Compare commits

...

5 Commits

Author SHA1 Message Date
Barry
f9563c0a75
Merge be5d5da882 into e2f1d5ccf7 2026-07-02 09:56:30 -04:00
dependabot[bot]
e2f1d5ccf7
Bump go.yaml.in/yaml/v4 from 4.0.0-rc.5 to 4.0.0-rc.6 (#2759)
Bumps [go.yaml.in/yaml/v4](https://github.com/yaml/go-yaml) from 4.0.0-rc.5 to 4.0.0-rc.6.
- [Commits](https://github.com/yaml/go-yaml/compare/v4.0.0-rc.5...v4.0.0-rc.6)

---
updated-dependencies:
- dependency-name: go.yaml.in/yaml/v4
  dependency-version: 4.0.0-rc.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-29 16:54:05 +10:00
dependabot[bot]
16f149b351
Bump github.com/pelletier/go-toml/v2 from 2.4.0 to 2.4.2 (#2762)
Bumps [github.com/pelletier/go-toml/v2](https://github.com/pelletier/go-toml) from 2.4.0 to 2.4.2.
- [Release notes](https://github.com/pelletier/go-toml/releases)
- [Commits](https://github.com/pelletier/go-toml/compare/v2.4.0...v2.4.2)

---
updated-dependencies:
- dependency-name: github.com/pelletier/go-toml/v2
  dependency-version: 2.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-29 16:53:39 +10:00
dependabot[bot]
5da9215306
Bump actions/setup-go from 6.4.0 to 6.5.0 (#2763)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 6.4.0 to 6.5.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](4a3601121d...924ae3a1cd)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 6.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-29 16:53:18 +10:00
barry3406
be5d5da882 Fix roundtrip of top-level string scalars that look like YAML structure
When UnwrapScalar is enabled (the default for yaml output), the yaml
encoder writes node.Value verbatim as a bare line. Any string whose
content is itself a valid YAML mapping, sequence, or alias then round
trips as that container instead of as a string. For example, the input
document `"this: should really work"` previously re-emitted as the bare
line `this: should really work`, which the next reader parses as a one
key map, destroying the original scalar. The same problem surfaces
whenever a multiline string literal happens to contain `key: value`
lines, which is the form the bug report uses for its second reproducer.

Guard the fast-path by re-parsing node.Value with yaml.v4: if the bare
form decodes to a non-scalar, fall through to the regular encoder so it
can apply the quoting style required by the YAML spec. The check is
limited to `!!str` nodes and to structural reinterpretations, so tag
expressions such as `!!int` and plain strings that re-read as integers,
booleans, or nulls are unaffected. An unparseable value (e.g. one
containing NUL) stays on the fast-path so downstream NUL-aware writers
still see the raw bytes.

Updates the base64 "decode yaml document" scenario whose expected
output was `a: apple\n` bare; it is now emitted as a block literal,
which round-trips back to the same string.

Reproducer:

```
printf '"this: should really work"\n' | yq -p yaml -o yaml
```

Before this fix the second run of yq parses the output as a map;
after, it remains the original string.

Fixes #2608
2026-04-11 09:06:37 -07:00
7 changed files with 125 additions and 13 deletions

View File

@ -37,7 +37,7 @@ jobs:
steps:
- name: Set up Go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
with:
go-version: '^1.20'
id: go

View File

@ -15,7 +15,7 @@ jobs:
id-token: write
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
- uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
with:
go-version: '^1.20'
check-latest: true

4
go.mod
View File

@ -13,13 +13,13 @@ require (
github.com/hashicorp/hcl/v2 v2.24.0
github.com/jinzhu/copier v0.4.0
github.com/magiconair/properties v1.8.10
github.com/pelletier/go-toml/v2 v2.4.0
github.com/pelletier/go-toml/v2 v2.4.2
github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e
github.com/spf13/cobra v1.10.2
github.com/spf13/pflag v1.0.10
github.com/yuin/gopher-lua v1.1.2
github.com/zclconf/go-cty v1.18.1
go.yaml.in/yaml/v4 v4.0.0-rc.5
go.yaml.in/yaml/v4 v4.0.0-rc.6
golang.org/x/mod v0.37.0
golang.org/x/net v0.56.0
golang.org/x/text v0.38.0

8
go.sum
View File

@ -46,8 +46,8 @@ github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWE
github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
github.com/pelletier/go-toml/v2 v2.4.0 h1:Mwu0mAkUKbittDs3/ADDWXqMmq3EOK2VHiuCkV00Row=
github.com/pelletier/go-toml/v2 v2.4.0/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
github.com/pelletier/go-toml/v2 v2.4.2 h1:M2fKKbmyvI+hGId/D0W64qDBMVhJnNR10O5gIbMc//Q=
github.com/pelletier/go-toml/v2 v2.4.2/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e h1:aoZm08cpOy4WuID//EZDgcC4zIxODThtZNPirFr42+A=
github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@ -68,8 +68,8 @@ github.com/zclconf/go-cty v1.18.1/go.mod h1:qpnV6EDNgC1sns/AleL1fvatHw72j+S+nS+M
github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940 h1:4r45xpDWB6ZMSMNJFMOjqrGHynW3DIBuR2H9j0ug+Mo=
github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940/go.mod h1:CmBdvvj3nqzfzJ6nTCIwDTPZ56aVGvDrmztiO5g3qrM=
go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
go.yaml.in/yaml/v4 v4.0.0-rc.5 h1:JVliQq9EGOYaTgMi+k8BhUJyqcGk4ZqeuiN1Cirba9c=
go.yaml.in/yaml/v4 v4.0.0-rc.5/go.mod h1:aZqd9kCMsGL7AuUv/m/PvWLdg5sjJsZ4oHDEnfPPfY0=
go.yaml.in/yaml/v4 v4.0.0-rc.6 h1:1h7H1ohdUh93/FyE4YaDa1Zh64K6VVbjF4K6WUxMtH4=
go.yaml.in/yaml/v4 v4.0.0-rc.6/go.mod h1:aZqd9kCMsGL7AuUv/m/PvWLdg5sjJsZ4oHDEnfPPfY0=
golang.org/x/mod v0.37.0 h1:vF1DjpVEshcIqoEaauuHebaLk1O1forxjxBaVn884JQ=
golang.org/x/mod v0.37.0/go.mod h1:m8S8VeM9r4dzDwjrKO0a1sZP3YjeMamRRlD+fmR2Q/0=
golang.org/x/net v0.56.0 h1:Rw8j/hFzGvJUZwNBXnAtf5sVDVt+65SK2C7IxCxZt5o=

View File

@ -81,10 +81,13 @@ var base64Scenarios = []formatScenario{
scenarioType: "decode",
},
{
skipDoc: true,
description: "decode yaml document",
input: base64EncodedYaml,
expected: base64DecodedYaml + "\n",
skipDoc: true,
description: "decode yaml document",
input: base64EncodedYaml,
// The decoded payload ("a: apple\n") would re-parse as a map if
// emitted bare, so the yaml encoder keeps it as a block literal to
// preserve roundtrip safety. See issue #2608.
expected: "|\n a: apple\n",
scenarioType: "decode",
},
{

View File

@ -35,7 +35,7 @@ func (ye *yamlEncoder) Encode(writer io.Writer, node *CandidateNode) error {
if strings.Contains(node.LeadingContent, "\r\n") {
lineEnding = "\r\n"
}
if node.Kind == ScalarNode && ye.prefs.UnwrapScalar {
if node.Kind == ScalarNode && ye.prefs.UnwrapScalar && !bareStringNeedsQuoting(node) {
valueToPrint := node.Value
if node.LeadingContent == "" || valueToPrint != "" {
valueToPrint = valueToPrint + lineEnding
@ -78,3 +78,28 @@ func (ye *yamlEncoder) Encode(writer io.Writer, node *CandidateNode) error {
}
return nil
}
// bareStringNeedsQuoting reports whether a top-level string scalar would be
// structurally reinterpreted if emitted as an unquoted bare value. The
// unwrap-scalar fast-path writes node.Value verbatim, which silently turns a
// string like "this: should really work" into a mapping on the next read, or
// "- item" into a sequence. When this returns true the caller falls through
// to the full yaml encoder, which applies the quoting style required by the
// YAML spec. Scalar-to-scalar reinterpretations (e.g. "123" parsing as an int
// tag) are not covered here: they preserve the node shape and are handled by
// callers that care about explicit tag preservation.
func bareStringNeedsQuoting(node *CandidateNode) bool {
if node.Tag != "!!str" {
return false
}
var parsed yaml.Node
if err := yaml.Unmarshal([]byte(node.Value), &parsed); err != nil {
// Unparseable bare form (e.g. control characters): leave it on the
// fast-path so callers that check for those characters still see them.
return false
}
if parsed.Kind != yaml.DocumentNode || len(parsed.Content) != 1 {
return false
}
return parsed.Content[0].Kind != yaml.ScalarNode
}

View File

@ -0,0 +1,84 @@
package yqlib
import (
"bytes"
"strings"
"testing"
)
// TestYamlEncoderUnwrapScalarRoundtripSafety verifies that a top-level string
// scalar whose unquoted form would re-parse as a non-scalar node (map or
// sequence) is emitted quoted even when UnwrapScalar is enabled. Safe plain
// strings continue to round-trip through the existing fast-path. See #2608.
func TestYamlEncoderUnwrapScalarRoundtripSafety(t *testing.T) {
cases := []struct {
name string
value string
wantBare bool // true: output equals value+"\n"; false: output must differ
}{
{name: "colon_parses_as_map", value: "this: should really work"},
{name: "dash_parses_as_seq", value: "- item"},
{name: "multiline_maplike", value: "a: a\nb: b"},
{name: "safe_plain_string", value: "hello world", wantBare: true},
{name: "safe_identifier", value: "cat", wantBare: true},
{name: "safe_digits_preserved", value: "123", wantBare: true},
{name: "safe_null_word_preserved", value: "null", wantBare: true},
{name: "safe_tag_shorthand_preserved", value: "!!int", wantBare: true},
}
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
prefs := NewDefaultYamlPreferences()
prefs.UnwrapScalar = true
var buf bytes.Buffer
err := NewYamlEncoder(prefs).Encode(&buf, &CandidateNode{
Kind: ScalarNode,
Tag: "!!str",
Value: tc.value,
})
if err != nil {
t.Fatalf("encode failed: %v", err)
}
got := buf.String()
if tc.wantBare {
if got != tc.value+"\n" {
t.Fatalf("expected bare %q, got %q", tc.value+"\n", got)
}
return
}
// Ambiguous input: must not be emitted as the bare value.
if got == tc.value+"\n" {
t.Fatalf("value %q was emitted bare; expected quoted form", tc.value)
}
// The output must round-trip back to a string scalar with the
// same value, proving structural roundtrip safety.
decoder := NewYamlDecoder(NewDefaultYamlPreferences())
nodes, err := readDocuments(strings.NewReader(got), "test.yaml", 0, decoder)
if err != nil {
t.Fatalf("decode of %q failed: %v", got, err)
}
if nodes.Len() != 1 {
t.Fatalf("expected one document, got %d", nodes.Len())
}
candidate := nodes.Front().Value.(*CandidateNode)
// readDocuments wraps the document; descend to the scalar.
scalar := candidate
for scalar.Kind != ScalarNode && len(scalar.Content) == 1 {
scalar = scalar.Content[0]
}
if scalar.Kind != ScalarNode {
t.Fatalf("round-tripped node is not a scalar: kind=%v value=%q", scalar.Kind, scalar.Value)
}
if scalar.Tag != "!!str" {
t.Fatalf("round-tripped tag is %q, want !!str", scalar.Tag)
}
if scalar.Value != tc.value {
t.Fatalf("round-tripped value is %q, want %q", scalar.Value, tc.value)
}
})
}
}