The issue is in the Unmarshal function of Go-Yaml v3 (gopkg.in/yaml.v3): certain invalid input makes the decoder panic instead of returning an error, so a program that parses untrusted YAML without recovering from panics is terminated by a crafted document. This is not the kind of regression the wording "v2 did not have an Unmarshal function" suggests: yaml.v2 also exports Unmarshal and reports malformed documents as errors; the crash was reported against the v3 decoder. To check whether a build is affected, feed the decoder malformed documents (a fuzzer is the practical source) inside a wrapper that recovers from panics, and confirm that every failure comes back as an error rather than a panic. The remedy is to move to a yaml.v3 release that contains the fix (3.0.1 or later); a recover wrapper at the trust boundary is a mitigation for code that cannot upgrade immediately.

Range check in data type handling

Go-Yaml checks that a decoded scalar fits the Go field it is assigned to: a value such as 300 cannot be unmarshalled into a uint8, and the decoder reports this as a type error rather than silently truncating the value. This is by design and is not considered a flaw, although it can be an annoyance when a field needs a different range than its Go type provides; in that case decode into a wider type and apply your own bounds check afterwards.

The security-relevant distinction in v3 is between an error and a panic. A range violation or a type mismatch comes back as an ordinary error that the caller can handle; the vulnerability described above is that some malformed input instead triggered a panic inside the decoder. When the input is attacker-controlled, an unrecovered panic terminates the process, so code that parses untrusted documents should both check the returned error and contain panics raised by the decoder.

Modular and flexible import/export

One of the big changes in Go-Yaml v3 is how the API is organised. The Marshal and Unmarshal functions of v2 remain, but v3 adds an intermediate representation, yaml.Node: a document can be decoded into a Node tree, inspected or transformed (comments and positions are preserved), and then decoded into Go values or encoded back to text. Streaming is done through yaml.NewDecoder and yaml.NewEncoder, which work on an io.Reader and io.Writer; the Decoder's KnownFields(true) rejects fields the target struct does not declare and replaces v2's UnmarshalStrict.

Loading from a file is done with the standard library rather than a dedicated helper: read the file with os.ReadFile and pass the bytes to yaml.Unmarshal, or open it and hand the *os.File to yaml.NewDecoder. Because a JSON document is also valid YAML, a JSON payload can be loaded with exactly the same calls, which makes it easy to accept either format at one input point.

Exporting the object back out is done with yaml.Marshal, or with a yaml.Encoder when writing directly to a file or network stream.
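The following Go program is an added example, not code from the go-yaml project or from the original page. It serves the three passages above at once: containing a decoder panic at the trust boundary, the range check that surfaces as an error rather than a truncated value, and loading a bounded document from an io.Reader and exporting it again. So that it runs with the standard library alone it uses encoding/json, whose Unmarshal and Marshal have the same signatures as yaml.Unmarshal and yaml.Marshal (JSON being valid YAML, as noted above), together with a constructed panickyDecode that simulates a crash bug; in real code pass yaml.Unmarshal and yaml.Marshal instead. Config, MaxDocumentSize and the sample inputs are assumptions made for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"os"
)

// DecodeFunc has the signature of yaml.Unmarshal and json.Unmarshal.
type DecodeFunc func(data []byte, v any) error

// EncodeFunc has the signature of yaml.Marshal and json.Marshal.
type EncodeFunc func(v any) ([]byte, error)

// ErrDecoderPanicked wraps a panic raised inside the decoder.
var ErrDecoderPanicked = errors.New("decoder panicked on input")

// MaxDocumentSize is an assumed cap on untrusted documents (1 MiB).
const MaxDocumentSize = 1 << 20

// Config is a constructed target type. Retries is uint8 so that an
// out-of-range value in the input exercises the decoder's range check.
type Config struct {
	Name    string `json:"name" yaml:"name"`
	Retries uint8  `json:"retries" yaml:"retries"`
}

// SafeUnmarshal runs decode under recover so that a parser bug surfaces
// as an error the caller can handle instead of terminating the process.
func SafeUnmarshal(decode DecodeFunc, data []byte, v any) (err error) {
	if len(data) > MaxDocumentSize {
		return fmt.Errorf("document is %d bytes, limit is %d", len(data), MaxDocumentSize)
	}
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%w: %v", ErrDecoderPanicked, r)
		}
	}()
	return decode(data, v)
}

// LoadDocument reads a bounded amount from r (a file, socket or request
// body) and decodes it into v. One byte beyond the limit is read so that
// oversized input is rejected rather than silently truncated.
func LoadDocument(decode DecodeFunc, r io.Reader, v any) error {
	data, err := io.ReadAll(io.LimitReader(r, MaxDocumentSize+1))
	if err != nil {
		return err
	}
	return SafeUnmarshal(decode, data, v)
}

// ExportDocument serialises v with encode and writes the result to w.
func ExportDocument(encode EncodeFunc, w io.Writer, v any) error {
	out, err := encode(v)
	if err != nil {
		return err
	}
	_, err = w.Write(out)
	return err
}

// panickyDecode is a constructed stand-in for a decoder with a crash bug:
// input starting with '!' panics, everything else is parsed as JSON.
func panickyDecode(data []byte, v any) error {
	if len(data) > 0 && data[0] == '!' {
		panic("index out of range [1] with length 1") // simulated parser bug
	}
	return json.Unmarshal(data, v)
}

func main() {
	inputs := []string{
		`{"name": "svc", "retries": 3}`,   // well-formed
		`{"name": "svc", "retries": 300}`, // 300 does not fit in uint8: error, not truncation
		`!: [`,                            // triggers the simulated panic, returned as an error
	}
	for _, in := range inputs {
		var cfg Config
		err := LoadDocument(panickyDecode, bytes.NewReader([]byte(in)), &cfg)
		fmt.Printf("%-34s -> err=%v cfg=%+v\n", in, err, cfg)
	}
	_ = ExportDocument(json.Marshal, os.Stdout, Config{Name: "svc", Retries: 3})
	fmt.Println()
}
```

recover only catches panics on the goroutine that called the decoder, and it leaves the partially filled target in whatever state the decoder reached, so discard the value when SafeUnmarshal reports ErrDecoderPanicked. The wrapper is a mitigation, not a substitute for upgrading; the same SafeUnmarshal is also a convenient body for a Go fuzz target (go test -fuzz) when looking for further crashes in a decoder.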

Timeline

Published on: 05/19/2022 20:15:00 UTC
Last modified on: 06/02/2022 16:05:00 UTC
