From a8ed33344822701a1207f0ddf7c643fa936f3692 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 12 Jul 2026 20:52:31 +0000 Subject: [PATCH] Update module github.com/labstack/echo/v4 to v5 --- go.mod | 3 +- go.sum | 3 + .../github.com/labstack/echo/v4/CHANGELOG.md | 74 ------------------- vendor/github.com/labstack/echo/v4/context.go | 19 +---- vendor/github.com/labstack/echo/v4/echo.go | 15 +--- vendor/github.com/labstack/echo/v4/echo_fs.go | 21 ++---- .../github.com/labstack/echo/v4/group_fs.go | 2 +- .../labstack/echo/v4/middleware/static.go | 17 +---- vendor/github.com/rs/zerolog/.gitignore | 4 +- vendor/modules.txt | 6 +- 10 files changed, 24 insertions(+), 140 deletions(-) diff --git a/go.mod b/go.mod index 4d7e990d..f8f4b922 100644 --- a/go.mod +++ b/go.mod @@ -16,7 +16,8 @@ require ( github.com/fsnotify/fsnotify v1.10.1 github.com/goccy/go-json v0.10.6 github.com/hashicorp/golang-lru/v2 v2.0.7 - github.com/labstack/echo/v4 v4.15.4 + github.com/labstack/echo/v4 v4.15.1 + github.com/labstack/echo/v5 v5.3.0 github.com/matrix-org/gomatrixserverlib v0.0.0-20260506075950-c9c468727353 github.com/mattevans/postmark-go v1.0.0 github.com/microcosm-cc/bluemonday v1.0.27 diff --git a/go.sum b/go.sum index 0c14384b..8f716b14 100644 --- a/go.sum +++ b/go.sum @@ -124,8 +124,11 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/labstack/echo/v4 v4.15.1 h1:S9keusg26gZpjMmPqB5hOEvNKnmd1lNmcHrbbH2lnFs= +github.com/labstack/echo/v4 v4.15.1/go.mod h1:xmw1clThob0BSVRX1CRQkGQ/vjwcpOMjQZSZa9fKA/c= github.com/labstack/echo/v4 v4.15.4 h1:DL45vVYa+BWE+XuW+zZNd9H0YEdZ80UAWJGcTVW4EVs= github.com/labstack/echo/v4 v4.15.4/go.mod h1:CuMetKIRwsuO/qlAgMq+KTAalwGoB/h4tC+yPdrTj1g= +github.com/labstack/echo/v5 v5.3.0/go.mod h1:Q3j2+clBRgJr0O3DDONQeXNsM7RHgSwUhcuo47unqm8= github.com/labstack/gommon v0.5.0 h1:6VSQ2NOzsnEJ5W6+84E0RbcaDDmgB6NIAzWCczTEe6c= github.com/labstack/gommon v0.5.0/go.mod h1:Rzlg7HHy1maLfzBYGg9NZcVuz1sA68HHhLjhcEllYE0= github.com/matrix-org/gomatrix v0.0.0-20220926102614-ceba4d9f7530 h1:kHKxCOLcHH8r4Fzarl4+Y3K5hjothkVW5z7T1dUM11U= diff --git a/vendor/github.com/labstack/echo/v4/CHANGELOG.md b/vendor/github.com/labstack/echo/v4/CHANGELOG.md index 8388531e..b7fd0e14 100644 --- a/vendor/github.com/labstack/echo/v4/CHANGELOG.md +++ b/vendor/github.com/labstack/echo/v4/CHANGELOG.md @@ -1,79 +1,5 @@ # Changelog -## v4.15.4 - 2026-06-15 - -**Security** - -Fixes [GHSA-vfp3-v2gw-7wfq](https://github.com/labstack/echo/security/advisories/GHSA-vfp3-v2gw-7wfq) - -Make serving static file releated methods and middleware not unescape path by default - so how the way Router interprets paths and Static methods/middleware is consistent. - -Given following situation: -```go -// 0. -// given folder structure: -// private.txt -// public/ -// public/index.html -// public/text.txt -// public/admin/private.txt - -// 1. share `public/` folder contents from the server root. This folder actually contains subfolder `admin` which -// contents we want to forbid from downloading -e.Static("/", "public") - -// 2. naively assume that everything under /admin folder is now forbidden -e.GET("/admin/*", func(c *Context) error { - return ErrForbidden -}) -``` - -Then requests to `/admin%2fprivate.txt` would not be matched to `GET /admin/*` route (routing does not look unescaped path) and static file serving will use unescaped path to serve the file. - -Note: this way of "guarding" subfolders will never work for for paths like `/assets/../admin%2fprivate.txt` which will `path.Clean("/assets/../admin%2fprivate.txt")` to `/admin/private.txt` and are servable if static file serving is configured to unescape paths. - -If you want to guard routes - use middlewares on `Static*` methods and before `Static` middleware. - -**Breaking change / migration:** If you serve files whose names contain URL-encoded characters (e.g., `/hello%20world.txt` → `hello world.txt`), you must now opt in: - -```go - e := echo.New() - e.EnablePathUnescapingStaticFiles = true // <-- enable old behavior - e.Static("/", "public") -``` -for static middleware -```go - e.Use(middleware.StaticWithConfig(middleware.StaticConfig{ - EnablePathUnescaping: true, // <-- enable old behavior - })) -``` - - -## v4.15.3 - 2026-06-14 - -**Security** - -* fix(static): reject encoded path separators that bypass route-level middleware by @vishr in https://github.com/labstack/echo/pull/3011 - -Fixes [GHSA-vfp3-v2gw-7wfq](https://github.com/labstack/echo/security/advisories/GHSA-vfp3-v2gw-7wfq): an encoded path separator (`%2F` or `%5C`) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both `StaticDirectoryHandler` (used by `Static`/`StaticFS`) and the `Static` middleware are affected. Backport of the v5 fix (#3009). Thanks to @a-tt-om and @oran-gugu for reporting. - - -## v4.15.2 - 2026-05-01 - -**Security** - -* `Context.Scheme()` should validate values taken from header by @aldas in https://github.com/labstack/echo/pull/2962 - -Thanks to @shblue21 for reporting this [issue](https://github.com/labstack/echo/issues/2952). - - -## v4.15.1 - 2026-02-22 - -**Enhancements** - -* CSRF: support older token-based CSRF protection handler that want to render token into template by @aldas in https://github.com/labstack/echo/pull/2905 - - ## v4.15.0 - 2026-01-01 diff --git a/vendor/github.com/labstack/echo/v4/context.go b/vendor/github.com/labstack/echo/v4/context.go index 6500e5ee..67e83181 100644 --- a/vendor/github.com/labstack/echo/v4/context.go +++ b/vendor/github.com/labstack/echo/v4/context.go @@ -272,35 +272,22 @@ func (c *context) IsWebSocket() bool { return strings.EqualFold(upgrade, "websocket") } -func isValidProto(proto string) bool { - if proto == "" { - return false - } - for _, p := range []string{"http", "https", "ws", "wss"} { - if strings.EqualFold(proto, p) { - return true - } - } - return false -} - -// Scheme returns the HTTP protocol scheme, `http` or `https`. func (c *context) Scheme() string { // Can't use `r.Request.URL.Scheme` // See: https://groups.google.com/forum/#!topic/golang-nuts/pMUkBlQBDF0 if c.IsTLS() { return "https" } - if scheme := c.request.Header.Get(HeaderXForwardedProto); isValidProto(scheme) { + if scheme := c.request.Header.Get(HeaderXForwardedProto); scheme != "" { return scheme } - if scheme := c.request.Header.Get(HeaderXForwardedProtocol); isValidProto(scheme) { + if scheme := c.request.Header.Get(HeaderXForwardedProtocol); scheme != "" { return scheme } if ssl := c.request.Header.Get(HeaderXForwardedSsl); ssl == "on" { return "https" } - if scheme := c.request.Header.Get(HeaderXUrlScheme); isValidProto(scheme) { + if scheme := c.request.Header.Get(HeaderXUrlScheme); scheme != "" { return scheme } return "http" diff --git a/vendor/github.com/labstack/echo/v4/echo.go b/vendor/github.com/labstack/echo/v4/echo.go index f00fb10e..ae2283f6 100644 --- a/vendor/github.com/labstack/echo/v4/echo.go +++ b/vendor/github.com/labstack/echo/v4/echo.go @@ -59,7 +59,6 @@ import ( "golang.org/x/crypto/acme" "golang.org/x/crypto/acme/autocert" "golang.org/x/net/http2" - //lint:ignore SA1019 h2c is required until v4 is supported (end of 2026) "golang.org/x/net/http2/h2c" ) @@ -106,17 +105,6 @@ type Echo struct { Debug bool HideBanner bool HidePort bool - - // EnablePathUnescapingStaticFiles enables path parameter (param: *) unescaping for Static/StaticFS methods. - // Default false (safe): encoded slashes (%2f) in the wildcard param are NOT decoded, - // preventing ACL bypass where /admin%2fprivate.txt bypasses a /admin/* route guard by - // not matching that route but having its wildcard param decoded to admin/private.txt. - // Set to true only when serving files whose names contain URL-encoded characters - // (e.g. "hello world.txt" via /hello%20world.txt) and you are not relying on - // route-based ACL guards to restrict access. - // If you are enabling this option, make sure you understand the security implications. - // See: https://github.com/labstack/echo/security/advisories/GHSA-vfp3-v2gw-7wfq - EnablePathUnescapingStaticFiles bool } // Route contains a handler and information for matching against requests. @@ -279,7 +267,7 @@ const ( const ( // Version of Echo - Version = "4.15.4" + Version = "4.15.0" website = "https://echo.labstack.com" // http://patorjk.com/software/taag/#p=display&f=Small%20Slant&t=Echo banner = ` @@ -857,7 +845,6 @@ func (e *Echo) StartH2CServer(address string, h2s *http2.Server) error { s.Addr = address e.colorer.SetOutput(e.Logger.Output()) s.ErrorLog = e.StdLogger - //lint:ignore SA1019 h2c is required until v4 is supported (end of 2026) s.Handler = h2c.NewHandler(e, h2s) if e.Debug { e.Logger.SetLevel(log.DEBUG) diff --git a/vendor/github.com/labstack/echo/v4/echo_fs.go b/vendor/github.com/labstack/echo/v4/echo_fs.go index ed27b992..0ffc4b0b 100644 --- a/vendor/github.com/labstack/echo/v4/echo_fs.go +++ b/vendor/github.com/labstack/echo/v4/echo_fs.go @@ -9,7 +9,6 @@ import ( "net/http" "net/url" "os" - "path" "path/filepath" "strings" ) @@ -36,7 +35,7 @@ func (e *Echo) Static(pathPrefix, fsRoot string) *Route { return e.Add( http.MethodGet, pathPrefix+"*", - StaticDirectoryHandler(subFs, !e.EnablePathUnescapingStaticFiles), + StaticDirectoryHandler(subFs, false), ) } @@ -49,19 +48,12 @@ func (e *Echo) StaticFS(pathPrefix string, filesystem fs.FS) *Route { return e.Add( http.MethodGet, pathPrefix+"*", - StaticDirectoryHandler(filesystem, !e.EnablePathUnescapingStaticFiles), + StaticDirectoryHandler(filesystem, false), ) } -// StaticDirectoryHandler creates handler function to serve files from provided file system. +// StaticDirectoryHandler creates handler function to serve files from provided file system // When disablePathUnescaping is set then file name from path is not unescaped and is served as is. -// -// Note: when disablePathUnescaping=false, the handler decodes the wildcard param before serving. -// If route guards (e.g. e.GET("/admin/*", forbidden)) are used to restrict parts of the -// filesystem, an encoded separator (%2F) or encoded dot-dot (%2E%2E) in the URL can resolve to -// a path that the router never matched against the guard route. Do not rely on route guards -// alone to restrict a filesystem served by this handler. -// See https://github.com/labstack/echo/security/advisories/GHSA-vfp3-v2gw-7wfq func StaticDirectoryHandler(fileSystem fs.FS, disablePathUnescaping bool) HandlerFunc { return func(c Context) error { p := c.Param("*") @@ -73,11 +65,8 @@ func StaticDirectoryHandler(fileSystem fs.FS, disablePathUnescaping bool) Handle p = tmpPath } - // fs.FS.Open() already assumes that file names are relative to FS root path and considers name with prefix `/` as invalid. - // Use path.Clean (not filepath.Clean): fs.FS paths are always forward-slash, so a backslash must stay a literal - // character rather than being interpreted as a separator on Windows (which would resolve a file across a boundary - // the router never matched on). - name := path.Clean(strings.TrimPrefix(p, "/")) + // fs.FS.Open() already assumes that file names are relative to FS root path and considers name with prefix `/` as invalid + name := filepath.ToSlash(filepath.Clean(strings.TrimPrefix(p, "/"))) fi, err := fs.Stat(fileSystem, name) if err != nil { return ErrNotFound diff --git a/vendor/github.com/labstack/echo/v4/group_fs.go b/vendor/github.com/labstack/echo/v4/group_fs.go index 5246ea06..c1b7ec2d 100644 --- a/vendor/github.com/labstack/echo/v4/group_fs.go +++ b/vendor/github.com/labstack/echo/v4/group_fs.go @@ -23,7 +23,7 @@ func (g *Group) StaticFS(pathPrefix string, filesystem fs.FS) { g.Add( http.MethodGet, pathPrefix+"*", - StaticDirectoryHandler(filesystem, !g.echo.EnablePathUnescapingStaticFiles), + StaticDirectoryHandler(filesystem, false), ) } diff --git a/vendor/github.com/labstack/echo/v4/middleware/static.go b/vendor/github.com/labstack/echo/v4/middleware/static.go index 16a98389..2d946c17 100644 --- a/vendor/github.com/labstack/echo/v4/middleware/static.go +++ b/vendor/github.com/labstack/echo/v4/middleware/static.go @@ -48,15 +48,6 @@ type StaticConfig struct { // Filesystem provides access to the static content. // Optional. Defaults to http.Dir(config.Root) Filesystem http.FileSystem `yaml:"-"` - - // EnablePathUnescaping enables path parameter (param: *) unescaping. - // Default false (safe): encoded slashes (%2f) in the wildcard param are NOT decoded, - // preventing ACL bypass where /admin%2fprivate.txt bypasses a /admin/* route guard by - // not matching that route but having its wildcard param decoded to admin/private.txt. - // Set to true only when serving files whose names contain URL-encoded characters - // (e.g. "hello world.txt" via /hello%20world.txt) and you are not relying on - // route-based ACL guards to restrict access. - EnablePathUnescaping bool `yaml:"enablePathUnescaping"` } const html = ` @@ -179,11 +170,9 @@ func StaticWithConfig(config StaticConfig) echo.MiddlewareFunc { if strings.HasSuffix(c.Path(), "*") { // When serving from a group, e.g. `/static*`. p = c.Param("*") } - if config.EnablePathUnescaping { - p, err = url.PathUnescape(p) - if err != nil { - return - } + p, err = url.PathUnescape(p) + if err != nil { + return } // Security: We use path.Clean() (not filepath.Clean()) because: // 1. HTTP URLs always use forward slashes, regardless of server OS diff --git a/vendor/github.com/rs/zerolog/.gitignore b/vendor/github.com/rs/zerolog/.gitignore index c3622a0a..1a2fc214 100644 --- a/vendor/github.com/rs/zerolog/.gitignore +++ b/vendor/github.com/rs/zerolog/.gitignore @@ -23,5 +23,5 @@ _testmain.go *.exe *.test *.prof - -coverage.out + +coverage.out diff --git a/vendor/modules.txt b/vendor/modules.txt index 6cacc717..a25648e9 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -294,10 +294,12 @@ github.com/hashicorp/golang-lru/v2/internal # github.com/json-iterator/go v1.1.12 ## explicit; go 1.12 github.com/json-iterator/go -# github.com/labstack/echo/v4 v4.15.4 -## explicit; go 1.25.0 +# github.com/labstack/echo/v4 v4.15.1 +## explicit; go 1.24.0 github.com/labstack/echo/v4 github.com/labstack/echo/v4/middleware +# github.com/labstack/echo/v5 v5.3.0 +## explicit; go 1.25.0 # github.com/labstack/gommon v0.5.0 ## explicit; go 1.23.0 github.com/labstack/gommon/bytes