Update github.com/go-viper/mapstructure/v2 (indirect) to v2.4.0 [SECURITY] (#904)

mirror of https://code.forgejo.org/forgejo/runner.git synced 2025-09-15 18:57:01 +00:00

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure) | `v2.3.0` -> `v2.4.0` | [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgo-viper%2fmapstructure%2fv2/v2.4.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgo-viper%2fmapstructure%2fv2/v2.3.0/v2.4.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

### go-viper's mapstructure May Leak Sensitive Information in Logs When Processing Malformed Data
[GHSA-2464-8j7c-4cjm](https://github.com/advisories/GHSA-2464-8j7c-4cjm)

<details>
<summary>More information</summary>

#### Details
##### Summary

Use of this library in a security-critical context may result in leaking sensitive information, if used to process sensitive fields.

##### Details

OpenBao (and presumably HashiCorp Vault) have surfaced error messages from `mapstructure` as follows:

98c3a59c04/sdk/framework/field_data.go (L43-L50)

```go
			_, _, err := d.getPrimitive(field, schema)
			if err != nil {
				return fmt.Errorf("error converting input for field %q: %w", field, err)
			}
```

where this calls `mapstructure.WeakDecode(...)`: 98c3a59c04/sdk/framework/field_data.go (L181-L193)

```go

func (d *FieldData) getPrimitive(k string, schema *FieldSchema) (interface{}, bool, error) {
	raw, ok := d.Raw[k]
	if !ok {
		return nil, false, nil
	}

	switch t := schema.Type; t {
	case TypeBool:
		var result bool
		if err := mapstructure.WeakDecode(raw, &result); err != nil {
			return nil, false, err
		}
		return result, true, nil
```

Notably, `WeakDecode(...)` eventually calls one of the decode helpers, which surfaces the original value via `strconv` helpers:

8c61ec1924/mapstructure.go (L720-L727)

8c61ec1924/mapstructure.go (L791-L798)

8c61ec1924/decode_hooks.go (L180)

& more. These are different code paths than are fixed in the previous iteration at https://github.com/go-viper/mapstructure/security/advisories/GHSA-fv92-fjc5-jj9h.

##### PoC

To reproduce with OpenBao:

```
$ podman run --pull=always -p 8300:8300 openbao/openbao:latest server -dev -dev-root-token-id=root -dev-listen-address=0.0.0.0:8300
```

and in a new tab:

```
$ BAO_TOKEN=root BAO_ADDR=http://localhost:8300 bao auth enable userpass
Success! Enabled userpass auth method at: userpass/
$ curl -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: root" -d '{"ttl":"asdf"}' "http://localhost:8200/v1/auth/userpass/users/asdf"

--> server logs:

2025-06-25T21:32:25.101-0500 [ERROR] core: failed to run existence check: error="error converting input for field \"ttl\": time: invalid duration \"asdf\""
```

##### Impact

This is an information disclosure bug with little mitigation. See https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717 for a previous version. That version was fixed, but this is in the second part of that error message (starting at `'' expected a map, got 'string'` -- when the field type is `string` and a `map` is provided, we see the above information leak -- the previous example had a `map` type field with a `string` value provided).

This was rated 4.5 Medium by HashiCorp in the past iteration.

#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N`

#### References
- [https://github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm](https://github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm)
- [742921c9ba)
- [https://github.com/go-viper/mapstructure](https://github.com/go-viper/mapstructure)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-2464-8j7c-4cjm) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>go-viper/mapstructure (github.com/go-viper/mapstructure/v2)</summary>

### [`v2.4.0`](https://github.com/go-viper/mapstructure/releases/tag/v2.4.0)

[Compare Source](https://github.com/go-viper/mapstructure/compare/v2.3.0...v2.4.0)

#### What's Changed

- refactor: replace interface{} with any by [@&#8203;sagikazarmark](https://github.com/sagikazarmark) in https://github.com/go-viper/mapstructure/pull/115
- build(deps): bump github/codeql-action from 3.29.0 to 3.29.2 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in https://github.com/go-viper/mapstructure/pull/114
- Generic tests by [@&#8203;sagikazarmark](https://github.com/sagikazarmark) in https://github.com/go-viper/mapstructure/pull/118
- Fix godoc reference link in README.md by [@&#8203;peczenyj](https://github.com/peczenyj) in https://github.com/go-viper/mapstructure/pull/107
- feat: add StringToTimeLocationHookFunc to convert strings to \*time.Location by [@&#8203;ErfanMomeniii](https://github.com/ErfanMomeniii) in https://github.com/go-viper/mapstructure/pull/117
- feat: add back previous StringToSlice as a weak function by [@&#8203;sagikazarmark](https://github.com/sagikazarmark) in https://github.com/go-viper/mapstructure/pull/119

#### New Contributors

- [@&#8203;ErfanMomeniii](https://github.com/ErfanMomeniii) made their first contribution in https://github.com/go-viper/mapstructure/pull/117

**Full Changelog**: https://github.com/go-viper/mapstructure/compare/v2.3.0...v2.4.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS43Ni4wIiwidXBkYXRlZEluVmVyIjoiNDEuNzYuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiS2luZC9DaG9yZSJdfQ==-->

<!--start release-notes-assistant-->
<!--URL:https://code.forgejo.org/forgejo/runner-->
- other
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/904): <!--number 904 --><!--line 0 --><!--description VXBkYXRlIGdpdGh1Yi5jb20vZ28tdmlwZXIvbWFwc3RydWN0dXJlL3YyIChpbmRpcmVjdCkgdG8gdjIuNC4wIFtTRUNVUklUWV0=-->Update github.com/go-viper/mapstructure/v2 (indirect) to v2.4.0 [SECURITY]<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/904
Reviewed-by: earl-warren <earl-warren@noreply.code.forgejo.org>
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>

This commit is contained in:

Renovate Bot

2025-08-21 19:44:03 +00:00

• committed by

earl-warren

parent 579c5e24fc

commit d2b39167a8

No known key found for this signature in database

GPG key ID: F128CBE6AB3A7201

2 changed files with 3 additions and 3 deletions

									
										2

go.mod
									
										View file
										
				@ -61,7 +61,7 @@ require (

					github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect

					github.com/go-logr/logr v1.4.2 // indirect

					github.com/go-logr/stdr v1.2.2 // indirect

					github.com/go-viper/mapstructure/v2 v2.3.0 // indirect

					github.com/go-viper/mapstructure/v2 v2.4.0 // indirect

					github.com/gogo/protobuf v1.3.2 // indirect

					github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect

					github.com/google/go-cmp v0.7.0 // indirect

4

go.sum

View file

 @ -76,8 +76,8 @@ github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-viper/mapstructure/v2 v2.3.0 h1:27XbWsHIqhbdR5TIC911OfYvgSaW93HM+dX7970Q7jk=
 github.com/go-viper/mapstructure/v2 v2.3.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
 github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=

Rows
Columns

Update github.com/go-viper/mapstructure/v2 (indirect) to v2.4.0 [SECURITY] (#904)

2 go.mod Unescape Escape View file

4 go.sum Unescape Escape View file

2

go.mod

View file

4

go.sum

View file