build(deps): bump the go-deps group with 7 updates

Bumps the go-deps group with 7 updates: | Package | From | To | | --- | --- | --- | | [github.com/Azure/azure-sdk-for-go/sdk/storage/azblob](https://github.com/Azure/azure-sdk-for-go) | `1.1.0` | `1.2.0` | | [github.com/google/go-cmp](https://github.com/google/go-cmp) | `0.5.9` | `0.6.0` | | [github.com/labstack/echo/v4](https://github.com/labstack/echo) | `4.11.1` | `4.11.2` | | [github.com/openshift-online/ocm-sdk-go](https://github.com/openshift-online/ocm-sdk-go) | `0.1.371` | `0.1.373` | | [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) | `1.16.0` | `1.17.0` | | [golang.org/x/sync](https://github.com/golang/sync) | `0.3.0` | `0.4.0` | | [google.golang.org/api](https://github.com/googleapis/google-api-go-client) | `0.145.0` | `0.146.0` | Updates `github.com/Azure/azure-sdk-for-go/sdk/storage/azblob` from 1.1.0 to 1.2.0 - [Release notes](https://github.com/Azure/azure-sdk-for-go/releases) - [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md) - [Commits](https://github.com/Azure/azure-sdk-for-go/compare/v1.1...v1.2) Updates `github.com/google/go-cmp` from 0.5.9 to 0.6.0 - [Release notes](https://github.com/google/go-cmp/releases) - [Commits](https://github.com/google/go-cmp/compare/v0.5.9...v0.6.0) Updates `github.com/labstack/echo/v4` from 4.11.1 to 4.11.2 - [Release notes](https://github.com/labstack/echo/releases) - [Changelog](https://github.com/labstack/echo/blob/master/CHANGELOG.md) - [Commits](https://github.com/labstack/echo/compare/v4.11.1...v4.11.2) Updates `github.com/openshift-online/ocm-sdk-go` from 0.1.371 to 0.1.373 - [Release notes](https://github.com/openshift-online/ocm-sdk-go/releases) - [Changelog](https://github.com/openshift-online/ocm-sdk-go/blob/main/CHANGES.md) - [Commits](https://github.com/openshift-online/ocm-sdk-go/compare/v0.1.371...v0.1.373) Updates `github.com/prometheus/client_golang` from 1.16.0 to 1.17.0 - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](https://github.com/prometheus/client_golang/compare/v1.16.0...v1.17.0) Updates `golang.org/x/sync` from 0.3.0 to 0.4.0 - [Commits](https://github.com/golang/sync/compare/v0.3.0...v0.4.0) Updates `google.golang.org/api` from 0.145.0 to 0.146.0 - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.145.0...v0.146.0) --- updated-dependencies: - dependency-name: github.com/Azure/azure-sdk-for-go/sdk/storage/azblob dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps - dependency-name: github.com/google/go-cmp dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps - dependency-name: github.com/labstack/echo/v4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-deps - dependency-name: github.com/openshift-online/ocm-sdk-go dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-deps - dependency-name: github.com/prometheus/client_golang dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps - dependency-name: golang.org/x/sync dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps ... Signed-off-by: dependabot[bot] <support@github.com>
2023-10-12 04:43:21 +00:00 · 2023-10-12 04:43:21 +00:00 · d4af58c9f5
commit d4af58c9f5
parent 0a255df1ca
136 changed files with 2587 additions and 1394 deletions
--- a/vendor/github.com/labstack/echo/v4/CHANGELOG.md
+++ b/vendor/github.com/labstack/echo/v4/CHANGELOG.md
@ -1,5 +1,21 @@
 # Changelog

+## v4.11.2 - 2023-10-11
+
+**Security**
+
+* Bump golang.org/x/net to prevent CVE-2023-39325 / CVE-2023-44487 HTTP/2 Rapid Reset Attack [#2527](https://github.com/labstack/echo/pull/2527)
+* fix(sec): randomString bias introduced by #2490 [#2492](https://github.com/labstack/echo/pull/2492)
+* CSRF/RequestID mw: switch math/random usage to crypto/random [#2490](https://github.com/labstack/echo/pull/2490)
+
+**Enhancements**
+
+* Delete unused context in body_limit.go [#2483](https://github.com/labstack/echo/pull/2483)
+* Use Go 1.21 in CI [#2505](https://github.com/labstack/echo/pull/2505)
+* Fix some typos [#2511](https://github.com/labstack/echo/pull/2511)
+* Allow CORS middleware to send Access-Control-Max-Age: 0 [#2518](https://github.com/labstack/echo/pull/2518)
+* Bump dependancies [#2522](https://github.com/labstack/echo/pull/2522)
+
 ## v4.11.1 - 2023-07-16

 **Fixes**
--- a/vendor/github.com/labstack/echo/v4/README.md
+++ b/vendor/github.com/labstack/echo/v4/README.md
@ -3,7 +3,7 @@
 [![Sourcegraph](https://sourcegraph.com/github.com/labstack/echo/-/badge.svg?style=flat-square)](https://sourcegraph.com/github.com/labstack/echo?badge)
 [![GoDoc](http://img.shields.io/badge/go-documentation-blue.svg?style=flat-square)](https://pkg.go.dev/github.com/labstack/echo/v4)
 [![Go Report Card](https://goreportcard.com/badge/github.com/labstack/echo?style=flat-square)](https://goreportcard.com/report/github.com/labstack/echo)
-[![Build Status](http://img.shields.io/travis/labstack/echo.svg?style=flat-square)](https://travis-ci.org/labstack/echo)
+[![GitHub Workflow Status (with event)](https://img.shields.io/github/actions/workflow/status/labstack/echo/echo.yml?style=flat-square)](https://github.com/labstack/echo/actions)
 [![Codecov](https://img.shields.io/codecov/c/github/labstack/echo.svg?style=flat-square)](https://codecov.io/gh/labstack/echo)
 [![Forum](https://img.shields.io/badge/community-forum-00afd1.svg?style=flat-square)](https://github.com/labstack/echo/discussions)
 [![Twitter](https://img.shields.io/badge/twitter-@labstack-55acee.svg?style=flat-square)](https://twitter.com/labstack)
--- a/vendor/github.com/labstack/echo/v4/echo.go
+++ b/vendor/github.com/labstack/echo/v4/echo.go
@ -259,7 +259,7 @@ const (

 const (
 	// Version of Echo
-	Version = "4.11.1"
+	Version = "4.11.2"
 	website = "https://echo.labstack.com"
 	// http://patorjk.com/software/taag/#p=display&f=Small%20Slant&t=Echo
 	banner = `
--- a/vendor/github.com/labstack/echo/v4/middleware/body_limit.go
+++ b/vendor/github.com/labstack/echo/v4/middleware/body_limit.go
@ -23,9 +23,8 @@ type (

 	limitedReader struct {
 		BodyLimitConfig
-		reader  io.ReadCloser
-		read    int64
-		context echo.Context
+		reader io.ReadCloser
+		read   int64
 	}
 )

@ -80,7 +79,7 @@ func BodyLimitWithConfig(config BodyLimitConfig) echo.MiddlewareFunc {

 			// Based on content read
 			r := pool.Get().(*limitedReader)
-			r.Reset(req.Body, c)
+			r.Reset(req.Body)
 			defer pool.Put(r)
 			req.Body = r

@ -102,9 +101,8 @@ func (r *limitedReader) Close() error {
 	return r.reader.Close()
 }

-func (r *limitedReader) Reset(reader io.ReadCloser, context echo.Context) {
+func (r *limitedReader) Reset(reader io.ReadCloser) {
 	r.reader = reader
-	r.context = context
 	r.read = 0
 }

--- a/vendor/github.com/labstack/echo/v4/middleware/context_timeout.go
+++ b/vendor/github.com/labstack/echo/v4/middleware/context_timeout.go
@ -13,7 +13,7 @@ type ContextTimeoutConfig struct {
 	// Skipper defines a function to skip middleware.
 	Skipper Skipper

-	// ErrorHandler is a function when error aries in middeware execution.
+	// ErrorHandler is a function when error aries in middleware execution.
 	ErrorHandler func(err error, c echo.Context) error

 	// Timeout configures a timeout for the middleware, defaults to 0 for no timeout
--- a/vendor/github.com/labstack/echo/v4/middleware/cors.go
+++ b/vendor/github.com/labstack/echo/v4/middleware/cors.go
@ -99,8 +99,9 @@ type (
 		// MaxAge determines the value of the Access-Control-Max-Age response header.
 		// This header indicates how long (in seconds) the results of a preflight
 		// request can be cached.
+		// The header is set only if MaxAge != 0, negative value sends "0" which instructs browsers not to cache that response.
 		//
-		// Optional. Default value 0.  The header is set only if MaxAge > 0.
+		// Optional. Default value 0 - meaning header is not sent.
 		//
 		// See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age
 		MaxAge int `yaml:"max_age"`
@ -159,7 +160,11 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
 	allowMethods := strings.Join(config.AllowMethods, ",")
 	allowHeaders := strings.Join(config.AllowHeaders, ",")
 	exposeHeaders := strings.Join(config.ExposeHeaders, ",")
-	maxAge := strconv.Itoa(config.MaxAge)
+
+	maxAge := "0"
+	if config.MaxAge > 0 {
+		maxAge = strconv.Itoa(config.MaxAge)
+	}

 	return func(next echo.HandlerFunc) echo.HandlerFunc {
 		return func(c echo.Context) error {
@ -282,7 +287,7 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
 					res.Header().Set(echo.HeaderAccessControlAllowHeaders, h)
 				}
 			}
-			if config.MaxAge > 0 {
+			if config.MaxAge != 0 {
 				res.Header().Set(echo.HeaderAccessControlMaxAge, maxAge)
 			}
 			return c.NoContent(http.StatusNoContent)
--- a/vendor/github.com/labstack/echo/v4/middleware/csrf.go
+++ b/vendor/github.com/labstack/echo/v4/middleware/csrf.go
@ -6,7 +6,6 @@ import (
 	"time"

 	"github.com/labstack/echo/v4"
-	"github.com/labstack/gommon/random"
 )

 type (
@ -103,6 +102,7 @@ func CSRFWithConfig(config CSRFConfig) echo.MiddlewareFunc {
 	if config.TokenLength == 0 {
 		config.TokenLength = DefaultCSRFConfig.TokenLength
 	}
+
 	if config.TokenLookup == "" {
 		config.TokenLookup = DefaultCSRFConfig.TokenLookup
 	}
@ -132,7 +132,7 @@ func CSRFWithConfig(config CSRFConfig) echo.MiddlewareFunc {

 			token := ""
 			if k, err := c.Cookie(config.CookieName); err != nil {
-				token = random.String(config.TokenLength) // Generate token
+				token = randomString(config.TokenLength)
 			} else {
 				token = k.Value // Reuse token
 			}
--- a/vendor/github.com/labstack/echo/v4/middleware/request_id.go
+++ b/vendor/github.com/labstack/echo/v4/middleware/request_id.go
@ -2,7 +2,6 @@ package middleware

 import (
 	"github.com/labstack/echo/v4"
-	"github.com/labstack/gommon/random"
 )

 type (
@ -12,7 +11,7 @@ type (
 		Skipper Skipper

 		// Generator defines a function to generate an ID.
-		// Optional. Default value random.String(32).
+		// Optional. Defaults to generator for random string of length 32.
 		Generator func() string

 		// RequestIDHandler defines a function which is executed for a request id.
@ -73,5 +72,5 @@ func RequestIDWithConfig(config RequestIDConfig) echo.MiddlewareFunc {
 }

 func generator() string {
-	return random.String(32)
+	return randomString(32)
 }
--- a/vendor/github.com/labstack/echo/v4/middleware/util.go
+++ b/vendor/github.com/labstack/echo/v4/middleware/util.go
@ -1,7 +1,11 @@
 package middleware

 import (
+	"bufio"
+	"crypto/rand"
+	"io"
 	"strings"
+	"sync"
 )

 func matchScheme(domain, pattern string) bool {
@ -52,3 +56,45 @@ func matchSubdomain(domain, pattern string) bool {
 	}
 	return false
 }
+
+// https://tip.golang.org/doc/go1.19#:~:text=Read%20no%20longer%20buffers%20random%20data%20obtained%20from%20the%20operating%20system%20between%20calls
+var randomReaderPool = sync.Pool{New: func() interface{} {
+	return bufio.NewReader(rand.Reader)
+}}
+
+const randomStringCharset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+const randomStringCharsetLen = 52 // len(randomStringCharset)
+const randomStringMaxByte = 255 - (256 % randomStringCharsetLen)
+
+func randomString(length uint8) string {
+	reader := randomReaderPool.Get().(*bufio.Reader)
+	defer randomReaderPool.Put(reader)
+
+	b := make([]byte, length)
+	r := make([]byte, length+(length/4)) // perf: avoid read from rand.Reader many times
+	var i uint8 = 0
+
+	// security note:
+	// we can't just simply do b[i]=randomStringCharset[rb%len(randomStringCharset)],
+	// len(len(randomStringCharset)) is 52, and rb is [0, 255], 256 = 52 * 4 + 48.
+	// make the first 48 characters more possibly to be generated then others.
+	// So we have to skip bytes when rb > randomStringMaxByte
+
+	for {
+		_, err := io.ReadFull(reader, r)
+		if err != nil {
+			panic("unexpected error happened when reading from bufio.NewReader(crypto/rand.Reader)")
+		}
+		for _, rb := range r {
+			if rb > randomStringMaxByte {
+				// Skip this number to avoid bias.
+				continue
+			}
+			b[i] = randomStringCharset[rb%randomStringCharsetLen]
+			i++
+			if i == length {
+				return string(b)
+			}
+		}
+	}
+}
--- a/vendor/github.com/labstack/gommon/random/random.go
+++ b/vendor/github.com/labstack/gommon/random/random.go
@ -1,48 +0,0 @@
-package random
-
-import (
-	"math/rand"
-	"strings"
-	"time"
-)
-
-type (
-	Random struct {
-	}
-)
-
-// Charsets
-const (
-	Uppercase    = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
-	Lowercase    = "abcdefghijklmnopqrstuvwxyz"
-	Alphabetic   = Uppercase + Lowercase
-	Numeric      = "0123456789"
-	Alphanumeric = Alphabetic + Numeric
-	Symbols      = "`" + `~!@#$%^&*()-_+={}[]|\;:"<>,./?`
-	Hex          = Numeric + "abcdef"
-)
-
-var (
-	global = New()
-)
-
-func New() *Random {
-	rand.Seed(time.Now().UnixNano())
-	return new(Random)
-}
-
-func (r *Random) String(length uint8, charsets ...string) string {
-	charset := strings.Join(charsets, "")
-	if charset == "" {
-		charset = Alphanumeric
-	}
-	b := make([]byte, length)
-	for i := range b {
-		b[i] = charset[rand.Int63()%int64(len(charset))]
-	}
-	return string(b)
-}
-
-func String(length uint8, charsets ...string) string {
-	return global.String(length, charsets...)
-}