chore: update module github.com/gorilla/schema to v1.4.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/gorilla/schema	v1.2.0 → v1.4.1

GitHub Vulnerability Alerts

CVE-2024-37298

Details

Running schema.Decoder.Decode() on a struct that has a field of type []struct{...} opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. For instance, in the Proof of Concept written below, someone can specify to set a field of the billionth element and it will allocate all other elements before it in the slice.

In the local environment environment for my project, I was able to call an endpoint like /innocent_endpoint?arr.10000000.X=1 and freeze my system from the memory allocation while parsing r.Form. I think this line is responsible for allocating the slice, although I haven't tested to make sure, so it's just an educated guess.

Proof of Concept

The following proof of concept works on both v1.2.0 and v1.2.1. I have not tested earlier versions.

package main

import (
	"fmt"

	"github.com/gorilla/schema"
)

func main() {
	dec := schema.NewDecoder()
	var result struct {
		Arr []struct{ Val int }
	}
	if err := dec.Decode(&result, map[string][]string{"arr.1000000000.Val": {"1"}}); err != nil {
		panic(err)
	}
	fmt.Printf("%#+v\n", result)
}

Impact

Any use of schema.Decoder.Decode() on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. There seems to be no possible solution that a developer using this library can do to disable this behaviour without fixing it in this project, so all uses of Decode that fall under this umbrella are affected. A fix that doesn't require a major change may also be harder to find, since it could break compatibility with some other intended use-cases.

---

Release Notes

gorilla/schema (github.com/gorilla/schema)

v1.4.1

Compare Source

Security Release

Fixes an issue where sparse slice deserialization can cause memory exhaustion CVE-2024-37298

Thanks to @​AlexVasiluta for the report and following responsible disclosure.

Full Changelog: gorilla/schema@v1.4.0...v1.4.1

v1.4.0

Compare Source

What's Changed

• feat: if a different type in slice, raise error by @​lll-lll-lll-lll in #​212
• fixed panic: reflect: indirection through nil pointer to embedded struct by @​morus12 in #​211

New Contributors

• @​lll-lll-lll-lll made their first contribution in #​212

Full Changelog: gorilla/schema@v1.3.0...v1.3.1

v1.3.0

Compare Source

What's Changed

• Remove log.Fatal() usage in encoder.go by @​h2570su in #​207
• Add default tag by @​zak905 in #​183
• update readme: add informations about the default tag option usage by @​zak905 in #​209

New Contributors

• @​h2570su made their first contribution in #​207
• @​zak905 made their first contribution in #​183

Full Changelog: gorilla/schema@v1.2.1...v1.3.0

v1.2.1

Compare Source

What's Changed

• build: use build matrix; drop Go <= 1.10 by @​elithrar in #​147
• doc: Update README CI badge by @​elithrar in #​148
• docs: remove travis badge by @​elithrar in #​149
• build: fix config.yml by @​elithrar in #​150
• [bug] Registered encoder doesn't work for struct pointer types by @​tkhametov in #​174
• Update README.md by @​coreydaley in #​197
• [GPT-98] Update go version & add verification/testing tools by @​apoorvajagtap in #​200
• fix misspell by @​YuyaAbo in #​192
• Update issues.yml by @​coreydaley in #​201
• update GitHub workflows by @​coreydaley in #​205

New Contributors

• @​tkhametov made their first contribution in #​174
• @​coreydaley made their first contribution in #​197
• @​apoorvajagtap made their first contribution in #​200
• @​YuyaAbo made their first contribution in #​192

Full Changelog: gorilla/schema@v1.2.0...v1.2.1

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Join our Discord community for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[netlify]

✅ Deploy Preview for reearth-classic canceled.

Name	Link
🔨 Latest commit	e07fa68
🔍 Latest deploy log	https://app.netlify.com/projects/reearth-classic/deploys/682d7b16dfe4db00083a132a

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 23.79%. Comparing base (703e022) to head (21b07db).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main      #70      +/-   ##
==========================================
- Coverage   23.80%   23.79%   -0.01%     
==========================================
  Files        1587     1588       +1     
  Lines      170092   170141      +49     
  Branches     2801     2801              
==========================================
  Hits        40486    40486              
- Misses     128439   128488      +49     
  Partials     1167     1167              

Flag	Coverage Δ
server	32.02% <ø> (-0.05%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1 file with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.