
full diffs:

- https://github.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.33.0
- https://github.com/golang/protobuf/compare/v1.5.3...v1.5.4

From the Go security announcement list:

> Version v1.33.0 of the google.golang.org/protobuf module fixes a bug in
> the google.golang.org/protobuf/encoding/protojson package which could cause
> the Unmarshal function to enter an infinite loop when handling some invalid
> inputs.
>
> This condition could only occur when unmarshaling into a message which contains
> a google.protobuf.Any value, or when the UnmarshalOptions.UnmarshalUnknown
> option is set. Unmarshal now correctly returns an error when handling these
> inputs.
>
> This is CVE-2024-24786.

In a follow-up post:

> A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
> option is set (as well as when unmarshaling into any message which contains a
> google.protobuf.Any). There is no UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (https://github.com/golang/protobuf/issues/1596) Users of the older
> module should update to github.com/golang/protobuf@v1.5.4.

govulncheck results in our code:

    govulncheck ./...
    Scanning your code and 1221 packages across 204 dependent modules for known vulnerabilities...

    === Symbol Results ===

    Vulnerability #1: GO-2024-2611
        Infinite loop in JSON unmarshaling in google.golang.org/protobuf
      More info: https://pkg.go.dev/vuln/GO-2024-2611
      Module: google.golang.org/protobuf
        Found in: google.golang.org/protobuf@v1.31.0
        Fixed in: google.golang.org/protobuf@v1.33.0
        Example traces found:
          #1: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls json.Decoder.Peek
          #2: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls json.Decoder.Read
          #3: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls protojson.Unmarshal

    Your code is affected by 1 vulnerability from 1 module.
    This scan found no other vulnerabilities in packages you import or modules you require.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
45 lines
1.4 KiB
Go
// Copyright 2018 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package proto

import (
	"google.golang.org/protobuf/internal/errors"
	"google.golang.org/protobuf/reflect/protoreflect"
)

// Message is the top-level interface that all messages must implement.
// It provides access to a reflective view of a message.
// Any implementation of this interface may be used with all functions in the
// protobuf module that accept a Message, except where otherwise specified.
//
// This is the v2 interface definition for protobuf messages.
// The v1 interface definition is [github.com/golang/protobuf/proto.Message].
//
//   - To convert a v1 message to a v2 message,
//     use [google.golang.org/protobuf/protoadapt.MessageV2Of].
//   - To convert a v2 message to a v1 message,
//     use [google.golang.org/protobuf/protoadapt.MessageV1Of].
type Message = protoreflect.ProtoMessage

// Error matches all errors produced by packages in the protobuf module
// according to [errors.Is].
//
// Example usage:
//
//	if errors.Is(err, proto.Error) { ... }
var Error error

func init() {
	Error = errors.Error
}

// MessageName returns the full name of m.
// If m is nil, it returns an empty string.
func MessageName(m Message) protoreflect.FullName {
	if m == nil {
		return ""
	}
	return m.ProtoReflect().Descriptor().FullName()
}
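Review bot: the vendored proto.go now documents the v1/v2 bridge through google.golang.org/protobuf/protoadapt (MessageV1Of / MessageV2Of), and the commit message itself records that v1.33.0 is incompatible with the older github.com/golang/protobuf module (golang/protobuf#1596) unless that module is at v1.5.4; please confirm this same commit bumps github.com/golang/protobuf to v1.5.4 in go.mod and vendor/modules.txt (the second "full diffs" link suggests it is intended), otherwise the vendored tree pairs a v1.33.0 runtime with a v1 shim it no longer supports. It would also help to state in the message that the only affected call path found by govulncheck is the gcplogs driver's logging.Client.Ping reaching protojson.Unmarshal, so reviewers know the blast radius is the GCP log driver rather than core daemon code.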