Node{
|
||||
Kind: yaml.MappingNode,
|
||||
Content: []*yaml.Node{
|
||||
{Kind: yaml.ScalarNode, Value: "name"},
|
||||
{Kind: yaml.ScalarNode, Value: "test"},
|
||||
{Kind: yaml.ScalarNode, Value: "nested"},
|
||||
// simulating what could happen with crafted input.
|
||||
parent := &ast.MappingNode{
|
||||
Values: []*ast.MappingValueNode{
|
||||
{
|
||||
Key: &ast.StringNode{Value: "name"},
|
||||
Value: &ast.StringNode{Value: "test"},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
// Create a child that aliases back to the parent (artificial cycle)
|
||||
aliasToParent := &yaml.Node{
|
||||
Kind: yaml.AliasNode,
|
||||
Alias: parent,
|
||||
aliasToParent := &ast.AliasNode{
|
||||
Value: parent,
|
||||
}
|
||||
parent.Content = append(parent.Content, aliasToParent)
|
||||
parent.Values = append(parent.Values, &ast.MappingValueNode{
|
||||
Key: &ast.StringNode{Value: "nested"},
|
||||
Value: aliasToParent,
|
||||
})
|
||||
|
||||
nodeCount := 0
|
||||
seen := make(map[*yaml.Node]struct{})
|
||||
seen := make(map[ast.Node]struct{})
|
||||
|
||||
// This should NOT hang or stack overflow - the seen map prevents infinite recursion
|
||||
err := checkYAMLDepth(parent, 0, MaxYAMLDepth, MaxYAMLNodes, seen, &nodeCount)
|
||||
@@ -594,27 +593,26 @@ func TestYAMLNodeCountLimit(t *testing.T) {
|
||||
func TestCheckYAMLDepthCycleDetectionDirect(t *testing.T) {
|
||||
// Direct test of cycle detection in checkYAMLDepth by creating
|
||||
// a node structure with an artificial cycle.
|
||||
// This tests the seen map logic independent of go-yaml's parsing.
|
||||
node := &yaml.Node{
|
||||
Kind: yaml.MappingNode,
|
||||
Content: []*yaml.Node{
|
||||
{Kind: yaml.ScalarNode, Value: "key"},
|
||||
{Kind: yaml.ScalarNode, Value: "value"},
|
||||
node := &ast.MappingNode{
|
||||
Values: []*ast.MappingValueNode{
|
||||
{
|
||||
Key: &ast.StringNode{Value: "key"},
|
||||
Value: &ast.StringNode{Value: "value"},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
// Create a cycle by making a child reference the parent
|
||||
cycleChild := &yaml.Node{
|
||||
Kind: yaml.AliasNode,
|
||||
Alias: node, // Points back to the parent
|
||||
cycleChild := &ast.AliasNode{
|
||||
Value: node, // Points back to the parent
|
||||
}
|
||||
node.Content = append(node.Content,
|
||||
&yaml.Node{Kind: yaml.ScalarNode, Value: "cyclic"},
|
||||
cycleChild,
|
||||
)
|
||||
node.Values = append(node.Values, &ast.MappingValueNode{
|
||||
Key: &ast.StringNode{Value: "cyclic"},
|
||||
Value: cycleChild,
|
||||
})
|
||||
|
||||
nodeCount := 0
|
||||
seen := make(map[*yaml.Node]struct{})
|
||||
seen := make(map[ast.Node]struct{})
|
||||
err := checkYAMLDepth(node, 0, MaxYAMLDepth, MaxYAMLNodes, seen, &nodeCount)
|
||||
|
||||
// Should complete without infinite recursion due to cycle detection
|
||||
|
||||
Reference in New Issue
Block a user