History

renovate[bot] 037e30b2f8 fix(security): update module github.com/go-viper/mapstructure/v2 to v2.4.0 [security] (#1784 ) This PR contains the following updates: \| Package \| Change \| Age \| Confidence \| \|---\|---\|---\|---\| \| [github.com/go-viper/mapstructure/v2](https://redirect.github.com/go-viper/mapstructure) \| `v2.3.0` -> `v2.4.0` \| [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgo-viper%2fmapstructure%2fv2/v2.4.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgo-viper%2fmapstructure%2fv2/v2.3.0/v2.4.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) \| ### GitHub Vulnerability Alerts #### [GHSA-2464-8j7c-4cjm](https://redirect.github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm) ### Summary Use of this library in a security-critical context may result in leaking sensitive information, if used to process sensitive fields. ### Details OpenBao (and presumably HashiCorp Vault) have surfaced error messages from `mapstructure` as follows: `98c3a59c04/sdk/framework/field_data.go (L43-L50)` ```go _, _, err := d.getPrimitive(field, schema) if err != nil { return fmt.Errorf("error converting input for field %q: %w", field, err) } ``` where this calls `mapstructure.WeakDecode(...)`: `98c3a59c04/sdk/framework/field_data.go (L181-L193)` ```go func (d FieldData) getPrimitive(k string, schema FieldSchema) (interface{}, bool, error) { raw, ok := d.Raw[k] if !ok { return nil, false, nil } switch t := schema.Type; t { case TypeBool: var result bool if err := mapstructure.WeakDecode(raw, &result); err != nil { return nil, false, err } return result, true, nil ``` Notably, `WeakDecode(...)` eventually calls one of the decode helpers, which surfaces the original value via `strconv` helpers: `8c61ec1924/mapstructure.go (L720-L727)` `8c61ec1924/mapstructure.go (L791-L798)` `8c61ec1924/decode_hooks.go (L180)` & more. These are different code paths than are fixed in the previous iteration at https://github.com/go-viper/mapstructure/security/advisories/GHSA-fv92-fjc5-jj9h. ### PoC To reproduce with OpenBao: ``` $ podman run --pull=always -p 8300:8300 openbao/openbao:latest server -dev -dev-root-token-id=root -dev-listen-address=0.0.0.0:8300 ``` and in a new tab: ``` $ BAO_TOKEN=root BAO_ADDR=http://localhost:8300 bao auth enable userpass Success! Enabled userpass auth method at: userpass/ $ curl -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: root" -d '{"ttl":"asdf"}' "http://localhost:8200/v1/auth/userpass/users/asdf" --> server logs: 2025-06-25T21:32:25.101-0500 [ERROR] core: failed to run existence check: error="error converting input for field \"ttl\": time: invalid duration \"asdf\"" ``` ### Impact This is an information disclosure bug with little mitigation. See https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717 for a previous version. That version was fixed, but this is in the second part of that error message (starting at `'' expected a map, got 'string'` -- when the field type is `string` and a `map` is provided, we see the above information leak -- the previous example had a `map` type field with a `string` value provided). This was rated 4.5 Medium by HashiCorp in the past iteration. --- ### Release Notes <details> <summary>go-viper/mapstructure (github.com/go-viper/mapstructure/v2)</summary> ### [`v2.4.0`](https://redirect.github.com/go-viper/mapstructure/releases/tag/v2.4.0) [Compare Source](https://redirect.github.com/go-viper/mapstructure/compare/v2.3.0...v2.4.0) #### What's Changed - refactor: replace interface{} with any by [@sagikazarmark](https://redirect.github.com/sagikazarmark) in [https://github.com/go-viper/mapstructure/pull/115](https://redirect.github.com/go-viper/mapstructure/pull/115) - build(deps): bump github/codeql-action from 3.29.0 to 3.29.2 by [@dependabot](https://redirect.github.com/dependabot)\[bot] in[https://github.com/go-viper/mapstructure/pull/114](https://redirect.github.com/go-viper/mapstructure/pull/114)4 - Generic tests by [@sagikazarmark](https://redirect.github.com/sagikazarmark) in [https://github.com/go-viper/mapstructure/pull/118](https://redirect.github.com/go-viper/mapstructure/pull/118) - Fix godoc reference link in README.md by [@peczenyj](https://redirect.github.com/peczenyj) in [https://github.com/go-viper/mapstructure/pull/107](https://redirect.github.com/go-viper/mapstructure/pull/107) - feat: add StringToTimeLocationHookFunc to convert strings to \time.Location by [@ErfanMomeniii](https://redirect.github.com/ErfanMomeniii) in [https://github.com/go-viper/mapstructure/pull/117](https://redirect.github.com/go-viper/mapstructure/pull/117) - feat: add back previous StringToSlice as a weak function by [@sagikazarmark](https://redirect.github.com/sagikazarmark) in [https://github.com/go-viper/mapstructure/pull/119](https://redirect.github.com/go-viper/mapstructure/pull/119) #### New Contributors - [@ErfanMomeniii](https://redirect.github.com/ErfanMomeniii) made their first contribution in [https://github.com/go-viper/mapstructure/pull/117](https://redirect.github.com/go-viper/mapstructure/pull/117) Full Changelog: https://github.com/go-viper/mapstructure/compare/v2.3.0...v2.4.0 </details> --- ### Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore*: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/open-feature/flagd). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS44MS4yIiwidXBkYXRlZEluVmVyIjoiNDEuODEuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsicmVub3ZhdGUiXX0=--> --------- Signed-off-by: Todd Baert <todd.baert@dynatrace.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Todd Baert <todd.baert@dynatrace.com>		2025-08-29 15:14:05 -04:00
..
cmd	fix: Skip flagd banner when non-console logger in use (#1516 )	2025-01-17 09:54:50 -05:00
pkg/service	feat!: remove sync.Type (#1691 )	2025-07-21 08:01:56 -04:00
tests/loadtest	fix(security): update module github.com/go-viper/mapstructure/v2 to v2.4.0 [security] (#1784 )	2025-08-29 15:14:05 -04:00
CHANGELOG.md	chore: release main (#1686 )	2025-07-23 16:39:41 -04:00
README.md	docs(flagd-proxy): removed invalid grpc prefix from uri config	2024-08-02 10:58:00 -04:00
build.Dockerfile	chore(deps): update golang docker tag to v1.24 (#1561 )	2025-02-13 03:39:57 +00:00
go.mod	fix(security): update module github.com/go-viper/mapstructure/v2 to v2.4.0 [security] (#1784 )	2025-08-29 15:14:05 -04:00
go.sum	fix(security): update module github.com/go-viper/mapstructure/v2 to v2.4.0 [security] (#1784 )	2025-08-29 15:14:05 -04:00
main.go	fix: Skip flagd banner when non-console logger in use (#1516 )	2025-01-17 09:54:50 -05:00

README.md

Kube Flagd Proxy

The kube flagd proxy acts as a pub sub for deployed flagd sidecar containers to subscribe to change events in FeatureFlag CRs.

On request, the flagd-proxy will spawn a goroutine to watch the CR using the `core` package Kubernetes sync. Each further request for the same resource will add a new stream to the broadcast list. Once all streams have been closed and there are no longer any listeners for a given resource, the sync will be closed.

The flagd-proxy API follows the flagd grpc spec, found in the buf schema registry, as such the existing grpc sync can be used to subscribe to the CR changes.

Deployment

The proxy can be deployed to any namespace, provided that the associated service account has been added to the flagd-kubernetes-sync cluster role binding. A sample deployment can be found in /config/deployments/flagd-proxy requiring the namespace flagd-proxy to be deployed.

kubectl create namespace flagd-proxy
kubectl apply -f ./config/deployments/flagd-proxy

Once the flagd-proxy has been deployed, any flagd instances subscribe to flag changes using the grpc sync, providing the target resource uri using the selector configuration field.

apiVersion: v1
kind: Pod
metadata:
  name: flagd
spec:
  containers:
  - name: flagd
    image: ghcr.io/open-feature/flagd:latest
    ports:
    - containerPort: 8013
    args:
    - start
    - --sources
    - '[{"uri":"flagd-proxy-svc.flagd-proxy.svc.cluster.local:8015","provider":"grpc","selector":"core.openfeature.dev/NAMESPACE/NAME"}]'
    - --debug
---
apiVersion: core.openfeature.dev/v1beta1
kind: FeatureFlag
metadata:
  name: end-to-end
spec:
  flagSpec:
    flags:
      color:
        state: ENABLED
        variants:
          red: CC0000
          green: 00CC00
          blue: 0000CC
          yellow: yellow
        defaultVariant: yellow

Once deployed, the client flagd instance will receive almost instant flag configuration change events.