Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update module github.com/gofiber/fiber/v2 to v2.50.0 [SECURITY] - autoclosed #45

Closed
wants to merge 1 commit into from
Closed

Update module github.com/gofiber/fiber/v2 to v2.50.0 [SECURITY] - autoclosed #45

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jun 14, 2023
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/gofiber/fiber/v2 v2.28.0 -> v2.50.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2018-20744

The Olivier Poitrey Go CORS handler through 1.3.0 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.

CVE-2023-41338

Impact

This vulnerability can be categorized as a security misconfiguration. It impacts users of our project who rely on the ctx.IsFromLocal() method to restrict access to localhost requests. If exploited, it could allow unauthorized access to resources intended only for localhost.

In it's implementation it uses c.IPs():

// IPs returns a string slice of IP addresses specified in the X-Forwarded-For request header.
// When IP validation is enabled, only valid IPs are returned.
func (c *Ctx) IPs() []string {
    return c.extractIPsFromHeader(HeaderXForwardedFor)
}

Thereby, setting X-Forwarded-For: 127.0.0.1 in a request from a foreign host, will result in true for ctx.IsFromLocal()

Patches

This issue has been patched in v2.49.2 with commit b8c9ede6efa231116c4bd8bb9d5e03eac1cb76dc

Workarounds

Currently, there are no known workarounds to remediate this vulnerability without upgrading to the patched version. We strongly advise users to apply the patch as soon as it is released.

References

For further information and context regarding this security issue, please refer to the following resources:

CVE-2023-45128

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application.

Vulnerability Details

The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. The following issues were identified:

  1. Token Injection: For 'safe' methods, the token was extracted from the cookie and saved to storage without further validation or sanitization.

  2. Lack of Token Association: The CSRF token was validated against tokens in storage but not associated with a session, nor by using a Double Submit Cookie Method, allowing for token reuse.

Specific Go Packages Affected

github.com/gofiber/fiber/v2/middleware/csrf

Remediation

To remediate this vulnerability, it is recommended to take the following actions:

  1. Update the Application: Upgrade the application to a fixed version with a patch for the vulnerability.

  2. Implement Proper CSRF Protection: Review the updated documentation and ensure your application's CSRF protection mechanisms follow best practices.

  3. Choose CSRF Protection Method: Select the appropriate CSRF protection method based on your application's requirements, either the Double Submit Cookie method or the Synchronizer Token Pattern using sessions.

  4. Security Testing: Conduct a thorough security assessment, including penetration testing, to identify and address any other security vulnerabilities.

Defence-in-depth

Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes.

CVE-2023-45141

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user's behalf, potentially compromising the security and integrity of the application.

Vulnerability Details

The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. The following issues were identified:

  1. Lack of Token Association: The CSRF token was validated against tokens in storage but was not tied to the original requestor that generated it, allowing for token reuse.

Specific Go Packages Affected

github.com/gofiber/fiber/v2/middleware/csrf

Remediation

To remediate this vulnerability, it is recommended to take the following actions:

  1. Update the Application: Upgrade the application to a fixed version with a patch for the vulnerability.

  2. Implement Proper CSRF Protection: Review the updated documentation and ensure your application's CSRF protection mechanisms follow best practices.

  3. Choose CSRF Protection Method: Select the appropriate CSRF protection method based on your application's requirements, either the Double Submit Cookie method or the Synchronizer Token Pattern using sessions.

  4. Security Testing: Conduct a thorough security assessment, including penetration testing, to identify and address any other security vulnerabilities.

Defence-in-depth

Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes.

Release Notes

gofiber/fiber (github.com/gofiber/fiber/v2)

v2.50.0

Compare Source

❗ Breaking Changes

  • Change signatures of GetReqHeaders and GetRespHeaders (#​2650)

To allow single and list values under headers according to the rfc standard

- func (c *Ctx) GetReqHeaders() map[string]string
+ func (c *Ctx) GetReqHeaders() map[string][]string
- func (c *Ctx) GetRespHeaders() map[string]string
+ func (c *Ctx) GetRespHeaders() map[string][]string

👮 Security

Middleware/csrf: Token Vulnerability (GHSA-mv73-f69x-444p, GHSA-94w9-97p3-p368)

https://docs.gofiber.io/api/middleware/csrf

🚀 Improvements to the CSRF middleware:

  • Added support for single-use tokens through the SingleUseToken configuration option.
  • Optional integration with GoFiber session middleware through the Session and SessionKey configuration options.
  • Introduction of origin checks for HTTPS connections to verify referer headers.
  • Implementation of a Double Submit Cookie approach for CSRF token generation and validation when used without Session.
  • Enhancement of error handling with more descriptive error messages.
  • The documentation for the CSRF middleware has been enhanced with the addition of the new options and best practices to improve security.

Thank you @​sixcolors

🚀 New

// Field names should start with an uppercase letter
type Person struct {
    Name     string  `cookie:"name"`
    Age      int     `cookie:"age"`
    Job      bool    `cookie:"job"`
}
// Example route
app.Get("/", func(c *fiber.Ctx) error {
    p := new(Person)
    // This method is similar to BodyParser, but for cookie parameters
    if err := c.CookieParser(p); err != nil {
        return err
    }
    
    log.Println(p.Name)     // Joseph
    log.Println(p.Age)      // 23
    log.Println(p.Job)      // true
})
// To disable caching completely, pass MaxAge value negative. It will set the Access-Control-Max-Age header 0.
app.Use(cors.New(cors.Config{MaxAge: -1})) 
// Provide more flexibility in session management, especially in scenarios like repeated user logins
func (s *Session) Reset() error

Example usage:

// Initialize default config
// This stores all of your app's sessions
store := session.New()

app.Post("/login", func(c *fiber.Ctx) error {
    // Get session from storage
    sess, err := store.Get(c)
    if err != nil {
        panic(err)
    }
    
    // ... validate login ...
    
    // Check if the session is fresh
    if !sess.Fresh() {
        // If the session is not fresh, reset it
        if err := sess.Reset(); err != nil {
            panic(err)
        }
    }
    // Set new session data
    sess.Set("user_id", user.ID)
    // Save session
    if err := sess.Save(); err != nil {
        panic(err)
    }

    return c.SendString(fmt.Sprintf("Welcome %v", user.ID))
})
// Provide more control over individual session management, especially in scenarios 
// like administrator-enforced user logout or user-initiated logout from a specific device session
func (s *Store) Delete(id string) error

Example usage:

app.Post("/admin/session/:id/logout", func(c *fiber.Ctx) error {
    // Get session id from request
    sessionID := c.Params("id")

    // Delete the session
    if err := store.Delete(sessionID); err != nil {
        return c.Status(500).SendString(err.Error())
    }

    return c.SendString("Logout successful")
})

🧹 Updates

  • Middleware/filesystem: Improve status for SendFile (#​2664)
  • Middleware/filesystem: Set response code (#​2632)
  • Refactor Ctx.Method func to improve code readability (#​2647)

🛠️ Maintenance

  • Fix loop variable captured by func literal (#​2660)
  • Run gofumpt and goimports (#​2662)
  • Use utils.AssertEqual instead of t.Fatal on some tests (#​2653)
  • Apply go fix ./... with latest version of go in repository (#​2661)
  • Bump github.com/valyala/fasthttp from 1.49.0 to 1.50.0 (#​2634)
  • Bump golang.org/x/sys from 0.12.0 to 0.13.0 (#​2665)

🐛 Fixes

  • Path checking on route naming (#​2676)
  • Incorrect log depth when use log.WithContext (#​2666)
  • Jsonp ignoring custom json encoder (#​2658)
  • PassLocalsToView when bind parameter is nil (#​2651)
  • Parse ips return invalid in abnormal case (#​2642)
  • Bug parse custom header (#​2638)
  • Middleware/adaptor: Reduce memory usage by replacing io.ReadAll() with io.Copy() (#​2637)
  • Middleware/idempotency: Nil pointer dereference issue on idempotency middleware (#​2668)

📚 Documentation

  • Incorrect status code source (#​2667)
  • Middleware/requestid: Typo in requestid.md (#​2675)
  • Middleware/cors: Update docs to better explain AllowOriginsFunc (#​2652)

Full Changelog: gofiber/fiber@v2.49.2...v2.50.0

Thank you @​KaptinLin, @​Skyenought, @​cuipeiyu, @​dairlair, @​efectn, @​gaby, @​geerew, @​huykn, @​jimmyl02, @​joey1123455, @​joshlarsen, @​jscappini, @​peczenyj and @​sixcolors for making this update possible.

v2.49.2

Compare Source

🧹 Updates

  • Middleware/logger: Enabling color changes padding for some fields #​2604 (#​2616)
  • Bump actions/checkout from 3 to 4 (#​2618)
  • Bump golang.org/x/sys from 0.11.0 to 0.12.0 (#​2617)

🐛 Fixes

📚 Documentation

  • Replaced double quotes with backticks in all route parameter strings (#​2591)

Full Changelog: gofiber/fiber@v2.49.1...v2.49.2

Thank you @​11-aryan and @​AKARSHITJOSHI for making this update possible.

v2.49.1

Compare Source

🧹 Updates

  • Bump github.com/valyala/fasthttp from 1.48.0 to 1.49.0 (#​2615)

🐛 Fixes

  • Rollback changes to go.mod file (#​2614)

📚 Documentation

  • Add Polish translation - README_pl.md (#​2613)
  • Update README_ko.md (#​2605)

Full Changelog: gofiber/fiber@v2.49.0...v2.49.1

Thank you @​KompocikDot, @​LimJiAn and @​gaby for making this update possible.

v2.49.0

Compare Source

❗ Breaking Changes

EnableSplittingOnParsers splits the query/body/header parameters by comma when it's true (default: false).

For example, you can use it to parse multiple values from a query parameter like this:
/api?foo=bar,baz == foo[]=bar&foo[]=baz

🚀 New

This allows the user to use //go:embed flags to load favicon data during build-time, and supply it to the middleware instead of reading the file every time the application starts.

🧹 Updates

  • Middleware/logger: Latency match gin-gonic/gin formatter (#​2569)
  • Middleware/filesystem: Refactor: use errors.Is instead of os.IsNotExist (#​2558)
  • Use Global vars instead of local vars for isLocalHost (#​2595)
  • Remove redundant nil check (#​2584)
  • Bump github.com/mattn/go-runewidth from 0.0.14 to 0.0.15 (#​2551)
  • Bump github.com/google/uuid from 1.3.0 to 1.3.1 (#​2592)
  • Bump golang.org/x/sys from 0.10.0 to 0.11.0 (#​2563)
  • Add go 1.21 to ci and readmes (#​2588)

🐛 Fixes

  • Middleware/logger: Default latency output format (#​2580)
  • Decompress request body when multi Content-Encoding sent on request headers (#​2555)

📚 Documentation

  • Fix wrong JSON docs (#​2554)
  • Update io/ioutil package to io package (#​2589)
  • Replace EG flag with the proper and smaller SVG (#​2585)
  • Added Egyptian Arabic readme file (#​2565)
  • Translate README to Portuguese (#​2567)
  • Improve *fiber.Client section (#​2553)
  • Improved the config section of the middleware readme´s (#​2552)
  • Added documentation about ctx Fresh (#​2549)
  • Update intro.md (#​2550)
  • Fixed link to slim template engine (#​2547)

Full Changelog: gofiber/fiber@v2.48.0...v2.49.0

Thank you @​Jictyvoo, @​Juneezee, @​Kirari04, @​LimJiAn, @​PassTheMayo, @​andersonmiranda-com, @​bigpreshy, @​efectn, @​renanbastos93, @​scandar, @​sixcolors and @​stefanb for making this update possible.

v2.48.0

Compare Source

🚀 New

app := fiber.New(fiber.Config{
  DisableStartupMessage: true,
})

app.Hooks().OnListen(func(listenData fiber.ListenData) error {
  if fiber.IsChild() {
      return nil
  }
  scheme := "http"
  if data.TLS {
    scheme = "https"
  }
  log.Println(scheme + "://" + listenData.Host + ":" + listenData.Port)
  return nil
})

app.Listen(":5000")

🧹 Updates

  • Dictpool is not completely gone (#​2540)
  • Bump golang.org/x/sys from 0.9.0 to 0.10.0 (#​2530)
  • Bump github.com/valyala/fasthttp from 1.47.0 to 1.48.0 (#​2511)

🐛 Fixes

  • Middleware/logger: Default logger color behaviour (#​2513)

📚 Documentation

  • Fix link (#​2542)
  • Fix bad documentation on queries function (#​2522)
  • Fix validation-guide (#​2517)
  • Fix bad documentation on queries function (#​2522)
  • Add a warning on security implications when using X-Forwarded-For improperly (#​2520)
  • Fix typo (#​2518)
  • Typo in ctx.md (#​2516)
  • Fix comment in client.go (#​2514)
  • Fix docs api fiber custom config (#​2510)

Full Changelog: gofiber/fiber@v2.47.0...v2.48.0

Thank you @​ForAeons, @​RHeynsZa, @​Saman-Safaei, @​Skyenought, @​Z3NTL3, @​andre-dasilva, @​cmd777, @​dozheiny, @​efectn, @​f1rstmehul, @​gaby, @​itcuihao and @​mo1ein for making this update possible.

v2.47.0

Compare Source

🚀 New

// GET /api/posts?filters.author.name=John&filters.category.name=Technology

app.Get("/", func(c *fiber.Ctx) error {
    m := c.Queries()
    m["filters.author.name"] // John
    m["filters.category.name"] // Technology
})
// Disable colors when outputting to default format
app.Use(logger.New(logger.Config{
    DisableColors: true,
}))

🧹 Updates

  • Update getOffer to consider quality and specificity (#​2486)
  • Use c.app.getString instead of string(...) (#​2489)
  • Bump github.com/mattn/go-isatty from 0.0.18 to 0.0.19 (#​2474)
  • Bump golang.org/x/sys from 0.8.0 to 0.9.0 (#​2508)

🐛 Fixes

  • Middleware/limiter: Fix Sliding Window limiter when SkipSuccessfulRequests/SkipFailedRequests is used. (#​2484)
  • Fix onListen hooks when they are used with prefork mode (#​2504)
  • Fix middleware naming and returned values of group methods (#​2477)
  • Treat case for possible timer memory leak (#​2488)
  • Reset terminal colors after print routes (#​2481)

📚 Documentation

  • Update version of html template (#​2505)
  • Translate README_fa.md (#​2496)
  • Correcting a syntax error in the README (#​2473)

Full Changelog: gofiber/fiber@v2.46.0...v2.47.0

Thank you @​Kamandlou, @​Satont, @​Skyenought, @​cmd777, @​dozheiny, @​efectn, @​gaby, @​kaazedev, @​luk3skyw4lker, @​obakumen, @​sixcolors and @​ytsruh for making this update possible.

v2.46.0

Compare Source

🚀 New

  • Utils: add Go 1.20+ way of converting byte slice to string (#​2468)
  • Middleware/adaptor: allow to convert fiber.Ctx to (net/http).Request (#​2461)

🧹 Updates

🐛 Fixes

  • Fix mount route positioning (#​2463)

📚 Documentation

Full Changelog: gofiber/fiber@v2.45.0...v2.46.0

Thank you @​alekseikovrigin, @​efectn and @​leonklingele for making this update possible.

v2.45.0

Compare Source

🚀 New

🧹 Updates

  • Consistent way of logging and fix middleware log format (#​2432, #​2444)
  • Improve error handling for net error(s) (#​2421)
  • Bump golang.org/x/sys from 0.7.0 to 0.8.0 (#​2449)
  • Bump github.com/valyala/fasthttp from 1.45.0 to 1.47.0 (#​2426, #​2445)

🐛 Fixes

  • Middleware/cors: Changed condition for 'AllowOriginsFunc' (#​2423)

📚 Documentation

  • Correct errors in Italian translation (#​2417)
  • Correct grammar errors in Azerbaijani translation. (#​2413)

Full Changelog: gofiber/fiber@v2.44.0...v2.45.0

Thank you @​Jamess-Lucass, @​baichangda, @​carmeloriolo, @​kanansnote and @​kousikmitra for making this update possible.

v2.44.0

Compare Source

🚀 New

👮 Security hint

Note: Using this feature is discouraged in production and it's best practice to explicitly set CORS origins via AllowOrigins.

In this example any origin will be allowed via CORS.
For example, if a browser running on http://localhost:3000 sends a request, this will be accepted and the access-control-allow-origin response header will be set to http://localhost:3000.

app.Use(cors.New(cors.Config{
    AllowOriginsFunc: func(origin string) bool {
        return os.Getenv("ENVIRONMENT") == "development"
    },
}))

🧹 Updates

  • Bump golang.org/x/sys from 0.6.0 to 0.7.0 (#​2405)
  • github/workflows: also run tests with Go 1.19.x (#​2384)
  • Bump github.com/mattn/go-isatty from 0.0.17 to 0.0.18 (#​2381)

🐛 Fixes

  • Middleware/logger: Fix #​2396, data race logger middleware (#​2397)
  • Middleware/timeout: Add original timeout middleware (#​2367)
    https://docs.gofiber.io/next/api/middleware/timeout
    ❗With version v2.38.1 we changed the behavior of the timeout function, this has now been undone and a function for use with context has been provided
  • Mounted subapps don't work correctly if parent app attached (#​2331)
  • Change default value of Querybool from true to false. (#​2391)
    ❗The fallback value for not found or not boolean values was adjusted to the golang standard
  • Fix #​2383, accepts mimeType (#​2386)

📚 Documentation

  • Added Azerbaijani README translation (#​2411)
  • Fix import and comma issues (#​2410)
  • Fix typos, and make middleware documentation more consistent (#​2408)
  • Added code link to fiber config fields (#​2385)
  • Adding to fac sub domain routing (#​2393)

Full Changelog: gofiber/fiber@v2.43.0...v2.44.0

Thank you @​Jamess-Lucass, @​ancogamer, @​cmd777, @​dozheiny, @​eld4niz, @​hakankutluay, @​jcyamacho, @​leonklingele and @​shahriarsohan for making this update possible.

v2.43.0

Compare Source

❗ BreakingChange

  • Drop go 1.16 support & update to fasthttp 1.45.0 (#​2374)

Due to the fact that fasthttp, which fiber is based on in release 1.45.0, does not support go version 1.16 anymore, we had to remove it from our package as well.

🚀 New

app.ListenTLSWithCertificate(":443", cert); 
app.ListenMutualTLSWithCertificate(":443", cert, clientCertPool);
// GET http://example.com/?name=alex&want_pizza=false&id=

app.Get("/", func(c *fiber.Ctx) error {
    c.QueryBool("want_pizza")       // false
    c.QueryBool("want_pizza", true) // false
    c.QueryBool("alex")             // true
    c.QueryBool("alex", false)      // false
    c.QueryBool("id")               // true
    c.QueryBool("id", false)        // false

  // ...
})
// GET http://example.com/?name=alex&amount=32.23&id=

app.Get("/", func(c *fiber.Ctx) error {
    c.QueryFloat("amount")      // 32.23
    c.QueryFloat("amount", 3)   // 32.23
    c.QueryFloat("name", 1)     // 1
    c.QueryFloat("name")        // 0
    c.QueryFloat("id", 3)       // 3

  // ...
})
  session.New(session.Config{
    // Decides whether cookie should last for only the browser sesison.
    CookieSessionOnly: true,
  })
// DoRedirects performs the given http request and fills the given http response while following up to maxRedirectsCount redirects.
func DoRedirects(c *fiber.Ctx, addr string, maxRedirectsCount int, clients ...*fasthttp.Client) error
// DoDeadline performs the given request and waits for response until the given deadline.
func DoDeadline(c *fiber.Ctx, addr string, deadline time.Time, clients ...*fasthttp.Client) error
// DoTimeout performs the given request and waits for response during the given timeout duration.
func DoTimeout(c *fiber.Ctx, addr string, timeout time.Duration, clients ...*fasthttp.Client) error

🧹 Updates

  • Get mime fallback (#​2340)
  • Middleware/requestid: don't call "Generator" func on existing request ID header (#​2371)
  • Middleware/basicauth: Optimize Basic auth alloc (#​2333)

🐛 Fixes

  • Middleware/requestid: Config.ContextKey is interface{} (#​2369)
  • Middleware/cors: Fix cors * behavior #​2338 (#​2339)

📚 Documentation

  • Use proper discord invitation link (#​2382)
  • Corrected coding typos in MountPath docs section (#​2379)
  • Fix typo in docs (#​2357)
  • Fix(docs): add missing comma (#​2353)
  • Fix all inaccessible links in docs (#​2349)
  • Automated synchronization with gofiber/docs (#​2344)

Full Changelog: gofiber/fiber@v2.42.0...v2.43.0

Thank you @​CaioAugustoo, @​HHongSeungWoo, @​IwateKyle, @​Rorke76753, @​Skyenought, @​UtopiaGitHub, @​benjajaja, @​derkan, @​dozheiny, @​efectn, @​gaby, @​leonklingele, @​lublak, @​msaf1980, @​ryand67 and @​yvestumushimire for making this update possible.

v2.42.0

Compare Source

🚀 New

// GET http://example.com/?id=5555
app.Get("/", func(c *fiber.Ctx) error {
    c.QueryInt("id", 1)         // 5555
    // ...
})

adds support for TLS 1.3's early data ("0-RTT") feature

app.Use(earlydata.New())

allows for fault-tolerant APIs where duplicate requests — for example due to networking issues on the client-side — do not erroneously cause the same action performed multiple times on the server-side.

app.Use(idempotency.New(idempotency.Config{
    Lifetime: 42 * time.Minute,
    // ...
}))
// If you want to forward with a specific domain. You have to use proxy.DomainForward.
app.Get("/payments", proxy.DomainForward("docs.gofiber.io", "http://localhost:8000"))

// Or this way if the balancer is using https and the destination server is only using http.
app.Use(proxy.BalancerForward([]string{
    "http://localhost:3001",
    "http://localhost:3002",
    "http://localhost:3003",
}))

🧹 Updates/CI

🐛 Fixes

  • CI: Fix issues introduced in linting PR (#​2319)
  • Use app.getString, app.GetBytes instead of utils.UnsafeString, utils.UnsafeBytes in ctx.go (#​2297)
  • Os: Fix gopsutil compilation (#​2298)
  • Middleware/logger: logger color output (#​2296)

📚 Documentation

  • Rework Chinese (Taiwan) translation of documentation (#​2310)
  • Correct the figure link in READMEs (#​2312)
  • Remove the redundant space beside a comma (#​2309)
  • Add discord channel link (ID) (#​2303)
  • Middleware/filesystem: fix statik filesystem middleware example typo (#​2302)
  • Middleware/filesystem: clean duplicated namespace for example (#​2313)
  • Middleware/limiter: fix alignment in limiter example (#​2283)
  • Middleware/encryptcookie: Openssl rand -base64 32 hints (#​2316)

Full Changelog: gofiber/fiber@v2.41.0...v2.42.0

Thank you @​0xdeface, @​100gle, @​TwiN, @​cloudwindy, @​dozheiny, @​efectn, @​leonklingele, @​meehow, @​pan93412, @​rendiputra and @​rhabichl for making this update possible.

v2.41.0

Compare Source

🚀 New

🧹 Updates

  • Latency use lowest time unit in logger middleware (#​2261)
  • Add more detail error message in serverErrorHandler (#​2267)
  • Use fasthttp.AddMissingPort (#​2268)
  • Set byteSent log to 0 when use SetBodyStreamWriter (#​2239)
  • Unintended overwritten bind variables (#​2240)
  • Bump github.com/valyala/fasthttp from 1.41.0 to 1.43.0 (#​2237, #​2245)
  • Bump github.com/mattn/go-isatty from 0.0.16 to 0.0.17 (#​2279)

🐛 Fixes

  • Fix some warnings, go-ole on mac os (#​2280)
  • Properly handle error of "net.ParseCIDR" in "(*App).handleTrustedProxy" (#​2243)
  • Fix regex constraints that contain comma (#​2256)
  • Unintended overwritten bind variables (#​2240)

📚 Documentation

  • Fix ci badge errors (#​2282)
  • Replace 1.14 with 1.16 in READMEs (#​2265)
  • Update docstring for FormValue() (#​2262)
  • Added Ukrainian README translation (#​2249)
  • middleware/requestid: mention that the default UUID generator exposes the number of requests made to the server (#​2241)
  • middleware/filesystem does not handle url encoded values on it's own (#​2247)

Full Changelog: gofiber/fiber@v2.40.1...v2.41.0

Thank you @​AngelVI13, @​Simerax, @​cwinters8, @​efectn, @​jfcg, @​leonklingele, @​li-jin-gou, @​pjebs, @​shuuji3 and @​v1def for making this update possible.

v2.40.1

Compare Source

🐛 Fixes

  • Fix mounting when mount prefix is / (#​2227)

Full Changelog: gofiber/fiber@v2.40.0...v2.40.1

v2.40.0

Compare Source

❗ BreakingChange

  • Bump github.com/valyala/fasthttp from 1.40.0 to 1.41.0 (#​2171)
  • Deprecate: go 1.14 & go 1.15 support deprecation (#​2172)

Due to the fact that fasthttp, which fiber is based on in release 1.41.0, does not support go versions 1.14 & 1.15 anymore, we had to remove them from our package as well.

🚀 New

// now you can add your own custom methods
app := fiber.New(fiber.Config{
    RequestMethods: append(fiber.DefaultMethods, "LOAD", "TEST"),
})

app.Add("LOAD", "/hello", func(c *fiber.Ctx) error {
    return c.SendString("Hello, World 👋!")
})
// declaration of multiple paths for the ".Use" method as in express is now possible
app.Use([]string{"/john", "/doe"}, func(c *Ctx) error {
    return c.SendString(c.Path())
})
app.Get("/:userId<int>?", func(c *fiber.Ctx) error {
    return c.SendString(c.Params("userId"))
})
// curl -X GET http://localhost:3000/42
// 42

// curl -X GET http://localhost:3000/
//
app := fiber.New()
micro := fiber.New()
// order when registering the mounted apps no longer plays a role
app.Mount("/john", micro)
// before there was problem when after mounting routes were registered
micro.Get("/doe", func(c *fiber.Ctx) error {
    return c.SendStatus(fiber.StatusOK)
})
// output of the mount path possible
micro.MountPath()   // "/john"
// In systems where you have multiple ingress endpoints, it is common to add a URL prefix, like so:
app.Use(pprof.New(pprof.Config{Prefix: "/endpoint-prefix"}))
app.Use(logger.New(logger.Config{
    Format: "[${time}] ${status} - ${latency} ${method} ${randomNumber} ${path}\n",
    CustomTags: map[string]logger.LogFunc{
        // possibility to adapt or overwrite existing tags
        logger.TagMethod: func(output logger.Buffer, c *fiber.Ctx, data *logger.Data, extraParam string) (int, error) {
            return output.WriteString(utils.ToLower(c.Method()))
        },
        // own tags can be registered
        "randomNumber": func(output logger.Buffer, c *fiber.Ctx, data *logger.Data, extraParam string) (int, error) {
            return output.WriteString(strconv.FormatInt(rand.Int63n(100), 10))
        },
    },
}))
// [17:15:17] 200 -      0s get 10 /test
// [17:15:17] 200 -      0s get 51 /test
app.Use(logger.New(logger.Config{
    // is triggered when the handlers has been processed
    Done: func(c *fiber.Ctx, logString []byte) {
        // allows saving the logging string to other sources
        if c.Response().StatusCode() != fiber.StatusOK {
            reporter.SendToSlack(logString) 
        }
    },
}))

🧹 Updates

  • Track Configured Values (#​2221)
  • Ctx: simplify Protocol() (#​2217)
  • Ctx: make Secure() also report whether a secure connection was established to a trusted proxy (#​2215)
  • Ctx: update Locals function to accept interface{} key (#​2144)
  • Utils: reduce diff to external utils package (#​2206)
  • Utils: Update HTTP status codes (#​2203)
  • Utils: Replace UnsafeBytes util with suggested way (#​2204)
  • Fix and optimize memory storage (#​2207)
  • Leverage runtime/debug to print the full stack trace info (#​2183)
  • Ci: add check-latest param in vulncheck.yml (#​2197)
  • Ci: replace snyk with govulncheck (#​2178)

🐛 Fixes

  • Fix naming of routes inside groups (#​2199)

📚 Documentation

  • Update list of third-party library licenses (#​2211)
  • Update README_zh-CN.md (#​2186)
  • Add korean translate in Installation section (#​2213)
  • Comment typo (#​2173)
  • Cache readme and docs update (#​2169)

Full Changelog: gofiber/fiber@v2.39.0...v2.40.0

Thank you @​Skyenought, @​calebcase, @​efectn, @​gandaldf, @​gmlewis, @​jamestiotio, @​leonklingele, @​li-jin-gou, @​marcmartin13, @​panjf2000, @​pjebs, @​rafimuhammad01 and @​thor-son for making this update possible.

v2.39.0

Compare Source

🚀 New

🧹 Updates

  • Improve memory storage (#​2162)
  • Make IP validation 2x faster (#​2158)
  • Switch to text/javascript as per RFC9239 (#​2146)
  • Test: add nil jsonDecoder test case (#​2139)
  • Utils: update mime extensions (#​2133)

🐛 Fixes

  • Unhandled errors and update code comments to help the IDEs (#​2128)
  • Multi-byte AppName displays confusion (#​2148)
  • Query string parameter pass to fiber context (#​2164)
  • Handle multiple X-Forwarded header (#​2154)
  • Middleware/proxy - solve data race in middleware/proxy's test (#​2153)
  • Middleware/session - Reset d.Data instead of deleting keys in it (#​2156)
  • Agent: agent.Struct fails to unmarshal response since 2.33.0 #​2134 (#​2137)

📚 Documentation

Full Changelog: gofiber/fiber@v2.38.1...v2.39.0

Thank you @​Kamandlou, @​Yureien, @​efectn, @​floxydio, @​fufuok, @​joseroberto, @​leonklingele, @​li-jin-gou, @​marcmartin13, @​nathanfaucett, @​sadfun, @​supakornbabe, @​unickorn and @​xbt573 for making this update possible.

v2.38.1

Compare Source

🚀 New

🧹 Updates

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot changed the title Update module github.com/gofiber/fiber/v2 to v2.43.0 [SECURITY] Update module github.com/gofiber/fiber/v2 to v2.43.0 [SECURITY] - autoclosed Sep 12, 2023
@renovate renovate bot closed this Sep 12, 2023
@renovate renovate bot deleted the renovate/go-github.com/gofiber/fiber/v2-vulnerability branch September 12, 2023 21:20
@renovate renovate bot changed the title Update module github.com/gofiber/fiber/v2 to v2.43.0 [SECURITY] - autoclosed Update module github.com/gofiber/fiber/v2 to v2.43.0 [SECURITY] Sep 14, 2023
@renovate renovate bot reopened this Sep 14, 2023
@renovate renovate bot restored the renovate/go-github.com/gofiber/fiber/v2-vulnerability branch September 14, 2023 22:40
@renovate renovate bot force-pushed the renovate/go-github.com/gofiber/fiber/v2-vulnerability branch from eae4994 to 0b4f930 Compare September 14, 2023 22:40
@renovate renovate bot changed the title Update module github.com/gofiber/fiber/v2 to v2.43.0 [SECURITY] Update module github.com/gofiber/fiber/v2 to v2.49.2 [SECURITY] Sep 14, 2023
@renovate
Copy link
Contributor Author

renovate bot commented Sep 14, 2023
edited
Loading

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: docker run --rm --name=renovate_a_sidecar --label=renovate_a_child --memory=3584m -v "/tmp/worker/a3b56f/c7d5d7/repos/github/thefuga/go-poc":"/tmp/worker/a3b56f/c7d5d7/repos/github/thefuga/go-poc" -v "/tmp/worker/a3b56f/c7d5d7/cache":"/tmp/worker/a3b56f/c7d5d7/cache" -e GOPATH -e GOPROXY -e GOSUMDB -e GOFLAGS -e CGO_ENABLED -e GIT_CONFIG_KEY_0 -e GIT_CONFIG_VALUE_0 -e GIT_CONFIG_KEY_1 -e GIT_CONFIG_VALUE_1 -e GIT_CONFIG_KEY_2 -e GIT_CONFIG_VALUE_2 -e GIT_CONFIG_COUNT -e CONTAINERBASE_CACHE_DIR -w "/tmp/worker/a3b56f/c7d5d7/repos/github/thefuga/go-poc" ghcr.io/containerbase/sidecar:9.23.4 bash -l -c "install-tool golang 1.21.3 && go get -d -t ./..."
go: go.buf.build/grpc/go/thefuga/[email protected]: unrecognized import path "go.buf.build/grpc/go/thefuga/go-poc": https fetch: Get "https://go.buf.build/grpc/go/thefuga/go-poc?go-get=1": dial tcp: lookup go.buf.build on 10.43.0.2:53: no such host

@renovate renovate bot force-pushed the renovate/go-github.com/gofiber/fiber/v2-vulnerability branch from 0b4f930 to 3f335d9 Compare October 17, 2023 14:25
@renovate renovate bot changed the title Update module github.com/gofiber/fiber/v2 to v2.49.2 [SECURITY] Update module github.com/gofiber/fiber/v2 to v2.50.0 [SECURITY] Oct 17, 2023
@renovate renovate bot changed the title Update module github.com/gofiber/fiber/v2 to v2.50.0 [SECURITY] Update module github.com/gofiber/fiber/v2 to v2.50.0 [SECURITY] - autoclosed Jan 8, 2024
@renovate renovate bot closed this Jan 8, 2024
@renovate renovate bot deleted the renovate/go-github.com/gofiber/fiber/v2-vulnerability branch January 8, 2024 22:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants