flagd/flagd-proxy/tests/loadtest
renovate[bot] 037e30b2f8
fix(security): update module github.com/go-viper/mapstructure/v2 to v2.4.0 [security] (#1784)
This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [github.com/go-viper/mapstructure/v2](https://redirect.github.com/go-viper/mapstructure) | `v2.3.0` -> `v2.4.0` | [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgo-viper%2fmapstructure%2fv2/v2.4.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgo-viper%2fmapstructure%2fv2/v2.3.0/v2.4.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [GHSA-2464-8j7c-4cjm](https://redirect.github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm)

### Summary

Use of this library in a security-critical context may result in leaking
sensitive information, if used to process sensitive fields.

### Details

OpenBao (and presumably HashiCorp Vault) have surfaced error messages
from `mapstructure` as follows:

98c3a59c04/sdk/framework/field_data.go (L43-L50)

```go
			_, _, err := d.getPrimitive(field, schema)
			if err != nil {
				return fmt.Errorf("error converting input for field %q: %w", field, err)
			}
```

where this calls `mapstructure.WeakDecode(...)`:
98c3a59c04/sdk/framework/field_data.go (L181-L193)

```go
func (d *FieldData) getPrimitive(k string, schema *FieldSchema) (interface{}, bool, error) {
	raw, ok := d.Raw[k]
	if !ok {
		return nil, false, nil
	}

	switch t := schema.Type; t {
	case TypeBool:
		var result bool
		if err := mapstructure.WeakDecode(raw, &result); err != nil {
			return nil, false, err
		}
		return result, true, nil
```

Notably, `WeakDecode(...)` eventually calls one of the decode helpers,
which surfaces the original value via `strconv` helpers:

8c61ec1924/mapstructure.go (L720-L727)
8c61ec1924/mapstructure.go (L791-L798)
8c61ec1924/decode_hooks.go (L180)

& more. These are different code paths than are fixed in the previous
iteration at
https://github.com/go-viper/mapstructure/security/advisories/GHSA-fv92-fjc5-jj9h.

### PoC

To reproduce with OpenBao:

```shell
$ podman run --pull=always -p 8300:8300 openbao/openbao:latest server -dev -dev-root-token-id=root -dev-listen-address=0.0.0.0:8300
```

and in a new tab:

```console
$ BAO_TOKEN=root BAO_ADDR=http://localhost:8300 bao auth enable userpass
Success! Enabled userpass auth method at: userpass/
$ curl -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: root" -d '{"ttl":"asdf"}' "http://localhost:8200/v1/auth/userpass/users/asdf"

--> server logs:

2025-06-25T21:32:25.101-0500 [ERROR] core: failed to run existence check: error="error converting input for field \"ttl\": time: invalid duration \"asdf\""
```

### Impact

This is an information disclosure bug with little mitigation. See
https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717
for a previous version. That version was fixed, but this is in the
second part of that error message (starting at `'' expected a map, got
'string'` -- when the field type is `string` and a `map` is provided, we
see the above information leak -- the previous example had a `map` type
field with a `string` value provided).

This was rated 4.5 Medium by HashiCorp in the past iteration.

---

### Release Notes

<details>
<summary>go-viper/mapstructure (github.com/go-viper/mapstructure/v2)</summary>

### [`v2.4.0`](https://redirect.github.com/go-viper/mapstructure/releases/tag/v2.4.0)

[Compare Source](https://redirect.github.com/go-viper/mapstructure/compare/v2.3.0...v2.4.0)

#### What's Changed

- refactor: replace interface{} with any by [@sagikazarmark](https://redirect.github.com/sagikazarmark) in [https://github.com/go-viper/mapstructure/pull/115](https://redirect.github.com/go-viper/mapstructure/pull/115)
- build(deps): bump github/codeql-action from 3.29.0 to 3.29.2 by [@dependabot](https://redirect.github.com/dependabot)[bot] in [https://github.com/go-viper/mapstructure/pull/114](https://redirect.github.com/go-viper/mapstructure/pull/114)
- Generic tests by [@sagikazarmark](https://redirect.github.com/sagikazarmark) in [https://github.com/go-viper/mapstructure/pull/118](https://redirect.github.com/go-viper/mapstructure/pull/118)
- Fix godoc reference link in README.md by [@peczenyj](https://redirect.github.com/peczenyj) in [https://github.com/go-viper/mapstructure/pull/107](https://redirect.github.com/go-viper/mapstructure/pull/107)
- feat: add StringToTimeLocationHookFunc to convert strings to \*time.Location by [@ErfanMomeniii](https://redirect.github.com/ErfanMomeniii) in [https://github.com/go-viper/mapstructure/pull/117](https://redirect.github.com/go-viper/mapstructure/pull/117)
- feat: add back previous StringToSlice as a weak function by [@sagikazarmark](https://redirect.github.com/sagikazarmark) in [https://github.com/go-viper/mapstructure/pull/119](https://redirect.github.com/go-viper/mapstructure/pull/119)

#### New Contributors

- [@ErfanMomeniii](https://redirect.github.com/ErfanMomeniii) made their first contribution in [https://github.com/go-viper/mapstructure/pull/117](https://redirect.github.com/go-viper/mapstructure/pull/117)

**Full Changelog**:
https://github.com/go-viper/mapstructure/compare/v2.3.0...v2.4.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/open-feature/flagd).


---------

Signed-off-by: Todd Baert <todd.baert@dynatrace.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Todd Baert <todd.baert@dynatrace.com>
2025-08-29 15:14:05 -04:00
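The advisory above is about decode errors that echo the raw input (`time: invalid duration "asdf"`) into server logs. The following is an added example, not code from flagd, mapstructure or OpenBao: `convertField`, `FieldError` and `leaksInput` are hypothetical names, and it uses only `strconv` and `time` so it runs stand-alone; it shows a consumer-side pattern of replacing the parser's error with one that names the field and expected type but never the value.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// FieldError replaces the parser's error so the raw (possibly sensitive) input never reaches logs.
type FieldError struct {
	Field string // schema field name, e.g. "ttl"
	Kind  string // expected primitive: "bool", "int" or "duration"
}

func (e *FieldError) Error() string {
	return fmt.Sprintf("error converting input for field %q: expected %s", e.Field, e.Kind)
}

// convertField does the string-to-primitive conversions a weak decode performs
// for a schema field. strconv and time errors embed the input verbatim
// (e.g. `time: invalid duration "asdf"`), so they are dropped, not wrapped.
func convertField(field, kind, raw string) (any, error) {
	var v any
	var err error
	switch kind {
	case "bool":
		v, err = strconv.ParseBool(raw)
	case "int":
		v, err = strconv.Atoi(raw)
	case "duration":
		v, err = time.ParseDuration(raw)
	default:
		err = fmt.Errorf("unsupported kind")
	}
	if err != nil {
		return nil, &FieldError{Field: field, Kind: kind}
	}
	return v, nil
}

// leaksInput reports whether an error message echoes the raw input (a regression guard for tests).
func leaksInput(err error, raw string) bool {
	return err != nil && strings.Contains(err.Error(), raw)
}

func main() {
	_, err := convertField("ttl", "duration", "asdf") // constructed value from the PoC above
	fmt.Println(err, "| leaks input:", leaksInput(err, "asdf"))
}
```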
| Name | Last commit | Date |
|---|---|---|
| config | test: introduce flagd-proxy profiling tool (#599) | 2023-04-13 09:40:00 -04:00 |
| pkg | fix(deps): update module buf.build/gen/go/open-feature/flagd/grpc/go to v1.5.1-20240906125204-0a6a901b42e8.1 (#1400) | 2024-09-23 10:39:19 -04:00 |
| .gitignore | test: introduce flagd-proxy profiling tool (#599) | 2023-04-13 09:40:00 -04:00 |
| README.md | test: introduce flagd-proxy profiling tool (#599) | 2023-04-13 09:40:00 -04:00 |
| go.mod | fix(security): update module github.com/go-viper/mapstructure/v2 to v2.4.0 [security] (#1784) | 2025-08-29 15:14:05 -04:00 |
| go.sum | fix(security): update module github.com/go-viper/mapstructure/v2 to v2.4.0 [security] (#1784) | 2025-08-29 15:14:05 -04:00 |
| main.go | test: introduce flagd-proxy profiling tool (#599) | 2023-04-13 09:40:00 -04:00 |
| target.json | test: introduce flagd-proxy profiling tool (#599) | 2023-04-13 09:40:00 -04:00 |

README.md

# flagd Proxy Profiling

This Go module contains a profiling tool for flagd-proxy. It starts n watchers against a single flag configuration resource and measures how server load and flag configuration size affect the time between a configuration change being written and all watchers receiving it.

## Pseudo Code

1. Parse the configuration file referenced as the only startup argument
2. Loop for each defined repeat
3. Write the start configuration to the target file
4. Start n watchers for the resource using a gRPC sync, defining the selector as `file:TARGET-FILE`
5. Wait for all watchers to receive their first configuration change event (which contains the full configuration object)
6. Flush the change event channel to ensure no previous events remain
7. Trigger a configuration change event by writing the end configuration to the target file
8. Time how long it takes for all watchers to receive the new configuration

## Example

Run the flagd-proxy locally (from the project root):

```shell
go run flagd-proxy/main.go start --port 8080
```

Run the flagd-proxy-profiler (from the project root):

```shell
go run flagd-proxy/tests/loadtest/main.go ./flagd-proxy/tests/loadtest/config/config.json
```

Once the tests have run, the results can be found in `./flagd-proxy/tests/loadtest/profiling-results.json`.

## Sample Configuration

```json
{
    "triggerType": "filepath",
    "fileTriggerConfig": {
        "startFile": "./start-spec.json",
        "endFile": "./config/end-spec.json",
        "targetFile": "./target.json"
    },
    "handlerConfig": {
        "filePath": "./target.json",
        "outFile": "./profiling-results.json",
        "host": "localhost",
        "port": 8080
    },
    "tests": [
        {
            "watchers": 10000,
            "repeats": 5,
            "delay": 2000000000
        }
    ]
}
```