Skip to content

chore(deps): update module github.com/oapi-codegen/oapi-codegen/v2 to v2.7.2#226

Merged
jianyuan merged 1 commit into
mainfrom
renovate/github.com-oapi-codegen-oapi-codegen-v2-2.x
Jul 16, 2026
Merged

chore(deps): update module github.com/oapi-codegen/oapi-codegen/v2 to v2.7.2#226
jianyuan merged 1 commit into
mainfrom
renovate/github.com-oapi-codegen-oapi-codegen-v2-2.x

Conversation

@renovate

@renovate renovate Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
github.com/oapi-codegen/oapi-codegen/v2 v2.7.1v2.7.2 age confidence

Release Notes

oapi-codegen/oapi-codegen (github.com/oapi-codegen/oapi-codegen/v2)

v2.7.2: More fixes for code injection issues

Compare Source

String escaping fixes due to more code injection issues

We've had two more code injection issues reported in oapi-codegen, thanks @​Gal3M, @​mrostamipoor for these findings.

These specific issues are now patches in the main branch and in this v2.7.2 release.

You shouldn't blindly trust OpenAPI specs

This code wasn't originally written assuming code generation from random specs from the internet, and it never took any measures to protect itself from malicious specifications, the assumption being that you control your specification, and that you actually look over generated code.

For example, all these RCE exploits rely on using the package init() function in the generated code to run some malicious code at package startup. A way to test for this is to see whether an init() function is emitted, which we currently don't do.

When working with OpenAPI specifications, especially specs you find on remote servers, you should download the spec locally, run some kind of spec validator on it, like openapi-spec-validator, and only then feed it into oapi-codegen. We're very permissive in accepting broken specifications, intentionally, since people feed a lot of garbage input, but this flexibility also makes us weak to these kinds of attacks. There are hundreds of injection sites in oapi-codegen based on my survey.

For the next minor release, v2.8.0, we're going to validate the spec before code generation (#​2435), however, since this introduces a new set of failure modes, I don't want to include it in a maintenance release version. The future release is resilient against many forms of injection, and the spec validation has the added benefit that it can generate meaningful error messages for garbage input, where currently, we generate non-compiling code.

Until then, please do sanity checks on your input specifications, on the generated output, and don't fetch specs from the internet in your build, commit both the spec locally into your source control, and go through code review. In our repo, we've hooked up Greptile to catch issues like this, and you should also use some code quality tool. We can't possibly protect against every kind of attack with simple heuristics.

Sponsors

We would like to thank our sponsors for their support during this release.

DevZero logo

Cybozu logo

We'd also like to thank Greptile for allowing our project to use their code review system.

Greptile logo


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
renovate Bot requested a review from jianyuan as a code owner July 7, 2026 05:12
@renovate
renovate Bot force-pushed the renovate/github.com-oapi-codegen-oapi-codegen-v2-2.x branch from 9244f36 to ae125ca Compare July 16, 2026 08:43
@jianyuan
jianyuan merged commit 14b92f3 into main Jul 16, 2026
6 checks passed
@jianyuan
jianyuan deleted the renovate/github.com-oapi-codegen-oapi-codegen-v2-2.x branch July 16, 2026 08:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant