
[TT-16932] Fix CVE-2026-32286#959

Merged

buger merged 10 commits into master from TT-16932 on Apr 17, 2026

Conversation

@MFCaballero
Contributor

Description

To fix CVE-2026-32286 we need to update to pgx/v5, and for that an update to gorm.io/driver/postgres v1.5.0 is needed.

Related Issue

Motivation and Context

How This Has Been Tested

Screenshots (if appropriate)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist

  • Make sure you are requesting to pull a topic/feature/bugfix branch (right side). If pulling from your own
    fork, don't request your master!
  • Make sure you are making a pull request against the master branch (left side). Also, you should start
    your branch off our latest master.
  • My change requires a change to the documentation.
    • If you've changed APIs, describe what needs to be updated in the documentation.
  • I have updated the documentation accordingly.
  • Modules and vendor dependencies have been updated; run go mod tidy && go mod vendor
  • I have added tests to cover my changes.
  • All new and existing tests passed.
  • Check your code additions will not fail linting checks:
    • go fmt -s
    • go vet

@probelabs
Contributor

probelabs Bot commented Apr 10, 2026

This pull request addresses security vulnerability CVE-2026-32286 by upgrading the PostgreSQL database driver (pgx) from v4 to v5. This is achieved by updating the GORM Postgres driver to v1.5.0. The PR also updates the MySQL GORM driver, advances the project's custom GORM fork, and introduces comprehensive integration test suites for both PostgreSQL and MySQL pumps to validate these significant dependency changes. A key technical achievement is a workaround that fixes a time.Month encoding issue in pgx/v5, ensuring the prefer_simple_protocol option remains functional.

Files Changed Analysis

  • go.mod / go.sum: The core of the change, reflecting the upgrade of gorm.io/driver/postgres (v1.2.0 → v1.5.0) and gorm.io/driver/mysql (v1.0.3 → v1.3.2), which transitively replaces pgx/v4 with pgx/v5. The gorm.io/gorm fork is also updated.
  • pumps/sql.go: A sophisticated workaround has been implemented for a pgx/v5 bug. The pump now customizes the database connection to inject a custom type encoder (monthEncodePlan), ensuring time.Month is correctly encoded as an integer when using the simple protocol, thus preserving this feature's functionality.
  • pumps/sql_pgxv5_test.go & pumps/sql_mysql_test.go: Two new, extensive test suites have been added. They validate the behavior of the new drivers, covering migration idempotency, batch writes, upsert (ON CONFLICT) logic, connection pooling, and sharded table creation. A specific test (TestSQLWriteData_PreferSimpleProtocol_Month) confirms the time.Month encoding fix.
  • .github/workflows/ci-test.yml: The CI pipeline is enhanced to include a MySQL service, enabling the new MySQL integration tests to run.
  • bin/ci-test.sh: Minor update to pin the version of goimports used in CI.

Architecture & Impact Assessment

  • What this PR accomplishes: Mitigates CVE-2026-32286 by upgrading the database driver stack. It hardens the data persistence layer by adding a robust integration testing framework for the SQL pumps and fixes a potential regression in the new pgx/v5 driver.
  • Key technical changes introduced:
    • Upgrade of core database drivers (pgx v4 → v5).
    • Implementation of a custom connection and type encoder in pumps/sql.go to work around a pgx/v5 bug.
    • Introduction of comprehensive integration tests for PostgreSQL and MySQL pumps.
    • CI pipeline enhancement to support database-dependent testing.
  • Affected system components: The changes directly impact all SQL-based data pumps (SQLPump, SQLAggregatePump, GraphSQLPump) that persist analytics data to PostgreSQL and MySQL.

```mermaid
graph TD
    subgraph Tyk Pump Service
        A[SQL Pumps] --> B{GORM ORM Fork}
    end
    B --> C[gorm.io/driver/postgres: v1.5.0]
    B --> H[gorm.io/driver/mysql: v1.3.2]
    C --> D[github.com/jackc/pgx: v5]
    D -- Interacts with --> E[(PostgreSQL DB)]
    H -- Interacts with --> I[(MySQL DB)]

    subgraph "CI/CD Pipeline"
        F[New pgx/v5 Tests] -- Validates --> D
        G[New MySQL Tests] -- Validates --> H
    end

    style C fill:#c9ffc9,stroke:#333,stroke-width:2px
    style D fill:#c9ffc9,stroke:#333,stroke-width:2px
    style H fill:#c9ffc9,stroke:#333,stroke-width:2px
    style F fill:#c9ffc9,stroke:#333,stroke-width:2px
    style G fill:#c9ffc9,stroke:#333,stroke-width:2px
```

Scope Discovery & Context Expansion

  • The initial scope was fixing a CVE. This expanded to include a holistic update of both PostgreSQL and MySQL drivers and the GORM fork for consistency.
  • During the upgrade, the author identified and fixed a critical bug in pgx/v5's simple protocol related to time.Month encoding. The workaround in pumps/sql.go is a testament to this deep investigation.
  • The most significant expansion of scope is the introduction of a comprehensive integration test suite. This was not strictly required by the CVE fix but demonstrates a proactive approach to de-risking a major dependency change and improving the long-term stability and maintainability of the SQL pumps.

Metadata

  • Review Effort: 4 / 5
  • Primary Label: bug

Powered by Visor from Probelabs

Last updated: 2026-04-17T14:10:01.225Z | Triggered by: pr_updated | Commit: 309285e

💡 TIP: You can chat with Visor using /visor ask <your question>

@probelabs
Contributor

probelabs Bot commented Apr 10, 2026

✅ Security Check Passed

No security issues found – changes LGTM.

✅ Architecture Check Passed

No architecture issues found – changes LGTM.


Performance Issues (1)

| Severity | Location | Issue |
| --- | --- | --- |
| 🟡 Warning | pumps/sql.go:105-123 | The `AfterConnect` hook runs for every new database connection, prepending a custom encoding plan function. This adds a constant-time overhead to every parameter sent to the database due to an extra type assertion. While the impact is minor for single queries, in high-throughput scenarios with large batch inserts, this per-parameter overhead could accumulate and become a performance concern. |

💡 Suggestion: This change is a valid trade-off for correctness. However, for long-term performance, consider contributing a fix to the upstream `pgx` driver to handle `time.Month` correctly in simple protocol mode. This would eliminate the need for this workaround and its associated overhead.

✅ Quality Check Passed

No quality issues found – changes LGTM.


Powered by Visor from Probelabs

Last updated: 2026-04-17T14:09:17.733Z | Triggered by: pr_updated | Commit: 309285e

💡 TIP: You can chat with Visor using /visor ask <your question>
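As an added illustration, not code from the PR, from Tyk Pump or from pgx, the stdlib-only Go program below models the plan-wrapping workaround the two bot summaries above describe: a wrapper plan is placed in front of the driver's text encoder and converts `time.Month`, and more generally any named integer type, to `int64` before delegating, with the single `time.Month` type assertion as the fast path the performance note refers to. The `EncodePlan` interface and the failing `textPlan` are constructed stand-ins for pgx/v5's pgtype encode-plan chain, and the `"March"`-instead-of-`3` symptom is an assumption made to reproduce a wrong encoding, not something the PR states.

```go
package main

import (
	"fmt"
	"reflect"
	"strconv"
	"time"
)

// EncodePlan is a simplified stand-in (assumption, not the pgx API) for a
// pgtype encode plan: it appends the wire encoding of value to buf.
type EncodePlan interface {
	Encode(value any, buf []byte) ([]byte, error)
}

// textPlan is a constructed text-format encoder that falls back to
// fmt.Stringer for named types. time.Month implements Stringer, so without
// a fix it is sent as "March" instead of the integer 3.
type textPlan struct{}

func (textPlan) Encode(value any, buf []byte) ([]byte, error) {
	switch v := value.(type) {
	case int64:
		return strconv.AppendInt(buf, v, 10), nil
	case fmt.Stringer:
		return append(buf, v.String()...), nil
	}
	return nil, fmt.Errorf("unsupported parameter type %T", value)
}

// monthNormalizingPlan (hypothetical name) is prepended to the chain and
// normalizes integer-kinded named types to int64 before delegating.
type monthNormalizingPlan struct{ next EncodePlan }

func (p monthNormalizingPlan) Encode(value any, buf []byte) ([]byte, error) {
	if m, ok := value.(time.Month); ok { // fast path: one type assertion
		return p.next.Encode(int64(m), buf)
	}
	// General case: any named type whose underlying kind is a signed int.
	if rv := reflect.ValueOf(value); rv.IsValid() &&
		rv.Kind() >= reflect.Int && rv.Kind() <= reflect.Int64 {
		return p.next.Encode(rv.Int(), buf)
	}
	return p.next.Encode(value, buf)
}

// EncodeText returns the text wire form of a parameter with or without the
// workaround so the two behaviours can be compared.
func EncodeText(value any, withFix bool) (string, error) {
	var plan EncodePlan = textPlan{}
	if withFix {
		plan = monthNormalizingPlan{next: plan}
	}
	buf, err := plan.Encode(value, nil)
	return string(buf), err
}

func main() {
	for _, fix := range []bool{false, true} {
		s, err := EncodeText(time.March, fix)
		fmt.Printf("fix=%v month=%q err=%v\n", fix, s, err)
	}
}
```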

@sonarqubecloud

Quality Gate failed

Failed conditions
0.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

@buger buger merged commit 76d4448 into master Apr 17, 2026
42 of 53 checks passed
@buger buger deleted the TT-16932 branch April 17, 2026 15:04
@MFCaballero
Contributor Author

/release to release-1.14.1

@probelabs
Contributor

probelabs Bot commented Apr 17, 2026

⚠️ Cherry-pick encountered conflicts. A draft PR was created: #979

@MFCaballero
Contributor Author

/release to release-1.14.1

@probelabs
Contributor

probelabs Bot commented Apr 17, 2026

⚠️ Cherry-pick encountered conflicts. A draft PR was created: #980

MFCaballero added a commit that referenced this pull request Apr 17, 2026
buger pushed a commit that referenced this pull request Apr 17, 2026
* chore: prepare PR for cherry-pick 76d4448 → release-1.14.1

    Cherry-pick failed with conflicts and requires manual resolution.
    This empty commit exists to allow opening a draft PR.

* merge #959

---------

Co-authored-by: Tyk Bot <bot@tyk.io>
Co-authored-by: Florencia Caballero <66144664+MFCaballero@users.noreply.github.com>