vendor: Bump docker/cli

This allows us to rely on the upstream yaml.v2 library as it includes a mitigation for malicious YAML files (see: kubernetes/kubernetes#83253). Signed-off-by: Christopher Crone <christopher.crone@docker.com>
docker · Oct 1, 2019 · 90470cf · 90470cf
1 parent 93e0d2b
commit 90470cf
Show file tree

Hide file tree

Showing 9 changed files with 73 additions and 66 deletions.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/Gopkg.toml b/Gopkg.toml
@@ -37,7 +37,7 @@ required = ["github.com/wadey/gocovmerge"]
 
 [[override]]
   name = "github.com/docker/cli"
-  revision = "83751b978155dc889c35e0e49654f76e7cf8d951"
+  revision = "d83cd90464377d4164c8f70248d064b979e5ca98"
 
 [[override]]
   name = "github.com/deislabs/cnab-go"
@@ -96,13 +96,6 @@ required = ["github.com/wadey/gocovmerge"]
   name = "k8s.io/client-go"
   revision = "kubernetes-1.14.1"
 
-# This is using a fork waiting for go-yaml/yaml#375 to be merged
-# This PR allows to set a max decoded value, thus not being exposed to yaml bombs
-[[override]]
-  name = "gopkg.in/yaml.v2"
-  source = "https://github.com/simonferquel/yaml"
-  revision = "c86e64ed9581b7588e736f0c3e6ecc02cc22996e"
-
 [[override]]
   name = "github.com/opencontainers/runtime-spec"
   revision = "29686dbc5559d93fb1ef402eeda3e35c38d75af4"

diff --git a/internal/yaml/yaml.go b/internal/yaml/yaml.go
@@ -7,16 +7,12 @@ import (
 	"gopkg.in/yaml.v2"
 )
 
-const (
-	maxDecodedValues = 1000000
-)
-
 // Unmarshal decodes the first document found within the in byte slice
 // and assigns decoded values into the out value.
 //
 // See gopkg.in/yaml.v2 documentation
 func Unmarshal(in []byte, out interface{}) error {
-	d := yaml.NewDecoder(bytes.NewBuffer(in), yaml.WithLimitDecodedValuesCount(maxDecodedValues))
+	d := yaml.NewDecoder(bytes.NewBuffer(in))
 	err := d.Decode(out)
 	if err == io.EOF {
 		return nil
@@ -37,5 +33,5 @@ func Marshal(in interface{}) ([]byte, error) {
 //
 // See gopkg.in/yaml.v2 documentation
 func NewDecoder(r io.Reader) *yaml.Decoder {
-	return yaml.NewDecoder(r, yaml.WithLimitDecodedValuesCount(maxDecodedValues))
+	return yaml.NewDecoder(r)
 }
diff --git a/internal/yaml/yaml_test.go b/internal/yaml/yaml_test.go
@@ -21,7 +21,7 @@ h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
 i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]`)
 	d := NewDecoder(bytes.NewBuffer(data))
 	err := d.Decode(&v)
-	assert.ErrorContains(t, err, "yaml: exceeded max number of decoded values (1000000)")
+	assert.ErrorContains(t, err, "yaml: document contains excessive aliasing")
 }
 
 func TestUnmarshalYamlBomb(t *testing.T) {
@@ -37,5 +37,5 @@ g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
 h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
 i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]`)
 	err := Unmarshal(data, &v)
-	assert.ErrorContains(t, err, "yaml: exceeded max number of decoded values (1000000)")
+	assert.ErrorContains(t, err, "yaml: document contains excessive aliasing")
 }
diff --git a/vendor/github.com/docker/cli/cli/config/config.go b/vendor/github.com/docker/cli/cli/config/config.go
diff --git a/vendor/gopkg.in/yaml.v2/decode.go b/vendor/gopkg.in/yaml.v2/decode.go
diff --git a/vendor/gopkg.in/yaml.v2/encode.go b/vendor/gopkg.in/yaml.v2/encode.go
diff --git a/vendor/gopkg.in/yaml.v2/resolve.go b/vendor/gopkg.in/yaml.v2/resolve.go
diff --git a/vendor/gopkg.in/yaml.v2/yaml.go b/vendor/gopkg.in/yaml.v2/yaml.go