Merge pull request #346 from vdemeester/use-patched-yaml-package

Make docker/app not exposed to yaml bomb

Author: Vincent Demeester

Gopkg.lock

@@ -73,6 +73,13 @@ required = ["github.com/wadey/gocovmerge"]
   name = "google.golang.org/grpc"
   revision = "v1.3.0"
 
+# This is using a fork waiting for go-yaml/yaml#375 to be merged
+# This PR allows to set a max decoded value, thus not being exposed to yaml bombs
+[[override]]
+  name = "gopkg.in/yaml.v2"
+  source = "https://github.com/simonferquel/yaml"
+  revision="c86e64ed9581b7588e736f0c3e6ecc02cc22996e"
+
 [[constraint]]
   name = "github.com/spf13/pflag"
   branch = "master"

Gopkg.toml

@@ -6,13 +6,13 @@ import (
 
 	"github.com/docker/app/internal"
 	"github.com/docker/app/internal/packager"
+	"github.com/docker/app/internal/yaml"
 	"github.com/docker/app/render"
 	"github.com/docker/app/types"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	cliopts "github.com/docker/cli/opts"
 	"github.com/spf13/cobra"
-	"gopkg.in/yaml.v2"
 )
 
 var (

cmd/docker-app/render.go

@@ -7,7 +7,7 @@ import (
 	"strings"
 	"testing"
 
-	"gopkg.in/yaml.v2"
+	"github.com/docker/app/internal/yaml"
 	"gotest.tools/assert"
 )
 

e2e/render_test.go

@@ -15,6 +15,7 @@ import (
 	"github.com/docker/app/internal/helm/templatev1beta2"
 	"github.com/docker/app/internal/settings"
 	"github.com/docker/app/internal/slices"
+	"github.com/docker/app/internal/yaml"
 	"github.com/docker/app/render"
 	"github.com/docker/app/types"
 	"github.com/docker/app/types/metadata"
@@ -23,7 +24,6 @@ import (
 	"github.com/docker/cli/kubernetes/compose/v1beta1"
 	"github.com/docker/cli/kubernetes/compose/v1beta2"
 	"github.com/pkg/errors"
-	yaml "gopkg.in/yaml.v2"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 

internal/helm/helm.go

@@ -7,10 +7,10 @@ import (
 	"text/tabwriter"
 
 	"github.com/docker/app/internal/settings"
+	"github.com/docker/app/internal/yaml"
 	"github.com/docker/app/types"
 	"github.com/docker/app/types/metadata"
 	"github.com/pkg/errors"
-	yaml "gopkg.in/yaml.v2"
 )
 
 // Inspect dumps the metadata of an app

internal/inspect/inspect.go

@@ -9,10 +9,10 @@ import (
 	"strings"
 
 	"github.com/docker/app/internal"
+	"github.com/docker/app/internal/yaml"
 	"github.com/docker/app/types/metadata"
 	"github.com/pkg/errors"
 	log "github.com/sirupsen/logrus"
-	yaml "gopkg.in/yaml.v2"
 )
 
 // Fork pulls an application and creates a local fork for the user to modify

internal/packager/fork.go

@@ -13,6 +13,7 @@ import (
 
 	"github.com/docker/app/internal"
 	"github.com/docker/app/internal/compose"
+	"github.com/docker/app/internal/yaml"
 	"github.com/docker/app/loader"
 	"github.com/docker/app/render"
 	"github.com/docker/app/types"
@@ -22,7 +23,6 @@ import (
 	"github.com/docker/cli/opts"
 	"github.com/pkg/errors"
 	log "github.com/sirupsen/logrus"
-	"gopkg.in/yaml.v2"
 )
 
 func prependToFile(filename, text string) error {

internal/packager/init.go

@@ -12,11 +12,11 @@ import (
 	"strings"
 
 	"github.com/docker/app/internal"
+	"github.com/docker/app/internal/yaml"
 	"github.com/docker/app/types"
 	"github.com/docker/app/types/metadata"
 	"github.com/docker/distribution/reference"
 	"github.com/pkg/errors"
-	yaml "gopkg.in/yaml.v2"
 )
 
 // Save saves an app to docker and returns the image name.

internal/packager/registry.go

@@ -6,9 +6,9 @@ import (
 	"strings"
 
 	"github.com/docker/app/internal/renderer"
+	"github.com/docker/app/internal/yaml"
 	"github.com/docker/app/internal/yatee"
 	"github.com/pkg/errors"
-	yaml "gopkg.in/yaml.v2"
 )
 
 func init() {