
full diffs:

- https://github.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.33.0
- https://github.com/golang/protobuf/compare/v1.5.3...v1.5.4

From the Go security announcement list;

> Version v1.33.0 of the google.golang.org/protobuf module fixes a bug in
> the google.golang.org/protobuf/encoding/protojson package which could cause
> the Unmarshal function to enter an infinite loop when handling some invalid
> inputs.
>
> This condition could only occur when unmarshaling into a message which contains
> a google.protobuf.Any value, or when the UnmarshalOptions.UnmarshalUnknown
> option is set. Unmarshal now correctly returns an error when handling these
> inputs.
>
> This is CVE-2024-24786.

In a follow-up post;

> A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
> option is set (as well as when unmarshaling into any message which contains a
> google.protobuf.Any). There is no UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (https://github.com/golang/protobuf/issues/1596) Users of the older
> module should update to github.com/golang/protobuf@v1.5.4.

govulncheck results in our code:

    govulncheck ./...
    Scanning your code and 1221 packages across 204 dependent modules for known vulnerabilities...

    === Symbol Results ===

    Vulnerability #1: GO-2024-2611
        Infinite loop in JSON unmarshaling in google.golang.org/protobuf
      More info: https://pkg.go.dev/vuln/GO-2024-2611
      Module: google.golang.org/protobuf
        Found in: google.golang.org/protobuf@v1.31.0
        Fixed in: google.golang.org/protobuf@v1.33.0
        Example traces found:
          #1: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls json.Decoder.Peek
          #2: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls json.Decoder.Read
          #3: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls protojson.Unmarshal

    Your code is affected by 1 vulnerability from 1 module.
    This scan found no other vulnerabilities in packages you import or modules you require.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
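The two version floors the commit message establishes (google.golang.org/protobuf at v1.33.0 for GO-2024-2611 / CVE-2024-24786, and github.com/golang/protobuf at v1.5.4 for the compatibility follow-up), checked mechanically against a go.mod: an added example, not code from the commit or from the protobuf project. It assumes plain semver `require` lines (no pseudo-versions) and a `sort` that supports `-V`; the two go.mod files it reads are constructed inline.

```shell
#!/bin/sh
# Added example, not part of the commit or of the protobuf module: flag a go.mod
# whose google.golang.org/protobuf is below v1.33.0 (GO-2024-2611 / CVE-2024-24786)
# or whose github.com/golang/protobuf is below v1.5.4 (the compatibility fix).
# Assumptions: plain "module vX.Y.Z" require lines (no pseudo-versions), sort -V.

# semver_ge A B: succeeds when tag A is at or above tag B (leading "v" stripped).
semver_ge() {
    a=${1#v}; b=${2#v}
    [ "$(printf '%s\n%s\n' "$a" "$b" | sort -V | head -n1)" = "$b" ]
}

# required_version GOMOD MODULE: prints the version go.mod requires for MODULE
# (single-line or block "require" form), or nothing when it is not required.
required_version() {
    awk -v mod="$2" '$1 == mod { print $2; exit }
                     $1 == "require" && $2 == mod { print $3; exit }' "$1"
}

# check_module GOMOD MODULE FIXED: succeeds when MODULE is absent or >= FIXED.
check_module() {
    v=$(required_version "$1" "$2")
    if [ -z "$v" ]; then return 0; fi
    if semver_ge "$v" "$3"; then
        echo "ok: $2@$v (fixed in $3)"; return 0
    fi
    echo "NEEDS UPDATE: $2@$v is below $3"; return 1
}

# check_gomod GOMOD: succeeds only when both modules are at their fixed versions.
check_gomod() {
    rc=0
    check_module "$1" google.golang.org/protobuf v1.33.0 || rc=1
    check_module "$1" github.com/golang/protobuf v1.5.4 || rc=1
    return $rc
}

# Constructed go.mod files: one still on the affected versions, one after the bump.
OLD_GOMOD=$(mktemp); NEW_GOMOD=$(mktemp)
trap 'rm -f "$OLD_GOMOD" "$NEW_GOMOD"' EXIT
cat > "$OLD_GOMOD" <<'EOF'
module example.com/app
require (
	github.com/golang/protobuf v1.5.3
	google.golang.org/protobuf v1.31.0
)
EOF
printf 'module example.com/app\nrequire github.com/golang/protobuf v1.5.4\nrequire google.golang.org/protobuf v1.33.0\n' > "$NEW_GOMOD"
check_gomod "$OLD_GOMOD" || true; check_gomod "$NEW_GOMOD"   # first needs updates, second is clean
```

In a vendored tree like the one in this commit the same check can be pointed at vendor/modules.txt's `# module version` lines instead of go.mod, but note that govulncheck (as run above) is the more complete check because it also verifies whether the affected symbols are reachable.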
86 lines
3.2 KiB
Go
// Copyright 2019 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// Package proto provides functions operating on protocol buffer messages.
//
// For documentation on protocol buffers in general, see:
// https://protobuf.dev.
//
// For a tutorial on using protocol buffers with Go, see:
// https://protobuf.dev/getting-started/gotutorial.
//
// For a guide to generated Go protocol buffer code, see:
// https://protobuf.dev/reference/go/go-generated.
//
// # Binary serialization
//
// This package contains functions to convert to and from the wire format,
// an efficient binary serialization of protocol buffers.
//
//   - [Size] reports the size of a message in the wire format.
//
//   - [Marshal] converts a message to the wire format.
//     The [MarshalOptions] type provides more control over wire marshaling.
//
//   - [Unmarshal] converts a message from the wire format.
//     The [UnmarshalOptions] type provides more control over wire unmarshaling.
//
// # Basic message operations
//
//   - [Clone] makes a deep copy of a message.
//
//   - [Merge] merges the content of a message into another.
//
//   - [Equal] compares two messages. For more control over comparisons
//     and detailed reporting of differences, see package
//     [google.golang.org/protobuf/testing/protocmp].
//
//   - [Reset] clears the content of a message.
//
//   - [CheckInitialized] reports whether all required fields in a message are set.
//
// # Optional scalar constructors
//
// The API for some generated messages represents optional scalar fields
// as pointers to a value. For example, an optional string field has the
// Go type *string.
//
//   - [Bool], [Int32], [Int64], [Uint32], [Uint64], [Float32], [Float64], and [String]
//     take a value and return a pointer to a new instance of it,
//     to simplify construction of optional field values.
//
// Generated enum types usually have an Enum method which performs the
// same operation.
//
// Optional scalar fields are only supported in proto2.
//
// # Extension accessors
//
//   - [HasExtension], [GetExtension], [SetExtension], and [ClearExtension]
//     access extension field values in a protocol buffer message.
//
// Extension fields are only supported in proto2.
//
// # Related packages
//
//   - Package [google.golang.org/protobuf/encoding/protojson] converts messages to
//     and from JSON.
//
//   - Package [google.golang.org/protobuf/encoding/prototext] converts messages to
//     and from the text format.
//
//   - Package [google.golang.org/protobuf/reflect/protoreflect] provides a
//     reflection interface for protocol buffer data types.
//
//   - Package [google.golang.org/protobuf/testing/protocmp] provides features
//     to compare protocol buffer messages with the [github.com/google/go-cmp/cmp]
//     package.
//
//   - Package [google.golang.org/protobuf/types/dynamicpb] provides a dynamic
//     message type, suitable for working with messages where the protocol buffer
//     type is only known at runtime.
//
// This module contains additional packages for more specialized use cases.
// Consult the individual package documentation for details.
package proto