Commit 889d994
authored
fix(deps): Update module github.com/go-viper/mapstructure/v2 to v2.3.0 [SECURITY] (#20919)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/go-viper/mapstructure/v2](https://redirect.github.com/go-viper/mapstructure) | indirect | minor | `v2.2.1` -> `v2.3.0` |
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
### GitHub Vulnerability Alerts
#### [GHSA-fv92-fjc5-jj9h](https://redirect.github.com/go-viper/mapstructure/security/advisories/GHSA-fv92-fjc5-jj9h)
### Summary
Use of this library in a security-critical context may result in leaking sensitive information, if used to process sensitive fields.
### Details
OpenBao (and presumably HashiCorp Vault) have surfaced error messages from `mapstructure` as follows:
https://github.com/openbao/openbao/blob/98c3a59c040efca724353ca46ca79bd5cdbab920/sdk/framework/field_data.go#L43-L50
```go
_, _, err := d.getPrimitive(field, schema)
if err != nil {
return fmt.Errorf("error converting input for field %q: %w", field, err)
}
```
where this calls `mapstructure.WeakDecode(...)`: https://github.com/openbao/openbao/blob/98c3a59c040efca724353ca46ca79bd5cdbab920/sdk/framework/field_data.go#L181-L193
```go
func (d *FieldData) getPrimitive(k string, schema *FieldSchema) (interface{}, bool, error) {
raw, ok := d.Raw[k]
if !ok {
return nil, false, nil
}
switch t := schema.Type; t {
case TypeBool:
var result bool
if err := mapstructure.WeakDecode(raw, &result); err != nil {
return nil, false, err
}
return result, true, nil
```
Notably, `WeakDecode(...)` eventually calls one of the decode helpers, which surfaces the original value:
https://github.com/go-viper/mapstructure/blob/1a66224d5e54d8757f63bd66339cf764c3292c21/mapstructure.go#L679-L686
https://github.com/go-viper/mapstructure/blob/1a66224d5e54d8757f63bd66339cf764c3292c21/mapstructure.go#L726-L730
https://github.com/go-viper/mapstructure/blob/1a66224d5e54d8757f63bd66339cf764c3292c21/mapstructure.go#L783-L787
& more.
### PoC
To reproduce with OpenBao:
```
$ podman run -p 8300:8300 openbao/openbao:latest server -dev -dev-root-token-id=root -dev-listen-address=0.0.0.0:8300
```
and in a new tab:
```
$ BAO_TOKEN=root BAO_ADDR=http://localhost:8300 bao auth enable userpass
Success! Enabled userpass auth method at: userpass/
$ curl -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: root" -d '{"password":{"asdf":"my-sensitive-value"}}' "http://localhost:8300/v1/auth/userpass/users/adsf"
{"errors":["error converting input for field \"password\": '' expected type 'string', got unconvertible type 'map[string]interface {}', value: 'map[asdf:my-sensitive-value]'"]}
```
### Impact
This is an information disclosure bug with little mitigation. See https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717 for a previous version. That version was fixed, but this is in the second part of that error message (starting at `'' expected a map, got 'string'` -- when the field type is `string` and a `map` is provided, we see the above information leak -- the previous example had a `map` type field with a `string` value provided).
This was rated 4.5 Medium by HashiCorp in the past iteration.
---
### Release Notes
<details>
<summary>go-viper/mapstructure (github.com/go-viper/mapstructure/v2)</summary>
### [`v2.3.0`](https://redirect.github.com/go-viper/mapstructure/releases/tag/v2.3.0)
[Compare Source](https://redirect.github.com/go-viper/mapstructure/compare/v2.2.1...v2.3.0)
##### What's Changed
- build(deps): bump actions/checkout from 4.1.7 to 4.2.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/go-viper/mapstructure/pull/46](https://redirect.github.com/go-viper/mapstructure/pull/46)
- build(deps): bump golangci/golangci-lint-action from 6.1.0 to 6.1.1 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/go-viper/mapstructure/pull/47](https://redirect.github.com/go-viper/mapstructure/pull/47)
- \[enhancement] Add check for `reflect.Value` in `ComposeDecodeHookFunc` by [@​mahadzaryab1](https://redirect.github.com/mahadzaryab1) in [https://github.com/go-viper/mapstructure/pull/52](https://redirect.github.com/go-viper/mapstructure/pull/52)
- build(deps): bump actions/setup-go from 5.0.2 to 5.1.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/go-viper/mapstructure/pull/51](https://redirect.github.com/go-viper/mapstructure/pull/51)
- build(deps): bump actions/checkout from 4.2.0 to 4.2.2 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/go-viper/mapstructure/pull/50](https://redirect.github.com/go-viper/mapstructure/pull/50)
- build(deps): bump actions/setup-go from 5.1.0 to 5.2.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/go-viper/mapstructure/pull/55](https://redirect.github.com/go-viper/mapstructure/pull/55)
- build(deps): bump actions/setup-go from 5.2.0 to 5.3.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/go-viper/mapstructure/pull/58](https://redirect.github.com/go-viper/mapstructure/pull/58)
- ci: add Go 1.24 to the test matrix by [@​sagikazarmark](https://redirect.github.com/sagikazarmark) in [https://github.com/go-viper/mapstructure/pull/74](https://redirect.github.com/go-viper/mapstructure/pull/74)
- build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.5.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/go-viper/mapstructure/pull/72](https://redirect.github.com/go-viper/mapstructure/pull/72)
- build(deps): bump golangci/golangci-lint-action from 6.5.0 to 6.5.1 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/go-viper/mapstructure/pull/76](https://redirect.github.com/go-viper/mapstructure/pull/76)
- build(deps): bump actions/setup-go from 5.3.0 to 5.4.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/go-viper/mapstructure/pull/78](https://redirect.github.com/go-viper/mapstructure/pull/78)
- feat: add decode hook for netip.Prefix by [@​tklauser](https://redirect.github.com/tklauser) in [https://github.com/go-viper/mapstructure/pull/85](https://redirect.github.com/go-viper/mapstructure/pull/85)
- Updates by [@​sagikazarmark](https://redirect.github.com/sagikazarmark) in [https://github.com/go-viper/mapstructure/pull/86](https://redirect.github.com/go-viper/mapstructure/pull/86)
- build(deps): bump github/codeql-action from 2.13.4 to 3.28.15 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/go-viper/mapstructure/pull/87](https://redirect.github.com/go-viper/mapstructure/pull/87)
- build(deps): bump actions/setup-go from 5.4.0 to 5.5.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/go-viper/mapstructure/pull/93](https://redirect.github.com/go-viper/mapstructure/pull/93)
- build(deps): bump github/codeql-action from 3.28.15 to 3.28.17 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/go-viper/mapstructure/pull/92](https://redirect.github.com/go-viper/mapstructure/pull/92)
- build(deps): bump github/codeql-action from 3.28.17 to 3.28.19 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/go-viper/mapstructure/pull/97](https://redirect.github.com/go-viper/mapstructure/pull/97)
- build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/go-viper/mapstructure/pull/96](https://redirect.github.com/go-viper/mapstructure/pull/96)
- Update README.md by [@​peczenyj](https://redirect.github.com/peczenyj) in [https://github.com/go-viper/mapstructure/pull/90](https://redirect.github.com/go-viper/mapstructure/pull/90)
- Add omitzero tag. by [@​Crystalix007](https://redirect.github.com/Crystalix007) in [https://github.com/go-viper/mapstructure/pull/98](https://redirect.github.com/go-viper/mapstructure/pull/98)
- Use error structs instead of duplicated strings by [@​m1k1o](https://redirect.github.com/m1k1o) in [https://github.com/go-viper/mapstructure/pull/102](https://redirect.github.com/go-viper/mapstructure/pull/102)
- build(deps): bump github/codeql-action from 3.28.19 to 3.29.0 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/go-viper/mapstructure/pull/101](https://redirect.github.com/go-viper/mapstructure/pull/101)
- feat: add common error interface by [@​sagikazarmark](https://redirect.github.com/sagikazarmark) in [https://github.com/go-viper/mapstructure/pull/105](https://redirect.github.com/go-viper/mapstructure/pull/105)
- update linter by [@​sagikazarmark](https://redirect.github.com/sagikazarmark) in [https://github.com/go-viper/mapstructure/pull/106](https://redirect.github.com/go-viper/mapstructure/pull/106)
- Feature allow unset pointer by [@​rostislaved](https://redirect.github.com/rostislaved) in [https://github.com/go-viper/mapstructure/pull/80](https://redirect.github.com/go-viper/mapstructure/pull/80)
##### New Contributors
- [@​tklauser](https://redirect.github.com/tklauser) made their first contribution in [https://github.com/go-viper/mapstructure/pull/85](https://redirect.github.com/go-viper/mapstructure/pull/85)
- [@​peczenyj](https://redirect.github.com/peczenyj) made their first contribution in [https://github.com/go-viper/mapstructure/pull/90](https://redirect.github.com/go-viper/mapstructure/pull/90)
- [@​Crystalix007](https://redirect.github.com/Crystalix007) made their first contribution in [https://github.com/go-viper/mapstructure/pull/98](https://redirect.github.com/go-viper/mapstructure/pull/98)
- [@​rostislaved](https://redirect.github.com/rostislaved) made their first contribution in [https://github.com/go-viper/mapstructure/pull/80](https://redirect.github.com/go-viper/mapstructure/pull/80)
**Full Changelog**: go-viper/mapstructure@v2.2.1...v2.3.0
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).1 parent 5bea683 commit 889d994
6 files changed
+9
-9
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
79 | 79 | | |
80 | 80 | | |
81 | 81 | | |
82 | | - | |
| 82 | + | |
83 | 83 | | |
84 | 84 | | |
85 | 85 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
99 | 99 | | |
100 | 100 | | |
101 | 101 | | |
102 | | - | |
103 | | - | |
| 102 | + | |
| 103 | + | |
104 | 104 | | |
105 | 105 | | |
106 | 106 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
35 | 35 | | |
36 | 36 | | |
37 | 37 | | |
38 | | - | |
| 38 | + | |
39 | 39 | | |
40 | 40 | | |
41 | 41 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
95 | 95 | | |
96 | 96 | | |
97 | 97 | | |
98 | | - | |
99 | | - | |
| 98 | + | |
| 99 | + | |
100 | 100 | | |
101 | 101 | | |
102 | 102 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
48 | 48 | | |
49 | 49 | | |
50 | 50 | | |
51 | | - | |
| 51 | + | |
52 | 52 | | |
53 | 53 | | |
54 | 54 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
90 | 90 | | |
91 | 91 | | |
92 | 92 | | |
93 | | - | |
94 | | - | |
| 93 | + | |
| 94 | + | |
95 | 95 | | |
96 | 96 | | |
97 | 97 | | |
| |||
0 commit comments