
fix(deps): update module github.com/oapi-codegen/oapi-codegen/v2 to v2.7.1 (main) #88

Open

crossplane-renovate[bot] wants to merge 1 commit into main from renovate/main-github.com-oapi-codegen-oapi-codegen-v2-2.x

Conversation

@crossplane-renovate

Contributor

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| github.com/oapi-codegen/oapi-codegen/v2 | v2.7.0 -> v2.7.1 | age | confidence |

Release Notes

oapi-codegen/oapi-codegen (github.com/oapi-codegen/oapi-codegen/v2)

v2.7.1: Security fix for Go code injection

Compare Source

This is a security fix for a code injection vulnerability in v2.7.0, please see:

GHSA-rjwr-m7qx-3fjr

[!NOTE]
A vulnerability like this requires that it is missed in code review and that you then call the malicious method.

Using an init() function could be enough to not require a direct call to the code, and instead rely on you importing the package, but either way, code review should be performed before any oapi-codegen generated code is executed.

We strongly recommend that all users review changes to their generated code before they execute anything within it, to protect against supply chain attacks or maliciously injected code.

This is also why we recommend oapi-codegen generated code is committed to source control.

We're more strict about escaping strings passed into the OpenAPI specification, so that people can't inject Go code into generated code.

The problem was that it was possible to craft a description for server URLs which would emit arbitrary Go code, so if an attacker controlled your specification, they could inject Go code into your generated code which could do something malicious.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.
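The release notes above describe the fix as stricter escaping of specification strings that end up in generated Go source. The following is an added example, not code from oapi-codegen or from this PR, showing the two halves of that idea in a small stand-alone generator: a naive emitter that pastes a spec-supplied server description straight into a string literal, a hardened emitter that uses `strconv.Quote` so quotes, newlines and backslashes stay inside the literal, and a `go/parser`-based check of the kind a reviewer or CI job could run over generated files to confirm they contain only the declarations expected. The server URL, the constant names and the sample description are constructed for the example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// Constructed sample: a server description as it might appear in an untrusted
// OpenAPI document. The embedded quote and newline are exactly the characters
// that matter once the value is interpolated into Go source.
const sampleDescription = "Production server \"eu-west\"\nsee docs"

// emitServerConstUnsafe is the pattern the fix moves away from: the raw
// description is dropped between two double quotes with no escaping, so any
// quote or newline in the input terminates the literal early.
func emitServerConstUnsafe(name, url, description string) string {
	return fmt.Sprintf("const %s = \"%s\"\nconst %sDescription = \"%s\"\n",
		name, url, name, description)
}

// emitServerConst is the hardened form. strconv.Quote always produces a
// single valid Go string literal, and the doc comment is written one line at
// a time so an embedded newline cannot end the comment and start a new token.
func emitServerConst(name, url, description string) string {
	var b strings.Builder
	for _, line := range strings.Split(description, "\n") {
		fmt.Fprintf(&b, "// %s\n", strings.TrimRight(line, "\r"))
	}
	fmt.Fprintf(&b, "const %s = %s\n", name, strconv.Quote(url))
	fmt.Fprintf(&b, "const %sDescription = %s\n", name, strconv.Quote(description))
	return b.String()
}

// checkGenerated parses a generated fragment and reports how many top-level
// declarations it contains and whether any of them is a function. A file that
// is supposed to hold only constants should never grow a func (init() or
// otherwise), which is the kind of thing the release notes ask reviewers to
// look for before running generated code.
func checkGenerated(src string) (numDecls int, hasFunc bool, err error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "generated.go", "package gen\n\n"+src, parser.ParseComments)
	if err != nil {
		return 0, false, err
	}
	for _, d := range f.Decls {
		numDecls++
		if _, ok := d.(*ast.FuncDecl); ok {
			hasFunc = true
		}
	}
	return numDecls, hasFunc, nil
}

func main() {
	url := "https://api.example.test/v1" // constructed value

	unsafeSrc := emitServerConstUnsafe("ServerEU", url, sampleDescription)
	_, _, err := checkGenerated(unsafeSrc)
	fmt.Println("unsafe emitter parses cleanly:", err == nil)

	safeSrc := emitServerConst("ServerEU", url, sampleDescription)
	fmt.Print(safeSrc)
	n, hasFunc, err := checkGenerated(safeSrc)
	fmt.Println("safe emitter decls:", n, "hasFunc:", hasFunc, "err:", err)
}
```

With the sample description, the unsafe emitter already produces source that does not parse, because the quote in the description closes the literal; that parse failure is the same mechanism by which a crafted description can push extra tokens into the file. The quoted form yields exactly two constant declarations and no functions, which is the property a review step can assert on generated output.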

@crossplane-renovate crossplane-renovate Bot requested a review from a team as a code owner June 8, 2026 09:32
@crossplane-renovate crossplane-renovate Bot requested review from adamwg and removed request for a team June 8, 2026 09:32