Update dependencies (#2007)

* Update dependencies
2025-07-03 08:27:44 +00:00 · 2023-03-09 22:48:00 +01:00
parent d5f9cdf912
commit 08779c2909
345 changed files with 151040 additions and 125983 deletions
--- a/vendor/github.com/labstack/echo/v4/middleware/context_timeout.go
+++ b/vendor/github.com/labstack/echo/v4/middleware/context_timeout.go
@ -0,0 +1,72 @@
+package middleware
+
+import (
+	"context"
+	"errors"
+	"time"
+
+	"github.com/labstack/echo/v4"
+)
+
+// ContextTimeoutConfig defines the config for ContextTimeout middleware.
+type ContextTimeoutConfig struct {
+	// Skipper defines a function to skip middleware.
+	Skipper Skipper
+
+	// ErrorHandler is a function when error aries in middeware execution.
+	ErrorHandler func(err error, c echo.Context) error
+
+	// Timeout configures a timeout for the middleware, defaults to 0 for no timeout
+	Timeout time.Duration
+}
+
+// ContextTimeout returns a middleware which returns error (503 Service Unavailable error) to client
+// when underlying method returns context.DeadlineExceeded error.
+func ContextTimeout(timeout time.Duration) echo.MiddlewareFunc {
+	return ContextTimeoutWithConfig(ContextTimeoutConfig{Timeout: timeout})
+}
+
+// ContextTimeoutWithConfig returns a Timeout middleware with config.
+func ContextTimeoutWithConfig(config ContextTimeoutConfig) echo.MiddlewareFunc {
+	mw, err := config.ToMiddleware()
+	if err != nil {
+		panic(err)
+	}
+	return mw
+}
+
+// ToMiddleware converts Config to middleware.
+func (config ContextTimeoutConfig) ToMiddleware() (echo.MiddlewareFunc, error) {
+	if config.Timeout == 0 {
+		return nil, errors.New("timeout must be set")
+	}
+	if config.Skipper == nil {
+		config.Skipper = DefaultSkipper
+	}
+	if config.ErrorHandler == nil {
+		config.ErrorHandler = func(err error, c echo.Context) error {
+			if err != nil && errors.Is(err, context.DeadlineExceeded) {
+				return echo.ErrServiceUnavailable.WithInternal(err)
+			}
+			return err
+		}
+	}
+
+	return func(next echo.HandlerFunc) echo.HandlerFunc {
+		return func(c echo.Context) error {
+			if config.Skipper(c) {
+				return next(c)
+			}
+
+			timeoutContext, cancel := context.WithTimeout(c.Request().Context(), config.Timeout)
+			defer cancel()
+
+			c.SetRequest(c.Request().WithContext(timeoutContext))
+
+			if err := next(c); err != nil {
+				return config.ErrorHandler(err, c)
+			}
+			return nil
+		}
+	}, nil
+}
--- a/vendor/github.com/labstack/echo/v4/middleware/cors.go
+++ b/vendor/github.com/labstack/echo/v4/middleware/cors.go
@ -79,6 +79,15 @@ type (
 		// See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
 		AllowCredentials bool `yaml:"allow_credentials"`

+		// UnsafeWildcardOriginWithAllowCredentials UNSAFE/INSECURE: allows wildcard '*' origin to be used with AllowCredentials
+		// flag. In that case we consider any origin allowed and send it back to the client with `Access-Control-Allow-Origin` header.
+		//
+		// This is INSECURE and potentially leads to [cross-origin](https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties)
+		// attacks. See: https://github.com/labstack/echo/issues/2400 for discussion on the subject.
+		//
+		// Optional. Default value is false.
+		UnsafeWildcardOriginWithAllowCredentials bool `yaml:"unsafe_wildcard_origin_with_allow_credentials"`
+
 		// ExposeHeaders determines the value of Access-Control-Expose-Headers, which
 		// defines a list of headers that clients are allowed to access.
 		//
@ -203,7 +212,7 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
 			} else {
 				// Check allowed origins
 				for _, o := range config.AllowOrigins {
-					if o == "*" && config.AllowCredentials {
+					if o == "*" && config.AllowCredentials && config.UnsafeWildcardOriginWithAllowCredentials {
 						allowOrigin = origin
 						break
 					}
--- a/vendor/github.com/labstack/echo/v4/middleware/csrf.go
+++ b/vendor/github.com/labstack/echo/v4/middleware/csrf.go
@ -119,9 +119,9 @@ func CSRFWithConfig(config CSRFConfig) echo.MiddlewareFunc {
 		config.CookieSecure = true
 	}

-	extractors, err := CreateExtractors(config.TokenLookup)
-	if err != nil {
-		panic(err)
+	extractors, cErr := CreateExtractors(config.TokenLookup)
+	if cErr != nil {
+		panic(cErr)
 	}

 	return func(next echo.HandlerFunc) echo.HandlerFunc {
--- a/vendor/github.com/labstack/echo/v4/middleware/jwt.go
+++ b/vendor/github.com/labstack/echo/v4/middleware/jwt.go
@ -196,9 +196,9 @@ func JWTWithConfig(config JWTConfig) echo.MiddlewareFunc {
 		config.ParseTokenFunc = config.defaultParseToken
 	}

-	extractors, err := createExtractors(config.TokenLookup, config.AuthScheme)
-	if err != nil {
-		panic(err)
+	extractors, cErr := createExtractors(config.TokenLookup, config.AuthScheme)
+	if cErr != nil {
+		panic(cErr)
 	}
 	if len(config.TokenLookupFuncs) > 0 {
 		extractors = append(config.TokenLookupFuncs, extractors...)
--- a/vendor/github.com/labstack/echo/v4/middleware/key_auth.go
+++ b/vendor/github.com/labstack/echo/v4/middleware/key_auth.go
@ -108,9 +108,9 @@ func KeyAuthWithConfig(config KeyAuthConfig) echo.MiddlewareFunc {
 		panic("echo: key-auth middleware requires a validator function")
 	}

-	extractors, err := createExtractors(config.KeyLookup, config.AuthScheme)
-	if err != nil {
-		panic(err)
+	extractors, cErr := createExtractors(config.KeyLookup, config.AuthScheme)
+	if cErr != nil {
+		panic(cErr)
 	}

 	return func(next echo.HandlerFunc) echo.HandlerFunc {
--- a/vendor/github.com/labstack/echo/v4/middleware/static.go
+++ b/vendor/github.com/labstack/echo/v4/middleware/static.go
@ -8,7 +8,6 @@ import (
 	"net/url"
 	"os"
 	"path"
-	"path/filepath"
 	"strings"

 	"github.com/labstack/echo/v4"
@ -157,9 +156,9 @@ func StaticWithConfig(config StaticConfig) echo.MiddlewareFunc {
 	}

 	// Index template
-	t, err := template.New("index").Parse(html)
-	if err != nil {
-		panic(fmt.Sprintf("echo: %v", err))
+	t, tErr := template.New("index").Parse(html)
+	if tErr != nil {
+		panic(fmt.Errorf("echo: %w", tErr))
 	}

 	return func(next echo.HandlerFunc) echo.HandlerFunc {
@ -176,7 +175,7 @@ func StaticWithConfig(config StaticConfig) echo.MiddlewareFunc {
 			if err != nil {
 				return
 			}
-			name := filepath.Join(config.Root, filepath.Clean("/"+p)) // "/"+ for security
+			name := path.Join(config.Root, path.Clean("/"+p)) // "/"+ for security

 			if config.IgnoreBase {
 				routePath := path.Base(strings.TrimRight(c.Path(), "/*"))
@ -187,12 +186,14 @@ func StaticWithConfig(config StaticConfig) echo.MiddlewareFunc {
 				}
 			}

-			file, err := openFile(config.Filesystem, name)
+			file, err := config.Filesystem.Open(name)
 			if err != nil {
-				if !os.IsNotExist(err) {
+				if !isIgnorableOpenFileError(err) {
 					return err
 				}

+				// file with that path did not exist, so we continue down in middleware/handler chain, hoping that we end up in
+				// handler that is meant to handle this request
 				if err = next(c); err == nil {
 					return err
 				}
@ -202,7 +203,7 @@ func StaticWithConfig(config StaticConfig) echo.MiddlewareFunc {
 					return err
 				}

-				file, err = openFile(config.Filesystem, filepath.Join(config.Root, config.Index))
+				file, err = config.Filesystem.Open(path.Join(config.Root, config.Index))
 				if err != nil {
 					return err
 				}
@ -216,15 +217,13 @@ func StaticWithConfig(config StaticConfig) echo.MiddlewareFunc {
 			}

 			if info.IsDir() {
-				index, err := openFile(config.Filesystem, filepath.Join(name, config.Index))
+				index, err := config.Filesystem.Open(path.Join(name, config.Index))
 				if err != nil {
 					if config.Browse {
 						return listDir(t, name, file, c.Response())
 					}

-					if os.IsNotExist(err) {
-						return next(c)
-					}
+					return next(c)
 				}

 				defer index.Close()
@ -242,11 +241,6 @@ func StaticWithConfig(config StaticConfig) echo.MiddlewareFunc {
 	}
 }

-func openFile(fs http.FileSystem, name string) (http.File, error) {
-	pathWithSlashes := filepath.ToSlash(name)
-	return fs.Open(pathWithSlashes)
-}
-
 func serveFile(c echo.Context, file http.File, info os.FileInfo) error {
 	http.ServeContent(c.Response(), c.Request(), info.Name(), info.ModTime(), file)
 	return nil
--- a/vendor/github.com/labstack/echo/v4/middleware/static_other.go
+++ b/vendor/github.com/labstack/echo/v4/middleware/static_other.go
@ -0,0 +1,12 @@
+//go:build !windows
+
+package middleware
+
+import (
+	"os"
+)
+
+// We ignore these errors as there could be handler that matches request path.
+func isIgnorableOpenFileError(err error) bool {
+	return os.IsNotExist(err)
+}
--- a/vendor/github.com/labstack/echo/v4/middleware/static_windows.go
+++ b/vendor/github.com/labstack/echo/v4/middleware/static_windows.go
@ -0,0 +1,23 @@
+package middleware
+
+import (
+	"os"
+)
+
+// We ignore these errors as there could be handler that matches request path.
+//
+// As of Go 1.20 filepath.Clean has different behaviour on OS related filesystems so we need to use path.Clean
+// on Windows which has some caveats. The Open methods might return different errors than earlier versions and
+// as of 1.20 path checks are more strict on the provided path and considers [UNC](https://en.wikipedia.org/wiki/Path_(computing)#UNC)
+// paths with missing host etc parts as invalid. Previously it would result you `fs.ErrNotExist`.
+//
+// For 1.20@Windows we need to treat those errors the same as `fs.ErrNotExists` so we can continue handling
+// errors in the middleware/handler chain. Otherwise we might end up with status 500 instead of finding a route
+// or return 404 not found.
+func isIgnorableOpenFileError(err error) bool {
+	if os.IsNotExist(err) {
+		return true
+	}
+	errTxt := err.Error()
+	return errTxt == "http: invalid or unsafe file path" || errTxt == "invalid path"
+}