Update module github.com/gorilla/schema to v1.4.1 [SECURITY]

[bootc-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/gorilla/schema	v1.2.1 -> v1.4.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-37298

Details

Running schema.Decoder.Decode() on a struct that has a field of type []struct{...} opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. For instance, in the Proof of Concept written below, someone can specify to set a field of the billionth element and it will allocate all other elements before it in the slice.

In the local environment environment for my project, I was able to call an endpoint like /innocent_endpoint?arr.10000000.X=1 and freeze my system from the memory allocation while parsing r.Form. I think this line is responsible for allocating the slice, although I haven't tested to make sure, so it's just an educated guess.

Proof of Concept

The following proof of concept works on both v1.2.0 and v1.2.1. I have not tested earlier versions.

package main

import (
	"fmt"

	"github.com/gorilla/schema"
)

func main() {
	dec := schema.NewDecoder()
	var result struct {
		Arr []struct{ Val int }
	}
	if err := dec.Decode(&result, map[string][]string{"arr.1000000000.Val": {"1"}}); err != nil {
		panic(err)
	}
	fmt.Printf("%#+v\n", result)
}

Impact

Any use of schema.Decoder.Decode() on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. There seems to be no possible solution that a developer using this library can do to disable this behaviour without fixing it in this project, so all uses of Decode that fall under this umbrella are affected. A fix that doesn't require a major change may also be harder to find, since it could break compatibility with some other intended use-cases.

---

Release Notes

gorilla/schema (github.com/gorilla/schema)

v1.4.1

Compare Source

Security Release

Fixes an issue where sparse slice deserialization can cause memory exhaustion CVE-2024-37298

Thanks to @​AlexVasiluta for the report and following responsible disclosure.

Full Changelog: gorilla/schema@v1.4.0...v1.4.1

v1.4.0

Compare Source

What's Changed

• feat: if a different type in slice, raise error by @​lll-lll-lll-lll in #​212
• fixed panic: reflect: indirection through nil pointer to embedded struct by @​morus12 in #​211

New Contributors

• @​lll-lll-lll-lll made their first contribution in #​212

Full Changelog: gorilla/schema@v1.3.0...v1.3.1

v1.3.0

Compare Source

What's Changed

• Remove log.Fatal() usage in encoder.go by @​h2570su in #​207
• Add default tag by @​zak905 in #​183
• update readme: add informations about the default tag option usage by @​zak905 in #​209

New Contributors

• @​h2570su made their first contribution in #​207
• @​zak905 made their first contribution in #​183

Full Changelog: gorilla/schema@v1.2.1...v1.3.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[bootc-bot]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.