chore(deps): update module github.com/oapi-codegen/oapi-codegen/v2 to v2.7.2#226
Merged
jianyuan merged 1 commit intoJul 16, 2026
Merged
Conversation
renovate
Bot
force-pushed
the
renovate/github.com-oapi-codegen-oapi-codegen-v2-2.x
branch
from
July 16, 2026 08:43
9244f36 to
ae125ca
Compare
jianyuan
deleted the
renovate/github.com-oapi-codegen-oapi-codegen-v2-2.x
branch
July 16, 2026 08:57
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v2.7.1→v2.7.2Release Notes
oapi-codegen/oapi-codegen (github.com/oapi-codegen/oapi-codegen/v2)
v2.7.2: More fixes for code injection issuesCompare Source
String escaping fixes due to more code injection issues
We've had two more code injection issues reported in
oapi-codegen, thanks @Gal3M, @mrostamipoor for these findings.These specific issues are now patches in the main branch and in this v2.7.2 release.
You shouldn't blindly trust OpenAPI specs
This code wasn't originally written assuming code generation from random specs from the internet, and it never took any measures to protect itself from malicious specifications, the assumption being that you control your specification, and that you actually look over generated code.
For example, all these RCE exploits rely on using the package
init()function in the generated code to run some malicious code at package startup. A way to test for this is to see whether aninit()function is emitted, which we currently don't do.When working with OpenAPI specifications, especially specs you find on remote servers, you should download the spec locally, run some kind of spec validator on it, like openapi-spec-validator, and only then feed it into oapi-codegen. We're very permissive in accepting broken specifications, intentionally, since people feed a lot of garbage input, but this flexibility also makes us weak to these kinds of attacks. There are hundreds of injection sites in
oapi-codegenbased on my survey.For the next minor release,
v2.8.0, we're going to validate the spec before code generation (#2435), however, since this introduces a new set of failure modes, I don't want to include it in a maintenance release version. The future release is resilient against many forms of injection, and the spec validation has the added benefit that it can generate meaningful error messages for garbage input, where currently, we generate non-compiling code.Until then, please do sanity checks on your input specifications, on the generated output, and don't fetch specs from the internet in your build, commit both the spec locally into your source control, and go through code review. In our repo, we've hooked up Greptile to catch issues like this, and you should also use some code quality tool. We can't possibly protect against every kind of attack with simple heuristics.
Sponsors
We would like to thank our sponsors for their support during this release.
We'd also like to thank Greptile for allowing our project to use their code review system.
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.