oss/forgejo-runner
oss/forgejo-runner
1
0
Fork 0
mirror of https://code.forgejo.org/forgejo/runner.git synced 2025-09-15 18:57:01 +00:00
Code Wiki Activity

Update github.com/go-viper/mapstructure/v2 (indirect) to v2.3.0 [SECURITY] (#622)

Browse source 
This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure) | `v2.2.1` -> `v2.3.0` | [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgo-viper%2fmapstructure%2fv2/v2.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgo-viper%2fmapstructure%2fv2/v2.2.1/v2.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

### mapstructure May Leak Sensitive Information in Logs When Processing Malformed Data
[GHSA-fv92-fjc5-jj9h](https://github.com/advisories/GHSA-fv92-fjc5-jj9h)

<details>
<summary>More information</summary>

#### Details
##### Summary

Use of this library in a security-critical context may result in leaking sensitive information, if used to process sensitive fields.

##### Details

OpenBao (and presumably HashiCorp Vault) have surfaced error messages from `mapstructure` as follows:

98c3a59c04/sdk/framework/field_data.go (L43-L50)

```go
			_, _, err := d.getPrimitive(field, schema)
			if err != nil {
				return fmt.Errorf("error converting input for field %q: %w", field, err)
			}
```

where this calls `mapstructure.WeakDecode(...)`: 98c3a59c04/sdk/framework/field_data.go (L181-L193)

```go

func (d *FieldData) getPrimitive(k string, schema *FieldSchema) (interface{}, bool, error) {
	raw, ok := d.Raw[k]
	if !ok {
		return nil, false, nil
	}

	switch t := schema.Type; t {
	case TypeBool:
		var result bool
		if err := mapstructure.WeakDecode(raw, &result); err != nil {
			return nil, false, err
		}
		return result, true, nil
```

Notably, `WeakDecode(...)` eventually calls one of the decode helpers, which surfaces the original value:

1a66224d5e/mapstructure.go (L679-L686)

1a66224d5e/mapstructure.go (L726-L730)

1a66224d5e/mapstructure.go (L783-L787)

& more.

##### PoC

To reproduce with OpenBao:

```
$ podman run -p 8300:8300 openbao/openbao:latest server -dev -dev-root-token-id=root -dev-listen-address=0.0.0.0:8300
```

and in a new tab:

```
$ BAO_TOKEN=root BAO_ADDR=http://localhost:8300 bao auth enable userpass
Success! Enabled userpass auth method at: userpass/
$ curl -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: root" -d '{"password":{"asdf":"my-sensitive-value"}}' "http://localhost:8300/v1/auth/userpass/users/adsf"
{"errors":["error converting input for field \"password\": '' expected type 'string', got unconvertible type 'map[string]interface {}', value: 'map[asdf:my-sensitive-value]'"]}
```

##### Impact

This is an information disclosure bug with little mitigation. See https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717 for a previous version. That version was fixed, but this is in the second part of that error message (starting at `'' expected a map, got 'string'` -- when the field type is `string` and a `map` is provided, we see the above information leak -- the previous example had a `map` type field with a `string` value provided).

This was rated 4.5 Medium by HashiCorp in the past iteration.

#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N`

#### References
- [https://github.com/go-viper/mapstructure/security/advisories/GHSA-fv92-fjc5-jj9h](https://github.com/go-viper/mapstructure/security/advisories/GHSA-fv92-fjc5-jj9h)
- [https://github.com/go-viper/mapstructure](https://github.com/go-viper/mapstructure)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-fv92-fjc5-jj9h) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>go-viper/mapstructure (github.com/go-viper/mapstructure/v2)</summary>

### [`v2.3.0`](https://github.com/go-viper/mapstructure/releases/tag/v2.3.0)

[Compare Source](https://github.com/go-viper/mapstructure/compare/v2.2.1...v2.3.0)

#### What's Changed

- build(deps): bump actions/checkout from 4.1.7 to 4.2.0 by [@&#8203;dependabot](https://github.com/dependabot) in https://github.com/go-viper/mapstructure/pull/46
- build(deps): bump golangci/golangci-lint-action from 6.1.0 to 6.1.1 by [@&#8203;dependabot](https://github.com/dependabot) in https://github.com/go-viper/mapstructure/pull/47
- \[enhancement] Add check for `reflect.Value` in `ComposeDecodeHookFunc` by [@&#8203;mahadzaryab1](https://github.com/mahadzaryab1) in https://github.com/go-viper/mapstructure/pull/52
- build(deps): bump actions/setup-go from 5.0.2 to 5.1.0 by [@&#8203;dependabot](https://github.com/dependabot) in https://github.com/go-viper/mapstructure/pull/51
- build(deps): bump actions/checkout from 4.2.0 to 4.2.2 by [@&#8203;dependabot](https://github.com/dependabot) in https://github.com/go-viper/mapstructure/pull/50
- build(deps): bump actions/setup-go from 5.1.0 to 5.2.0 by [@&#8203;dependabot](https://github.com/dependabot) in https://github.com/go-viper/mapstructure/pull/55
- build(deps): bump actions/setup-go from 5.2.0 to 5.3.0 by [@&#8203;dependabot](https://github.com/dependabot) in https://github.com/go-viper/mapstructure/pull/58
- ci: add Go 1.24 to the test matrix by [@&#8203;sagikazarmark](https://github.com/sagikazarmark) in https://github.com/go-viper/mapstructure/pull/74
- build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.5.0 by [@&#8203;dependabot](https://github.com/dependabot) in https://github.com/go-viper/mapstructure/pull/72
- build(deps): bump golangci/golangci-lint-action from 6.5.0 to 6.5.1 by [@&#8203;dependabot](https://github.com/dependabot) in https://github.com/go-viper/mapstructure/pull/76
- build(deps): bump actions/setup-go from 5.3.0 to 5.4.0 by [@&#8203;dependabot](https://github.com/dependabot) in https://github.com/go-viper/mapstructure/pull/78
- feat: add decode hook for netip.Prefix by [@&#8203;tklauser](https://github.com/tklauser) in https://github.com/go-viper/mapstructure/pull/85
- Updates by [@&#8203;sagikazarmark](https://github.com/sagikazarmark) in https://github.com/go-viper/mapstructure/pull/86
- build(deps): bump github/codeql-action from 2.13.4 to 3.28.15 by [@&#8203;dependabot](https://github.com/dependabot) in https://github.com/go-viper/mapstructure/pull/87
- build(deps): bump actions/setup-go from 5.4.0 to 5.5.0 by [@&#8203;dependabot](https://github.com/dependabot) in https://github.com/go-viper/mapstructure/pull/93
- build(deps): bump github/codeql-action from 3.28.15 to 3.28.17 by [@&#8203;dependabot](https://github.com/dependabot) in https://github.com/go-viper/mapstructure/pull/92
- build(deps): bump github/codeql-action from 3.28.17 to 3.28.19 by [@&#8203;dependabot](https://github.com/dependabot) in https://github.com/go-viper/mapstructure/pull/97
- build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by [@&#8203;dependabot](https://github.com/dependabot) in https://github.com/go-viper/mapstructure/pull/96
- Update README.md by [@&#8203;peczenyj](https://github.com/peczenyj) in https://github.com/go-viper/mapstructure/pull/90
- Add omitzero tag. by [@&#8203;Crystalix007](https://github.com/Crystalix007) in https://github.com/go-viper/mapstructure/pull/98
- Use error structs instead of duplicated strings by [@&#8203;m1k1o](https://github.com/m1k1o) in https://github.com/go-viper/mapstructure/pull/102
- build(deps): bump github/codeql-action from 3.28.19 to 3.29.0 by [@&#8203;dependabot](https://github.com/dependabot) in https://github.com/go-viper/mapstructure/pull/101
- feat: add common error interface by [@&#8203;sagikazarmark](https://github.com/sagikazarmark) in https://github.com/go-viper/mapstructure/pull/105
- update linter by [@&#8203;sagikazarmark](https://github.com/sagikazarmark) in https://github.com/go-viper/mapstructure/pull/106
- Feature allow unset pointer by [@&#8203;rostislaved](https://github.com/rostislaved) in https://github.com/go-viper/mapstructure/pull/80

#### New Contributors

- [@&#8203;tklauser](https://github.com/tklauser) made their first contribution in https://github.com/go-viper/mapstructure/pull/85
- [@&#8203;peczenyj](https://github.com/peczenyj) made their first contribution in https://github.com/go-viper/mapstructure/pull/90
- [@&#8203;Crystalix007](https://github.com/Crystalix007) made their first contribution in https://github.com/go-viper/mapstructure/pull/98
- [@&#8203;rostislaved](https://github.com/rostislaved) made their first contribution in https://github.com/go-viper/mapstructure/pull/80

**Full Changelog**: https://github.com/go-viper/mapstructure/compare/v2.2.1...v2.3.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xLjQiLCJ1cGRhdGVkSW5WZXIiOiI0MS4xLjQiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->

Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/622
Reviewed-by: earl-warren <earl-warren@noreply.code.forgejo.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>
This commit is contained in:
Renovate Bot 2025-06-29 07:35:20 +00:00 committed by earl-warren
parent decd9ae90b
commit 4c3cfd3dd7
No known key found for this signature in database
GPG key ID: F128CBE6AB3A7201
2 changed files with 3 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

2
go.mod
View file

@ -50,7 +50,7 @@ require (
github.com/go-git/go-git/v5 v5.13.1 // indirect
github.com/go-logr/logr v1.4.2 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
github.com/go-viper/mapstructure/v2 v2.3.0 // indirect
github.com/gobwas/glob v0.2.3 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect

4
go.sum
View file

@ -78,8 +78,8 @@ github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss=
github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
github.com/go-viper/mapstructure/v2 v2.3.0 h1:27XbWsHIqhbdR5TIC911OfYvgSaW93HM+dX7970Q7jk=
github.com/go-viper/mapstructure/v2 v2.3.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=