vuln: Fix GO-2025-3770 vulnerability

2025-08-07 12:34:45 +01:00 · 2025-08-07 12:34:45 +01:00 · 6c3df26b3c
parent 1cedefa1c2
commit 6c3df26b3c
13 changed files with 148 additions and 48 deletions
--- a/go.mod
+++ b/go.mod
@ -10,7 +10,7 @@ require (
 	github.com/fortytw2/leaktest v1.3.0
 	github.com/fsnotify/fsnotify v1.4.9
 	github.com/getsentry/sentry-go v0.16.0
-	github.com/go-chi/chi/v5 v5.0.10
+	github.com/go-chi/chi/v5 v5.2.2
 	github.com/go-chi/cors v1.2.1
 	github.com/go-jose/go-jose/v4 v4.1.0
 	github.com/gobwas/ws v1.2.1
--- a/go.sum
+++ b/go.sum
@ -58,8 +58,8 @@ github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm
 github.com/gin-gonic/gin v1.6.3/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwvtwp4M=
 github.com/gin-gonic/gin v1.9.1 h1:4idEAncQnU5cB7BeOkPtxjfCSye0AAm1R0RVIqJ+Jmg=
 github.com/gin-gonic/gin v1.9.1/go.mod h1:hPrL7YrpYKXt5YId3A/Tnip5kqbEAP+KLuI3SUcPTeU=
-github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk=
-github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-chi/chi/v5 v5.2.2 h1:CMwsvRVTbXVytCk1Wd72Zy1LAsAh9GxMmSNWLHCG618=
+github.com/go-chi/chi/v5 v5.2.2/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
 github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
 github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
--- a/vendor/github.com/go-chi/chi/v5/CHANGELOG.md
+++ b/vendor/github.com/go-chi/chi/v5/CHANGELOG.md
@ -1,9 +1,19 @@
 # Changelog

+## v5.0.12 (2024-02-16)
+
+- History of changes: see https://github.com/go-chi/chi/compare/v5.0.11...v5.0.12
+
+
+## v5.0.11 (2023-12-19)
+
+- History of changes: see https://github.com/go-chi/chi/compare/v5.0.10...v5.0.11
+
+
 ## v5.0.10 (2023-07-13)

 - Fixed small edge case in tests of v5.0.9 for older Go versions
- History of changes: see https://github.com/go-chi/chi/compare/v5.0.8...v5.0.10
+- History of changes: see https://github.com/go-chi/chi/compare/v5.0.9...v5.0.10


 ## v5.0.9 (2023-07-13)
@ -306,7 +316,7 @@ Cheers all, happy coding!
  request-scoped values. We're very excited about the new context addition and are proud to
  introduce chi v2, a minimal and powerful routing package for building large HTTP services,
  with zero external dependencies. Chi focuses on idiomatic design and encourages the use of 
-  stdlib HTTP handlers and middlwares.
+  stdlib HTTP handlers and middlewares.
 - chi v2 deprecates its `chi.Handler` interface and requires `http.Handler` or `http.HandlerFunc`
 - chi v2 stores URL routing parameters and patterns in the standard request context: `r.Context()`
 - chi v2 lower-level routing context is accessible by `chi.RouteContext(r.Context()) *chi.Context`,
--- a/vendor/github.com/go-chi/chi/v5/CONTRIBUTING.md
+++ b/vendor/github.com/go-chi/chi/v5/CONTRIBUTING.md
@ -14,7 +14,7 @@

 A typical workflow is:

-1. [Fork the repository.][fork] [This tip maybe also helpful.][go-fork-tip]
+1. [Fork the repository.][fork]
 2. [Create a topic branch.][branch]
 3. Add tests for your change.
 4. Run `go test`. If your tests pass, return to the step 3.
@ -24,8 +24,8 @@ A typical workflow is:
 8. [Submit a pull request.][pull-req]

 [go-install]: https://golang.org/doc/install
-[go-fork-tip]: http://blog.campoy.cat/2014/03/github-and-go-forking-pull-requests-and.html
-[fork]: https://help.github.com/articles/fork-a-repo
-[branch]: http://learn.github.com/p/branching.html
-[git-help]: https://guides.github.com
-[pull-req]: https://help.github.com/articles/using-pull-requests
+[fork]: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/working-with-forks/fork-a-repo
+[branch]: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-branches 
+[git-help]: https://docs.github.com/en
+[pull-req]: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-pull-requests
+
--- a/vendor/github.com/go-chi/chi/v5/README.md
+++ b/vendor/github.com/go-chi/chi/v5/README.md
@ -20,7 +20,9 @@ and [docgen](https://github.com/go-chi/docgen). We hope you enjoy it too!

 ## Install

-`go get -u github.com/go-chi/chi/v5`
+```sh
+go get -u github.com/go-chi/chi/v5
+```


 ## Features
@ -65,7 +67,7 @@ func main() {

 **REST Preview:**

-Here is a little preview of how routing looks like with chi. Also take a look at the generated routing docs
+Here is a little preview of what routing looks like with chi. Also take a look at the generated routing docs
 in JSON ([routes.json](https://github.com/go-chi/chi/blob/master/_examples/rest/routes.json)) and in
 Markdown ([routes.md](https://github.com/go-chi/chi/blob/master/_examples/rest/routes.md)).

@ -194,7 +196,7 @@ type Router interface {
 	// path, with a fresh middleware stack for the inline-Router.
 	Group(fn func(r Router)) Router

-	// Route mounts a sub-Router along a `pattern`` string.
+	// Route mounts a sub-Router along a `pattern` string.
 	Route(pattern string, fn func(r Router)) Router

 	// Mount attaches another http.Handler along ./pattern/*
@ -354,6 +356,7 @@ with `net/http` can be used with chi's mux.
 | [RouteHeaders]         | Route handling for request headers                                      |
 | [SetHeader]            | Short-hand middleware to set a response header key/value                |
 | [StripSlashes]         | Strip slashes on routing paths                                          |
+| [Sunset]               | Sunset set Deprecation/Sunset header to response                        |
 | [Throttle]             | Puts a ceiling on the number of concurrent requests                     |
 | [Timeout]              | Signals to the request context when the timeout deadline is reached     |
 | [URLFormat]            | Parse extension from url and put it on request context                  |
@ -380,6 +383,7 @@ with `net/http` can be used with chi's mux.
 [RouteHeaders]: https://pkg.go.dev/github.com/go-chi/chi/middleware#RouteHeaders
 [SetHeader]: https://pkg.go.dev/github.com/go-chi/chi/middleware#SetHeader
 [StripSlashes]: https://pkg.go.dev/github.com/go-chi/chi/middleware#StripSlashes
+[Sunset]: https://pkg.go.dev/github.com/go-chi/chi/v5/middleware#Sunset
 [Throttle]: https://pkg.go.dev/github.com/go-chi/chi/middleware#Throttle
 [ThrottleBacklog]: https://pkg.go.dev/github.com/go-chi/chi/middleware#ThrottleBacklog
 [ThrottleWithOpts]: https://pkg.go.dev/github.com/go-chi/chi/middleware#ThrottleWithOpts
@ -467,7 +471,8 @@ how setting context on a request in Go works.

 * Carl Jackson for https://github.com/zenazn/goji
  * Parts of chi's thinking comes from goji, and chi's middleware package
-    sources from goji.
+    sources from [goji](https://github.com/zenazn/goji/tree/master/web/middleware).
+  * Please see goji's [LICENSE](https://github.com/zenazn/goji/blob/master/LICENSE) (MIT)
 * Armon Dadgar for https://github.com/armon/go-radix
 * Contributions: [@VojtechVitek](https://github.com/VojtechVitek)

@ -494,7 +499,7 @@ Copyright (c) 2015-present [Peter Kieltyka](https://github.com/pkieltyka)

 Licensed under [MIT License](./LICENSE)

-[GoDoc]: https://pkg.go.dev/github.com/go-chi/chi?tab=versions
+[GoDoc]: https://pkg.go.dev/github.com/go-chi/chi/v5
 [GoDoc Widget]: https://godoc.org/github.com/go-chi/chi?status.svg
 [Travis]: https://travis-ci.org/go-chi/chi
 [Travis Widget]: https://travis-ci.org/go-chi/chi.svg?branch=master
--- a/vendor/github.com/go-chi/chi/v5/SECURITY.md
+++ b/vendor/github.com/go-chi/chi/v5/SECURITY.md
@ -0,0 +1,5 @@
+# Reporting Security Issues
+
+We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
+
+To report a security issue, please use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/go-chi/chi/security/advisories/new) tab.
--- a/vendor/github.com/go-chi/chi/v5/chi.go
+++ b/vendor/github.com/go-chi/chi/v5/chi.go
@ -37,8 +37,7 @@
 //
 // A placeholder with a name followed by a colon allows a regular
 // expression match, for example {number:\\d+}. The regular expression
-// syntax is Go's normal regexp RE2 syntax, except that regular expressions
-// including { or } are not supported, and / will never be
+// syntax is Go's normal regexp RE2 syntax, except that / will never be
 // matched. An anonymous regexp pattern is allowed, using an empty string
 // before the colon in the placeholder, such as {:\\d+}
 //
@ -51,7 +50,7 @@
 //	"/user/{name}" matches "/user/jsmith" but not "/user/jsmith/info" or "/user/jsmith/"
 //	"/user/{name}/info" matches "/user/jsmith/info"
 //	"/page/*" matches "/page/intro/latest"
-//	"/page/{other}/index" also matches "/page/intro/latest"
+//	"/page/{other}/latest" also matches "/page/intro/latest"
 //	"/date/{yyyy:\\d\\d\\d\\d}/{mm:\\d\\d}/{dd:\\d\\d}" matches "/date/2017/04/01"
 package chi

@ -127,6 +126,10 @@ type Routes interface {
 	// the method/path - similar to routing a http request, but without
 	// executing the handler thereafter.
 	Match(rctx *Context, method, path string) bool
+
+	// Find searches the routing tree for the pattern that matches
+	// the method/path.
+	Find(rctx *Context, method, path string) string
 }

 // Middlewares type is a slice of standard middleware handlers with methods
--- a/vendor/github.com/go-chi/chi/v5/context.go
+++ b/vendor/github.com/go-chi/chi/v5/context.go
@ -60,7 +60,7 @@ type Context struct {
 	URLParams RouteParams

 	// Route parameters matched for the current sub-router. It is
-	// intentionally unexported so it cant be tampered.
+	// intentionally unexported so it can't be tampered.
 	routeParams RouteParams

 	// The endpoint routing pattern that matched the request URI path
@ -74,9 +74,8 @@ type Context struct {
 	// patterns across a stack of sub-routers.
 	RoutePatterns []string

-	// methodNotAllowed hint
-	methodNotAllowed bool
 	methodsAllowed   []methodTyp // allowed methods in case of a 405
+	methodNotAllowed bool
 }

 // Reset a routing context to its initial state.
@ -92,6 +91,7 @@ func (x *Context) Reset() {
 	x.routeParams.Keys = x.routeParams.Keys[:0]
 	x.routeParams.Values = x.routeParams.Values[:0]
 	x.methodNotAllowed = false
+	x.methodsAllowed = x.methodsAllowed[:0]
 	x.parentCtx = nil
 }

@ -109,22 +109,27 @@ func (x *Context) URLParam(key string) string {
 // RoutePattern builds the routing pattern string for the particular
 // request, at the particular point during routing. This means, the value
 // will change throughout the execution of a request in a router. That is
-// why its advised to only use this value after calling the next handler.
+// why it's advised to only use this value after calling the next handler.
 //
 // For example,
 //
-//   func Instrument(next http.Handler) http.Handler {
-//     return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-//       next.ServeHTTP(w, r)
-//       routePattern := chi.RouteContext(r.Context()).RoutePattern()
-//       measure(w, r, routePattern)
-//   	 })
-//   }
+//	func Instrument(next http.Handler) http.Handler {
+//		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+//			next.ServeHTTP(w, r)
+//			routePattern := chi.RouteContext(r.Context()).RoutePattern()
+//			measure(w, r, routePattern)
+//		})
+//	}
 func (x *Context) RoutePattern() string {
+	if x == nil {
+		return ""
+	}
 	routePattern := strings.Join(x.RoutePatterns, "")
 	routePattern = replaceWildcards(routePattern)
-	routePattern = strings.TrimSuffix(routePattern, "//")
-	routePattern = strings.TrimSuffix(routePattern, "/")
+	if routePattern != "/" {
+		routePattern = strings.TrimSuffix(routePattern, "//")
+		routePattern = strings.TrimSuffix(routePattern, "/")
+	}
 	return routePattern
 }

--- a/vendor/github.com/go-chi/chi/v5/mux.go
+++ b/vendor/github.com/go-chi/chi/v5/mux.go
@ -107,12 +107,22 @@ func (mx *Mux) Use(middlewares ...func(http.Handler) http.Handler) {
 // Handle adds the route `pattern` that matches any http method to
 // execute the `handler` http.Handler.
 func (mx *Mux) Handle(pattern string, handler http.Handler) {
+	if method, rest, found := strings.Cut(pattern, " "); found {
+		mx.Method(method, rest, handler)
+		return
+	}
+
 	mx.handle(mALL, pattern, handler)
 }

 // HandleFunc adds the route `pattern` that matches any http method to
 // execute the `handlerFn` http.HandlerFunc.
 func (mx *Mux) HandleFunc(pattern string, handlerFn http.HandlerFunc) {
+	if method, rest, found := strings.Cut(pattern, " "); found {
+		mx.Method(method, rest, handlerFn)
+		return
+	}
+
 	mx.handle(mALL, pattern, handlerFn)
 }

@ -250,20 +260,19 @@ func (mx *Mux) With(middlewares ...func(http.Handler) http.Handler) Router {
 	return im
 }

-// Group creates a new inline-Mux with a fresh middleware stack. It's useful
+// Group creates a new inline-Mux with a copy of middleware stack. It's useful
 // for a group of handlers along the same routing path that use an additional
 // set of middlewares. See _examples/.
 func (mx *Mux) Group(fn func(r Router)) Router {
-	im := mx.With().(*Mux)
+	im := mx.With()
 	if fn != nil {
 		fn(im)
 	}
 	return im
 }

-// Route creates a new Mux with a fresh middleware stack and mounts it
-// along the `pattern` as a subrouter. Effectively, this is a short-hand
-// call to Mount. See _examples/.
+// Route creates a new Mux and mounts it along the `pattern` as a subrouter.
+// Effectively, this is a short-hand call to Mount. See _examples/.
 func (mx *Mux) Route(pattern string, fn func(r Router)) Router {
 	if fn == nil {
 		panic(fmt.Sprintf("chi: attempting to Route() a nil subrouter on '%s'", pattern))
@ -352,19 +361,40 @@ func (mx *Mux) Middlewares() Middlewares {
 // Note: the *Context state is updated during execution, so manage
 // the state carefully or make a NewRouteContext().
 func (mx *Mux) Match(rctx *Context, method, path string) bool {
+	return mx.Find(rctx, method, path) != ""
+}
+
+// Find searches the routing tree for the pattern that matches
+// the method/path.
+//
+// Note: the *Context state is updated during execution, so manage
+// the state carefully or make a NewRouteContext().
+func (mx *Mux) Find(rctx *Context, method, path string) string {
 	m, ok := methodMap[method]
 	if !ok {
-		return false
+		return ""
 	}

-	node, _, h := mx.tree.FindRoute(rctx, m, path)
+	node, _, _ := mx.tree.FindRoute(rctx, m, path)
+	pattern := rctx.routePattern
+
+	if node != nil {
+		if node.subroutes == nil {
+			e := node.endpoints[m]
+			return e.pattern
+		}

-	if node != nil && node.subroutes != nil {
 		rctx.RoutePath = mx.nextRoutePath(rctx)
-		return node.subroutes.Match(rctx, method, rctx.RoutePath)
+		subPattern := node.subroutes.Find(rctx, method, rctx.RoutePath)
+		if subPattern == "" {
+			return ""
+		}
+
+		pattern = strings.TrimSuffix(pattern, "/*")
+		pattern += subPattern
 	}

-	return h != nil
+	return pattern
 }

 // NotFoundHandler returns the default Mux 404 responder whenever a route
@ -441,6 +471,10 @@ func (mx *Mux) routeHTTP(w http.ResponseWriter, r *http.Request) {

 	// Find the route
 	if _, _, h := mx.tree.FindRoute(rctx, method, routePath); h != nil {
+		if supportsPathValue {
+			setPathValue(rctx, r)
+		}
+
 		h.ServeHTTP(w, r)
 		return
 	}
--- a/vendor/github.com/go-chi/chi/v5/path_value.go
+++ b/vendor/github.com/go-chi/chi/v5/path_value.go
@ -0,0 +1,21 @@
+//go:build go1.22 && !tinygo
+// +build go1.22,!tinygo
+
+
+package chi
+
+import "net/http"
+
+// supportsPathValue is true if the Go version is 1.22 and above.
+//
+// If this is true, `net/http.Request` has methods `SetPathValue` and `PathValue`.
+const supportsPathValue = true
+
+// setPathValue sets the path values in the Request value
+// based on the provided request context.
+func setPathValue(rctx *Context, r *http.Request) {
+	for i, key := range rctx.URLParams.Keys {
+		value := rctx.URLParams.Values[i]
+		r.SetPathValue(key, value)
+	}
+}
--- a/vendor/github.com/go-chi/chi/v5/path_value_fallback.go
+++ b/vendor/github.com/go-chi/chi/v5/path_value_fallback.go
@ -0,0 +1,19 @@
+//go:build !go1.22 || tinygo
+// +build !go1.22 tinygo
+
+package chi
+
+import "net/http"
+
+// supportsPathValue is true if the Go version is 1.22 and above.
+//
+// If this is true, `net/http.Request` has methods `SetPathValue` and `PathValue`.
+const supportsPathValue = false
+
+// setPathValue sets the path values in the Request value
+// based on the provided request context.
+//
+// setPathValue is only supported in Go 1.22 and above so
+// this is just a blank function so that it compiles.
+func setPathValue(rctx *Context, r *http.Request) {
+}
--- a/vendor/github.com/go-chi/chi/v5/tree.go
+++ b/vendor/github.com/go-chi/chi/v5/tree.go
@ -730,11 +730,9 @@ func patNextSegment(pattern string) (nodeTyp, string, string, byte, int, int) {
 			tail = pattern[pe]
 		}

-		var rexpat string
-		if idx := strings.Index(key, ":"); idx >= 0 {
+		key, rexpat, isRegexp := strings.Cut(key, ":")
+		if isRegexp {
 			nt = ntRegexp
-			rexpat = key[idx+1:]
-			key = key[:idx]
 		}

 		if len(rexpat) > 0 {
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -87,8 +87,8 @@ github.com/getsentry/sentry-go/internal/otel/baggage/internal/baggage
 github.com/getsentry/sentry-go/internal/ratelimit
 # github.com/gin-gonic/gin v1.9.1
 ## explicit; go 1.20
-# github.com/go-chi/chi/v5 v5.0.10
-## explicit; go 1.14
+# github.com/go-chi/chi/v5 v5.2.2
+## explicit; go 1.20
 github.com/go-chi/chi/v5
 # github.com/go-chi/cors v1.2.1
 ## explicit; go 1.14