Compare commits

...

7 Commits

Author SHA1 Message Date
Barry
5a2e5e1118
Merge be5d5da882 into e95bb7e472 2026-06-25 15:43:16 +07:00
dependabot[bot]
e95bb7e472
Bump golang.org/x/net from 0.55.0 to 0.56.0 (#2740)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.55.0 to 0.56.0.
- [Commits](https://github.com/golang/net/compare/v0.55.0...v0.56.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.56.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-23 11:11:00 +10:00
dependabot[bot]
2074319595
Bump golang.org/x/mod from 0.36.0 to 0.37.0 (#2741)
Bumps [golang.org/x/mod](https://github.com/golang/mod) from 0.36.0 to 0.37.0.
- [Commits](https://github.com/golang/mod/compare/v0.36.0...v0.37.0)

---
updated-dependencies:
- dependency-name: golang.org/x/mod
  dependency-version: 0.37.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-23 10:04:36 +10:00
dependabot[bot]
be992d8add
Bump alpine from a2d49ea to 28bd5fe (#2752)
Bumps alpine from `a2d49ea` to `28bd5fe`.

---
updated-dependencies:
- dependency-name: alpine
  dependency-version: '3'
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-23 10:04:28 +10:00
dependabot[bot]
637bb1fecd
Bump golang from 11fd8f7 to 792443b (#2753)
Bumps golang from `11fd8f7` to `792443b`.

---
updated-dependencies:
- dependency-name: golang
  dependency-version: 1.26.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-23 10:04:05 +10:00
dependabot[bot]
bc23b42789
Bump github.com/pelletier/go-toml/v2 from 2.3.1 to 2.4.0 (#2754)
Bumps [github.com/pelletier/go-toml/v2](https://github.com/pelletier/go-toml) from 2.3.1 to 2.4.0.
- [Release notes](https://github.com/pelletier/go-toml/releases)
- [Commits](https://github.com/pelletier/go-toml/compare/v2.3.1...v2.4.0)

---
updated-dependencies:
- dependency-name: github.com/pelletier/go-toml/v2
  dependency-version: 2.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-23 10:03:55 +10:00
barry3406
be5d5da882 Fix roundtrip of top-level string scalars that look like YAML structure
When UnwrapScalar is enabled (the default for yaml output), the yaml
encoder writes node.Value verbatim as a bare line. Any string whose
content is itself a valid YAML mapping, sequence, or alias then round
trips as that container instead of as a string. For example, the input
document `"this: should really work"` previously re-emitted as the bare
line `this: should really work`, which the next reader parses as a one
key map, destroying the original scalar. The same problem surfaces
whenever a multiline string literal happens to contain `key: value`
lines, which is the form the bug report uses for its second reproducer.

Guard the fast-path by re-parsing node.Value with yaml.v4: if the bare
form decodes to a non-scalar, fall through to the regular encoder so it
can apply the quoting style required by the YAML spec. The check is
limited to `!!str` nodes and to structural reinterpretations, so tag
expressions such as `!!int` and plain strings that re-read as integers,
booleans, or nulls are unaffected. An unparseable value (e.g. one
containing NUL) stays on the fast-path so downstream NUL-aware writers
still see the raw bytes.

Updates the base64 "decode yaml document" scenario whose expected
output was `a: apple\n` bare; it is now emitted as a block literal,
which round-trips back to the same string.

Reproducer:

```
printf '"this: should really work"\n' | yq -p yaml -o yaml
```

Before this fix the second run of yq parses the output as a map;
after, it remains the original string.

Fixes #2608
2026-04-11 09:06:37 -07:00
7 changed files with 132 additions and 20 deletions

View File

@ -1,4 +1,4 @@
FROM golang:1.26.4@sha256:11fd8f7f63db3b6fb198797042ba4c40a4a34dc83325d3328ca3bc4bb7726786 AS builder
FROM golang:1.26.4@sha256:792443b89f65105abba56b9bd5e97f680a80074ac62fc844a584212f8c8102c3 AS builder
WORKDIR /go/src/mikefarah/yq
@ -10,7 +10,7 @@ RUN ./scripts/acceptance.sh
# Choose alpine as a base image to make this useful for CI, as many
# CI tools expect an interactive shell inside the container
FROM alpine:3@sha256:a2d49ea686c2adfe3c992e47dc3b5e7fa6e6b5055609400dc2acaeb241c829f4 AS production
FROM alpine:3@sha256:28bd5fe8b56d1bd048e5babf5b10710ebe0bae67db86916198a6eec434943f8b AS production
LABEL maintainer="Mike Farah <mikefarah@users.noreply.github.com>"
COPY --from=builder /go/src/mikefarah/yq/yq /usr/bin/yq

View File

@ -1,4 +1,4 @@
FROM golang:1.26.4@sha256:11fd8f7f63db3b6fb198797042ba4c40a4a34dc83325d3328ca3bc4bb7726786
FROM golang:1.26.4@sha256:792443b89f65105abba56b9bd5e97f680a80074ac62fc844a584212f8c8102c3
COPY scripts/devtools.sh /opt/devtools.sh

8
go.mod
View File

@ -13,15 +13,15 @@ require (
github.com/hashicorp/hcl/v2 v2.24.0
github.com/jinzhu/copier v0.4.0
github.com/magiconair/properties v1.8.10
github.com/pelletier/go-toml/v2 v2.3.1
github.com/pelletier/go-toml/v2 v2.4.0
github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e
github.com/spf13/cobra v1.10.2
github.com/spf13/pflag v1.0.10
github.com/yuin/gopher-lua v1.1.2
github.com/zclconf/go-cty v1.18.1
go.yaml.in/yaml/v4 v4.0.0-rc.5
golang.org/x/mod v0.36.0
golang.org/x/net v0.55.0
golang.org/x/mod v0.37.0
golang.org/x/net v0.56.0
golang.org/x/text v0.38.0
)
@ -34,7 +34,7 @@ require (
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/mitchellh/go-wordwrap v1.0.1 // indirect
golang.org/x/sync v0.21.0 // indirect
golang.org/x/sys v0.45.0 // indirect
golang.org/x/sys v0.46.0 // indirect
golang.org/x/tools v0.45.0 // indirect
)

16
go.sum
View File

@ -46,8 +46,8 @@ github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWE
github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
github.com/pelletier/go-toml/v2 v2.3.1 h1:MYEvvGnQjeNkRF1qUuGolNtNExTDwct51yp7olPtrEc=
github.com/pelletier/go-toml/v2 v2.3.1/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
github.com/pelletier/go-toml/v2 v2.4.0 h1:Mwu0mAkUKbittDs3/ADDWXqMmq3EOK2VHiuCkV00Row=
github.com/pelletier/go-toml/v2 v2.4.0/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e h1:aoZm08cpOy4WuID//EZDgcC4zIxODThtZNPirFr42+A=
github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@ -70,15 +70,15 @@ github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940/go.mod h1:CmB
go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
go.yaml.in/yaml/v4 v4.0.0-rc.5 h1:JVliQq9EGOYaTgMi+k8BhUJyqcGk4ZqeuiN1Cirba9c=
go.yaml.in/yaml/v4 v4.0.0-rc.5/go.mod h1:aZqd9kCMsGL7AuUv/m/PvWLdg5sjJsZ4oHDEnfPPfY0=
golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=
golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ=
golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
golang.org/x/mod v0.37.0 h1:vF1DjpVEshcIqoEaauuHebaLk1O1forxjxBaVn884JQ=
golang.org/x/mod v0.37.0/go.mod h1:m8S8VeM9r4dzDwjrKO0a1sZP3YjeMamRRlD+fmR2Q/0=
golang.org/x/net v0.56.0 h1:Rw8j/hFzGvJUZwNBXnAtf5sVDVt+65SK2C7IxCxZt5o=
golang.org/x/net v0.56.0/go.mod h1:D3Ku6r+V6JROoZK144D2XfMHFcMq/0zSfLelVTCFKec=
golang.org/x/sync v0.21.0 h1:HLII4xRRTtCRkxYp4HNFF0Js/Og6q2i++KXbg0gHCwM=
golang.org/x/sync v0.21.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
golang.org/x/sys v0.46.0 h1:noSf2Fq6F8DBgS+LysIkx7rIExoNHJsxOAtPp4rthXw=
golang.org/x/sys v0.46.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
golang.org/x/text v0.38.0 h1:sXmwo9DwP3OK9EZ7PqAdaooSGozfl/3a6/xJcbzPRhE=
golang.org/x/text v0.38.0/go.mod h1:YXZt3QhHUKYT53r2lLKFIVi6Ao1jdzrTR/KQ09qyxF4=
golang.org/x/tools v0.45.0 h1:18qN3FAooORvApf5XjCXgsuayZOEtXf6JK18I3+ONa8=

View File

@ -81,10 +81,13 @@ var base64Scenarios = []formatScenario{
scenarioType: "decode",
},
{
skipDoc: true,
description: "decode yaml document",
input: base64EncodedYaml,
expected: base64DecodedYaml + "\n",
skipDoc: true,
description: "decode yaml document",
input: base64EncodedYaml,
// The decoded payload ("a: apple\n") would re-parse as a map if
// emitted bare, so the yaml encoder keeps it as a block literal to
// preserve roundtrip safety. See issue #2608.
expected: "|\n a: apple\n",
scenarioType: "decode",
},
{

View File

@ -35,7 +35,7 @@ func (ye *yamlEncoder) Encode(writer io.Writer, node *CandidateNode) error {
if strings.Contains(node.LeadingContent, "\r\n") {
lineEnding = "\r\n"
}
if node.Kind == ScalarNode && ye.prefs.UnwrapScalar {
if node.Kind == ScalarNode && ye.prefs.UnwrapScalar && !bareStringNeedsQuoting(node) {
valueToPrint := node.Value
if node.LeadingContent == "" || valueToPrint != "" {
valueToPrint = valueToPrint + lineEnding
@ -78,3 +78,28 @@ func (ye *yamlEncoder) Encode(writer io.Writer, node *CandidateNode) error {
}
return nil
}
// bareStringNeedsQuoting reports whether a top-level string scalar would be
// structurally reinterpreted if emitted as an unquoted bare value. The
// unwrap-scalar fast-path writes node.Value verbatim, which silently turns a
// string like "this: should really work" into a mapping on the next read, or
// "- item" into a sequence. When this returns true the caller falls through
// to the full yaml encoder, which applies the quoting style required by the
// YAML spec. Scalar-to-scalar reinterpretations (e.g. "123" parsing as an int
// tag) are not covered here: they preserve the node shape and are handled by
// callers that care about explicit tag preservation.
func bareStringNeedsQuoting(node *CandidateNode) bool {
if node.Tag != "!!str" {
return false
}
var parsed yaml.Node
if err := yaml.Unmarshal([]byte(node.Value), &parsed); err != nil {
// Unparseable bare form (e.g. control characters): leave it on the
// fast-path so callers that check for those characters still see them.
return false
}
if parsed.Kind != yaml.DocumentNode || len(parsed.Content) != 1 {
return false
}
return parsed.Content[0].Kind != yaml.ScalarNode
}

View File

@ -0,0 +1,84 @@
package yqlib
import (
"bytes"
"strings"
"testing"
)
// TestYamlEncoderUnwrapScalarRoundtripSafety verifies that a top-level string
// scalar whose unquoted form would re-parse as a non-scalar node (map or
// sequence) is emitted quoted even when UnwrapScalar is enabled. Safe plain
// strings continue to round-trip through the existing fast-path. See #2608.
func TestYamlEncoderUnwrapScalarRoundtripSafety(t *testing.T) {
cases := []struct {
name string
value string
wantBare bool // true: output equals value+"\n"; false: output must differ
}{
{name: "colon_parses_as_map", value: "this: should really work"},
{name: "dash_parses_as_seq", value: "- item"},
{name: "multiline_maplike", value: "a: a\nb: b"},
{name: "safe_plain_string", value: "hello world", wantBare: true},
{name: "safe_identifier", value: "cat", wantBare: true},
{name: "safe_digits_preserved", value: "123", wantBare: true},
{name: "safe_null_word_preserved", value: "null", wantBare: true},
{name: "safe_tag_shorthand_preserved", value: "!!int", wantBare: true},
}
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
prefs := NewDefaultYamlPreferences()
prefs.UnwrapScalar = true
var buf bytes.Buffer
err := NewYamlEncoder(prefs).Encode(&buf, &CandidateNode{
Kind: ScalarNode,
Tag: "!!str",
Value: tc.value,
})
if err != nil {
t.Fatalf("encode failed: %v", err)
}
got := buf.String()
if tc.wantBare {
if got != tc.value+"\n" {
t.Fatalf("expected bare %q, got %q", tc.value+"\n", got)
}
return
}
// Ambiguous input: must not be emitted as the bare value.
if got == tc.value+"\n" {
t.Fatalf("value %q was emitted bare; expected quoted form", tc.value)
}
// The output must round-trip back to a string scalar with the
// same value, proving structural roundtrip safety.
decoder := NewYamlDecoder(NewDefaultYamlPreferences())
nodes, err := readDocuments(strings.NewReader(got), "test.yaml", 0, decoder)
if err != nil {
t.Fatalf("decode of %q failed: %v", got, err)
}
if nodes.Len() != 1 {
t.Fatalf("expected one document, got %d", nodes.Len())
}
candidate := nodes.Front().Value.(*CandidateNode)
// readDocuments wraps the document; descend to the scalar.
scalar := candidate
for scalar.Kind != ScalarNode && len(scalar.Content) == 1 {
scalar = scalar.Content[0]
}
if scalar.Kind != ScalarNode {
t.Fatalf("round-tripped node is not a scalar: kind=%v value=%q", scalar.Kind, scalar.Value)
}
if scalar.Tag != "!!str" {
t.Fatalf("round-tripped tag is %q, want !!str", scalar.Tag)
}
if scalar.Value != tc.value {
t.Fatalf("round-tripped value is %q, want %q", scalar.Value, tc.value)
}
})
}
}