
Commit 3ed0054

committed
fix(serializer): disable MsgpackSerializer and remove shamaton/msgpack dependency
Disable Marshal and Unmarshal in MsgpackSerializer by converting them into stubs that return errors. This addresses a security concern in the upstream shamaton/msgpack library (ref: shamaton/msgpack#60). The type is marked deprecated and will be removed in a future release.

- Remove github.com/shamaton/msgpack/v3 from go.mod
- Bump github.com/hyp3rd/ewrap from v1.3.8 to v1.3.9
1 parent 87a1384 commit 3ed0054

3 files changed

Lines changed: 29 additions & 17 deletions


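--- a/go.mod
+++ b/go.mod
@@ -6,11 +6,10 @@ require (
 github.com/cespare/xxhash/v2 v2.3.0
 github.com/goccy/go-json v0.10.6
 github.com/gofiber/fiber/v3 v3.1.0
-github.com/hyp3rd/ewrap v1.3.8
+github.com/hyp3rd/ewrap v1.3.9
 github.com/hyp3rd/sectools v1.2.3
 github.com/longbridgeapp/assert v1.1.0
 github.com/redis/go-redis/v9 v9.18.0
-github.com/shamaton/msgpack/v3 v3.1.0
 github.com/ugorji/go/codec v1.3.1
 go.opentelemetry.io/otel v1.43.0
 go.opentelemetry.io/otel/metric v1.43.0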

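--- a/go.sum
+++ b/go.sum
@@ -29,8 +29,8 @@ github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/hyp3rd/ewrap v1.3.8 h1:36IYDgSWI5wG85G+CIwE7WvU5xi+FJvT8KWR8YVT+cA=
-github.com/hyp3rd/ewrap v1.3.8/go.mod h1:ly3lreW7OWbBaX9I4zTKqctJlf9uxNQiUD5zXl2vz4g=
+github.com/hyp3rd/ewrap v1.3.9 h1:4vtnxji/aJdnyR2dfl93R/uYcGrNdi93EbV/r5BYalk=
+github.com/hyp3rd/ewrap v1.3.9/go.mod h1:2AgfjKPZjfBxvlTrbdWrNZzxV3jqmcOHg38aKyXvxpQ=
 github.com/hyp3rd/sectools v1.2.3 h1:XElGIhLOWPJxVLyLPzfKASYjs+3yEkDN48JeSw/Wvjo=
 github.com/hyp3rd/sectools v1.2.3/go.mod h1:iwl65boK1VNhwvRNSQDItdD5xon8W1l+ox4JFTe5WbI=
 github.com/klauspost/compress v1.18.5 h1:/h1gH5Ce+VWNLSWqPzOVn6XBO+vJbCNGvjoaGBFW2IE=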

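--- a/internal/libs/serializer/msgpack.go
+++ b/internal/libs/serializer/msgpack.go
@@ -2,31 +2,44 @@ package serializer
 
 import (
 "github.com/hyp3rd/ewrap"
-"github.com/shamaton/msgpack/v3"
 )
 
 // MsgpackSerializer leverages `msgpack` to serialize the items before storing them in the cache.
+//
+// Deprecated: This serializer is now a shim and will be removed in a future release for security reasons.
+// REF: https://github.com/shamaton/msgpack/pull/60
+// Please use the `Marshal` method of the `Serializer` interface instead.
 type MsgpackSerializer struct{}
 
 // Marshal serializes the given value into a byte slice.
 // @param v.
-func (*MsgpackSerializer) Marshal(v any) ([]byte, error) { // receiver omitted (unused)
-data, err := msgpack.Marshal(&v)
-if err != nil {
-return nil, ewrap.Wrap(err, "failed to marshal msgpack")
-}
+//
+// Deprecated: This method is now a shim and will be removed in a future release for security reasons.
+// REF: https://github.com/shamaton/msgpack/pull/60
+// Please use the `Marshal` method of the `Serializer` interface instead.
+func (*MsgpackSerializer) Marshal(_ any) ([]byte, error) { // receiver omitted (unused)
+// data, err := msgpack.Marshal(&v)
+// if err != nil {
+// return nil, ewrap.Wrap(err, "failed to marshal msgpack")
+// }
 
-return data, nil
+// return data, nil
+return nil, ewrap.New("msgpack serialization is deprecated and has been disabled for security reasons")
 }
 
 // Unmarshal deserializes the given byte slice into the given value.
 // @param data
 // @param v.
-func (*MsgpackSerializer) Unmarshal(data []byte, v any) error { // receiver omitted (unused)
-err := msgpack.Unmarshal(data, v)
-if err != nil {
-return ewrap.Wrap(err, "failed to unmarshal msgpack")
-}
+//
+// Deprecated: This method is now a shim and will be removed in a future release for security reasons.
+// REF: https://github.com/shamaton/msgpack/pull/60
+// Please use the `Marshal` method of the `Serializer` interface instead.
+func (*MsgpackSerializer) Unmarshal(_ []byte, _ any) error { // receiver omitted (unused)
+// err := msgpack.Unmarshal(data, v)
+// if err != nil {
+// return ewrap.Wrap(err, "failed to unmarshal msgpack")
+// }
 
-return nil
+// return nil
+return ewrap.New("msgpack deserialization is deprecated and has been disabled for security reasons")
 }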
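Review bot: The Unmarshal doc block (new line 36) tells callers to use the `Marshal` method of the `Serializer` interface, which reads as a copy-paste of the Marshal comment; that line should name `Unmarshal` instead. The leading sentence of both method comments ("Marshal serializes the given value…", "Unmarshal deserializes…") is now false because both stubs unconditionally return an error, so I would reword them to state that, e.g. `// Marshal always returns an error: msgpack support has been disabled.`. Both stubs construct a fresh error on every call, so callers cannot detect the disabled serializer with errors.Is; a package-level sentinel such as `var ErrMsgpackDisabled = errors.New("msgpack serialization is disabled")` returned (or wrapped) from both methods would make that testable, assuming ewrap errors participate in the standard unwrap chain. The commented-out bodies referencing msgpack.Marshal/Unmarshal are dead now that the module is gone from go.mod and can simply be deleted, since git history preserves them.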
