From 3ed005441d9a4d4e7c1008b4fedeb0f22ba07797 Mon Sep 17 00:00:00 2001
From: "F."
Date: Sat, 4 Apr 2026 10:39:26 +0200
Subject: [PATCH 1/2] fix(serializer): disable MsgpackSerializer and remove shamaton/msgpack dependency

Disable Marshal and Unmarshal in MsgpackSerializer by converting them into stubs that return errors. This addresses a security concern in the upstream shamaton/msgpack library (ref: shamaton/msgpack#60). The type is marked deprecated and will be removed in a future release.

- Remove github.com/shamaton/msgpack/v3 from go.mod
- Bump github.com/hyp3rd/ewrap from v1.3.8 to v1.3.9
---
 go.mod | 3 +--
 go.sum | 4 +--
 internal/libs/serializer/msgpack.go | 39 +++++++++++++++++++----------
 3 files changed, 29 insertions(+), 17 deletions(-)
diff --git a/go.mod b/go.mod
index 5e216ad..cdebeb0 100644
--- a/go.mod
+++ b/go.mod
@@ -6,11 +6,10 @@ require (
 github.com/cespare/xxhash/v2 v2.3.0
 github.com/goccy/go-json v0.10.6
 github.com/gofiber/fiber/v3 v3.1.0
- github.com/hyp3rd/ewrap v1.3.8
+ github.com/hyp3rd/ewrap v1.3.9
 github.com/hyp3rd/sectools v1.2.3
 github.com/longbridgeapp/assert v1.1.0
 github.com/redis/go-redis/v9 v9.18.0
- github.com/shamaton/msgpack/v3 v3.1.0
 github.com/ugorji/go/codec v1.3.1
 go.opentelemetry.io/otel v1.43.0
 go.opentelemetry.io/otel/metric v1.43.0
diff --git a/go.sum b/go.sum
index cd9f2cb..53c8447 100644
--- a/go.sum
+++ b/go.sum
@@ -29,8 +29,8 @@ github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/hyp3rd/ewrap v1.3.8 h1:36IYDgSWI5wG85G+CIwE7WvU5xi+FJvT8KWR8YVT+cA=
-github.com/hyp3rd/ewrap v1.3.8/go.mod h1:ly3lreW7OWbBaX9I4zTKqctJlf9uxNQiUD5zXl2vz4g=
+github.com/hyp3rd/ewrap v1.3.9 h1:4vtnxji/aJdnyR2dfl93R/uYcGrNdi93EbV/r5BYalk=
+github.com/hyp3rd/ewrap v1.3.9/go.mod h1:2AgfjKPZjfBxvlTrbdWrNZzxV3jqmcOHg38aKyXvxpQ=
 github.com/hyp3rd/sectools v1.2.3 h1:XElGIhLOWPJxVLyLPzfKASYjs+3yEkDN48JeSw/Wvjo=
 github.com/hyp3rd/sectools v1.2.3/go.mod h1:iwl65boK1VNhwvRNSQDItdD5xon8W1l+ox4JFTe5WbI=
 github.com/klauspost/compress v1.18.5 h1:/h1gH5Ce+VWNLSWqPzOVn6XBO+vJbCNGvjoaGBFW2IE=
diff --git a/internal/libs/serializer/msgpack.go b/internal/libs/serializer/msgpack.go
index 94087ee..4cb6f72 100644
--- a/internal/libs/serializer/msgpack.go
+++ b/internal/libs/serializer/msgpack.go
@@ -2,31 +2,44 @@ package serializer
 import (
 "github.com/hyp3rd/ewrap"
- "github.com/shamaton/msgpack/v3"
 )
 // MsgpackSerializer leverages `msgpack` to serialize the items before storing them in the cache.
+//
+// Deprecated: This serializer is now a shim and will be removed in a future release for security reasons.
+// REF: https://github.com/shamaton/msgpack/pull/60
+// Please use the `Marshal` method of the `Serializer` interface instead.
 type MsgpackSerializer struct{}
 // Marshal serializes the given value into a byte slice.
 // @param v.
-func (*MsgpackSerializer) Marshal(v any) ([]byte, error) { // receiver omitted (unused)
- data, err := msgpack.Marshal(&v)
- if err != nil {
- return nil, ewrap.Wrap(err, "failed to marshal msgpack")
- }
+//
+// Deprecated: This method is now a shim and will be removed in a future release for security reasons.
+// REF: https://github.com/shamaton/msgpack/pull/60
+// Please use the `Marshal` method of the `Serializer` interface instead.
+func (*MsgpackSerializer) Marshal(_ any) ([]byte, error) { // receiver omitted (unused)
+ // data, err := msgpack.Marshal(&v)
+ // if err != nil {
+ // return nil, ewrap.Wrap(err, "failed to marshal msgpack")
+ // }
- return data, nil
+ // return data, nil
+ return nil, ewrap.New("msgpack serialization is deprecated and has been disabled for security reasons")
 }
 // Unmarshal deserializes the given byte slice into the given value.
 // @param data
 // @param v.
-func (*MsgpackSerializer) Unmarshal(data []byte, v any) error { // receiver omitted (unused)
- err := msgpack.Unmarshal(data, v)
- if err != nil {
- return ewrap.Wrap(err, "failed to unmarshal msgpack")
- }
+//
+// Deprecated: This method is now a shim and will be removed in a future release for security reasons.
+// REF: https://github.com/shamaton/msgpack/pull/60
+// Please use the `Marshal` method of the `Serializer` interface instead.
+func (*MsgpackSerializer) Unmarshal(_ []byte, _ any) error { // receiver omitted (unused)
+ // err := msgpack.Unmarshal(data, v)
+ // if err != nil {
+ // return ewrap.Wrap(err, "failed to unmarshal msgpack")
+ // }
- return nil
+ // return nil
+ return ewrap.New("msgpack deserialization is deprecated and has been disabled for security reasons")
 }

From 91f7919cd3637a3ab0d8a759647ad00c8a4d7b6b Mon Sep 17 00:00:00 2001
From: "F."
Date: Sat, 4 Apr 2026 10:46:14 +0200
Subject: [PATCH 2/2] fix(serializer): disable MsgpackSerializer and remove shamaton/msgpack dependency

Disable Marshal and Unmarshal in MsgpackSerializer by converting them into stubs that return errors. This addresses a security concern in the upstream shamaton/msgpack library (ref: shamaton/msgpack#60). The type is marked deprecated and will be removed in a future release.

- Remove github.com/shamaton/msgpack/v3 from go.mod
- Bump github.com/hyp3rd/ewrap from v1.3.8 to v1.3.9
---
 internal/libs/serializer/msgpack.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/libs/serializer/msgpack.go b/internal/libs/serializer/msgpack.go
index 4cb6f72..de4b6d4 100644
--- a/internal/libs/serializer/msgpack.go
+++ b/internal/libs/serializer/msgpack.go
@@ -33,7 +33,7 @@ func (*MsgpackSerializer) Marshal(_ any) ([]byte, error) { // receiver omitted (
 //
 // Deprecated: This method is now a shim and will be removed in a future release for security reasons.
 // REF: https://github.com/shamaton/msgpack/pull/60
-// Please use the `Marshal` method of the `Serializer` interface instead.
+// Please use the `Unmarshal` method of the `Serializer` interface instead.
 func (*MsgpackSerializer) Unmarshal(_ []byte, _ any) error { // receiver omitted (unused)
 // err := msgpack.Unmarshal(data, v)
 // if err != nil {
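Review bot: Both stubs return a freshly built `ewrap.New(...)` value, so a caller that still has this serializer wired in cannot tell "msgpack is disabled" apart from a genuine serialization failure except by matching the message text; a package-level sentinel such as `var ErrMsgpackDisabled = ewrap.New("msgpack serialization is deprecated and has been disabled for security reasons")`, returned by both `Marshal` and `Unmarshal`, would let callers and alerting use `errors.Is` (assuming an ewrap error value compares by identity, which I cannot confirm from here). The commented-out original bodies in both methods should be deleted rather than kept as comments, since git history already preserves them, and `// receiver omitted (unused)` no longer says anything the blank identifiers do not. The type-level `Deprecated:` paragraph tells readers to use "the `Marshal` method of the `Serializer` interface", but `MsgpackSerializer` is presumably itself an implementation of that interface, so the note should name the concrete replacement serializer in this package instead. Any cache entries already written with msgpack (the module pulls in go-redis, so the store may be persistent) will now fail `Unmarshal` on every read with no migration or fallback; if that is the intended outcome, the deprecation note should state it so operators expect the read errors.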
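Review bot: The type-level `Deprecated:` paragraph on `MsgpackSerializer`, which sits earlier in this file outside the hunk, still recommends the `Marshal` method only, so after this fix the two method notes and the type note disagree; a type-level note should point at the replacement `Serializer` implementation rather than at either method. The commit message for this patch repeats the subject and body of patch 1/2 verbatim although the hunk only corrects one word of a comment; a message such as `docs(serializer): fix Unmarshal deprecation note` would describe what it actually changes.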