
Merging to release-1.14.1: [TT-16932] Fix CVE-2026-32286 (#959) #980

Merged
buger merged 2 commits into release-1.14.1 from merge/release-1.14.1/76d4448681b75c1279e2e00b10dc3d8f96e8afe4/TT-16932
Apr 17, 2026

Conversation

@probelabs probelabs bot (Contributor) commented Apr 17, 2026

Cherry-pick of 76d4448681b75c1279e2e00b10dc3d8f96e8afe4 from master to release-1.14.1 requires manual resolution.

Conflicts detected: 6

  • .github/workflows/ci-test.yml
  • go.mod

Tips:

  • Check out this branch locally and run: git cherry-pick -x 76d4448681b75c1279e2e00b10dc3d8f96e8afe4
  • Resolve conflicts (including submodules if any), then push back to this branch.

Original commit: 76d4448

    Cherry-pick failed with conflicts and requires manual resolution.
    This empty commit exists to allow opening a draft PR.
@probelabs probelabs bot added the needs-manual-cherry-pick Cherry-pick has conflicts label Apr 17, 2026
@probelabs probelabs bot mentioned this pull request Apr 17, 2026
@MFCaballero MFCaballero deleted the merge/release-1.14.1/76d4448681b75c1279e2e00b10dc3d8f96e8afe4/TT-16932 branch April 17, 2026 17:42
@MFCaballero MFCaballero restored the merge/release-1.14.1/76d4448681b75c1279e2e00b10dc3d8f96e8afe4/TT-16932 branch April 17, 2026 17:43
@MFCaballero MFCaballero reopened this Apr 17, 2026
@sonarqubecloud

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@MFCaballero MFCaballero marked this pull request as ready for review April 17, 2026 17:51
@probelabs probelabs bot (Contributor, Author) commented Apr 17, 2026

This PR addresses security vulnerability CVE-2026-32286 by upgrading core database dependencies, primarily migrating the PostgreSQL driver from pgx/v4 to pgx/v5 and updating the MySQL driver. The update required a specific workaround for a time.Month encoding issue in pgx/v5 and necessitated the introduction of extensive new integration test suites for both PostgreSQL and MySQL to ensure data integrity and prevent regressions.

Files Changed Analysis

The bulk of the changes consists of two new test files, pumps/sql_mysql_test.go and pumps/sql_pgxv5_test.go, which add over 900 lines of comprehensive testing for the new database drivers. Key changes include:

  • go.mod / go.sum: Upgraded gorm.io/driver/postgres (to v1.5.0), gorm.io/driver/mysql (to v1.3.2), and replaced jackc/pgx/v4 with jackc/pgx/v5.
  • pumps/sql.go: Implemented a custom connection hook for PostgreSQL to correctly handle time.Month encoding with pgx/v5.
  • .github/workflows/ci-test.yml: The CI workflow was refactored to use service containers for databases and now includes MySQL in the test matrix.
  • pumps/sql_*_test.go: Added comprehensive test suites validating migrations, batch writes, concurrency, upserts, and data type handling for the new drivers.

Architecture & Impact Assessment

  • Accomplishment: Patches CVE-2026-32286 by modernizing the SQL database drivers. This enhances security and brings the data persistence layer up to date with current library versions.
  • Key Technical Changes:
    • PostgreSQL Driver Upgrade: The migration from pgx/v4 to pgx/v5 is the most significant change, requiring code adaptation to handle the new driver's behavior.
    • Custom Encoding Plan: A workaround was added to ensure time.Month is encoded as an integer, not a string, by the new pgx/v5 driver, preventing data corruption.
    • Expanded Test Coverage: New test suites for both MySQL and PostgreSQL were introduced to validate the behavior of the upgraded drivers under various conditions, including concurrency, migrations, and complex data types.
  • Affected Components: The changes primarily affect the SQLPump, SQLAggregatePump, and GraphSQLPump within Tyk Pump, impacting all analytics data persistence to PostgreSQL and MySQL.

PostgreSQL Connection Logic Change

The upgrade to pgx/v5 required changing how the database connection is initialized to inject a custom type encoder.

graph TD
    subgraph "Before (pgx/v4)"
        A[SQLPump] --> B{gorm.Open};
        B --> C[gorm.io/driver/postgres];
        C --> D[DSN String];
    end

    subgraph "After (pgx/v5)"
        A2[SQLPump] --> E{"Dialect()"};
        E --> F[pgx.ParseConfig];
        F --> G[stdlib.OpenDB];
        G -- with --> H[AfterConnect Hook];
        H --> I[Register monthEncodePlan];
        G --> J[gorm.io/driver/postgres];
        J --> K{gorm.Open};
        A2 --> K;
    end

Scope Discovery & Context Expansion

The core of this PR is a dependency upgrade to mitigate a security risk. The direct impact is confined to the pumps package, but the nature of the change (database driver) makes it a critical update for the stability and correctness of the data pipeline.

  • The upgrade from pgx/v4 to v5 is a major version jump that introduced a subtle breaking change in time.Month encoding, which this PR correctly identifies and fixes.
  • The addition of over 900 lines of tests demonstrates the high-risk nature of the driver upgrade and provides crucial validation for data-centric operations like migrations, batch inserts, and ON CONFLICT clauses.
  • The CI pipeline was updated to support these changes, notably by adding MySQL to the test matrix, ensuring broader coverage for SQL-based pumps.

Metadata
  • Review Effort: 4 / 5
  • Primary Label: bug

Powered by Visor from Probelabs

Last updated: 2026-04-17T17:53:14.601Z | Triggered by: pr_updated | Commit: 917354c

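
The Visor summary above describes the workaround only at the level of the call graph: an AfterConnect hook registers a monthEncodePlan so that time.Month reaches PostgreSQL as an integer rather than as the string its String() method produces. The example below is added here to show that mechanism end to end; it is not code from Tyk Pump or from pgx. It rebuilds, with the standard library only, the encode-plan chain pattern that pgx/v5's pgtype package uses (EncodePlan, WrappedEncodePlanNextSetter, TryWrapEncodePlanFunc and a Map with a TryWrapEncodePlanFuncs list), so the stand-in types, the TypeMap, textEncodePlan, RegisterMonthEncodePlan and DefaultSQLConversion are this example's own names and not the driver's API. The terminal plan checks fmt.Stringer before integers on purpose to reproduce the symptom; how pgx itself arrives at the string form is the subject of jackc/pgx#2157 and is not reproduced here.

```go
package main

import (
	"database/sql/driver"
	"fmt"
	"strconv"
	"time"
)

// Stand-ins for pgtype.EncodePlan, pgtype.WrappedEncodePlanNextSetter and
// pgtype.TryWrapEncodePlanFunc (assumption: same shape, defined locally so the
// file builds without importing pgx/v5).
type EncodePlan interface {
	Encode(value any, buf []byte) ([]byte, error)
}

type WrappedEncodePlanNextSetter interface {
	SetNext(EncodePlan)
	EncodePlan
}

type TryWrapEncodePlanFunc func(value any) (plan WrappedEncodePlanNextSetter, nextValue any, ok bool)

// TypeMap is a toy pgtype.Map: wrapper funcs are tried in order and the first
// one that accepts the value rewrites it for the next plan in the chain.
type TypeMap struct {
	TryWrapEncodePlanFuncs []TryWrapEncodePlanFunc
}

// textEncodePlan is the terminal plan. fmt.Stringer is matched before the
// integer cases deliberately: that is what turns time.Month into "March".
type textEncodePlan struct{}

func (textEncodePlan) Encode(value any, buf []byte) ([]byte, error) {
	switch v := value.(type) {
	case fmt.Stringer:
		return append(buf, v.String()...), nil
	case int32:
		return strconv.AppendInt(buf, int64(v), 10), nil
	case int64:
		return strconv.AppendInt(buf, v, 10), nil
	case string:
		return append(buf, v...), nil
	}
	return nil, fmt.Errorf("no encode plan for %T", value)
}

// PlanEncode builds the chain for value: wrappers first, text plan last.
func (m *TypeMap) PlanEncode(value any) EncodePlan {
	for _, try := range m.TryWrapEncodePlanFuncs {
		if wrapper, next, ok := try(value); ok {
			wrapper.SetNext(m.PlanEncode(next))
			return wrapper
		}
	}
	return textEncodePlan{}
}

// Encode returns the text a parameter would be sent to the server as.
func (m *TypeMap) Encode(value any) (string, error) {
	buf, err := m.PlanEncode(value).Encode(value, nil)
	return string(buf), err
}

// monthEncodePlan is the fix: it converts time.Month to int32 before the next
// plan runs, so the Stringer path is never reached. The name follows the PR
// summary; the body is this example's own.
type monthEncodePlan struct{ next EncodePlan }

func (p *monthEncodePlan) SetNext(next EncodePlan) { p.next = next }

func (p *monthEncodePlan) Encode(value any, buf []byte) ([]byte, error) {
	m, ok := value.(time.Month)
	if !ok {
		return nil, fmt.Errorf("monthEncodePlan: expected time.Month, got %T", value)
	}
	return p.next.Encode(int32(m), buf)
}

func tryWrapMonthEncodePlan(value any) (WrappedEncodePlanNextSetter, any, bool) {
	if m, ok := value.(time.Month); ok {
		return &monthEncodePlan{}, int32(m), true
	}
	return nil, nil, false
}

// RegisterMonthEncodePlan is the job of the AfterConnect hook: prepend the
// wrapper on every new connection so it wins over the driver's defaults.
func RegisterMonthEncodePlan(tm *TypeMap) {
	tm.TryWrapEncodePlanFuncs = append(
		[]TryWrapEncodePlanFunc{tryWrapMonthEncodePlan}, tm.TryWrapEncodePlanFuncs...)
}

// DefaultSQLConversion shows the contrast: database/sql's own converter
// reduces any named integer type to int64, so only a driver that takes over
// parameter conversion ever sees a time.Month at all.
func DefaultSQLConversion(value any) (driver.Value, error) {
	return driver.DefaultParameterConverter.ConvertValue(value)
}

func main() {
	tm := &TypeMap{}
	before, _ := tm.Encode(time.March)
	RegisterMonthEncodePlan(tm)
	after, _ := tm.Encode(time.March)
	dflt, _ := DefaultSQLConversion(time.March)
	fmt.Printf("no plan: %q\nwith monthEncodePlan: %q\ndatabase/sql default: %v (%T)\n",
		before, after, dflt, dflt)
}
```

Against the real driver the same wrapper would be prepended to conn.TypeMap().TryWrapEncodePlanFuncs from the ConnConfig.AfterConnect callback, which is why the graph in the summary routes the connection through pgx.ParseConfig and stdlib.OpenDB before handing the resulting *sql.DB to gorm via postgres.Config{Conn: db}: gorm.Open with a plain DSN would let the driver build its connections without that hook. The DefaultSQLConversion call is the check to keep in mind when a driver implements driver.NamedValueChecker, as pgx's database/sql adapter does, because the int64 reduction shown there no longer happens for it.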

@probelabs probelabs bot (Contributor, Author) commented Apr 17, 2026

✅ Security Check Passed

No security issues found – changes LGTM.

Architecture Issues (1)

Severity: 🟡 Warning
Location: pumps/sql.go:96-139
Issue: The custom logic for handling `time.Month` encoding in the PostgreSQL dialect is a workaround for an issue in the `pgx/v5` driver (referenced as jackc/pgx#2157). While the implementation is well-contained and necessary for the current driver version, it creates a dependency on the internal type-mapping behavior of `pgx`. This constitutes a form of technical debt that should be managed.
💡 Suggestion: Consider adding a more prominent comment or linking to an internal tracking ticket to periodically review the status of the upstream `pgx` issue. If a future version of the driver resolves the `time.Month` encoding problem, this custom `monthEncodePlan` and the manual `sql.DB` construction logic should be removed to simplify the code and reduce maintenance overhead.

✅ Performance Check Passed

No performance issues found – changes LGTM.


Last updated: 2026-04-17T17:53:10.877Z | Triggered by: pr_updated | Commit: 917354c

@MFCaballero MFCaballero enabled auto-merge (squash) April 17, 2026 17:57
@MFCaballero MFCaballero disabled auto-merge April 17, 2026 17:58
@MFCaballero MFCaballero enabled auto-merge (squash) April 17, 2026 17:59
@buger buger disabled auto-merge April 17, 2026 18:26
@buger buger merged commit f5a914a into release-1.14.1 Apr 17, 2026
47 of 52 checks passed
@buger buger deleted the merge/release-1.14.1/76d4448681b75c1279e2e00b10dc3d8f96e8afe4/TT-16932 branch April 17, 2026 18:27