…RITY] (#904)

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure) | `v2.3.0` -> `v2.4.0` | [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgo-viper%2fmapstructure%2fv2/v2.4.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgo-viper%2fmapstructure%2fv2/v2.3.0/v2.4.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

### go-viper's mapstructure May Leak Sensitive Information in Logs When Processing Malformed Data
[GHSA-2464-8j7c-4cjm](GHSA-2464-8j7c-4cjm)

<details>
<summary>More information</summary>

#### Details
##### Summary

Use of this library in a security-critical context may result in leaking sensitive information, if used to process sensitive fields.

##### Details

OpenBao (and presumably HashiCorp Vault) have surfaced error messages from `mapstructure` as follows:

https://github.com/openbao/openbao/blob/98c3a59c040efca724353ca46ca79bd5cdbab920/sdk/framework/field_data.go#L43-L50

```go
			_, _, err := d.getPrimitive(field, schema)
			if err != nil {
				return fmt.Errorf("error converting input for field %q: %w", field, err)
			}
```

where this calls `mapstructure.WeakDecode(...)`: https://github.com/openbao/openbao/blob/98c3a59c040efca724353ca46ca79bd5cdbab920/sdk/framework/field_data.go#L181-L193

```go

func (d *FieldData) getPrimitive(k string, schema *FieldSchema) (interface{}, bool, error) {
	raw, ok := d.Raw[k]
	if !ok {
		return nil, false, nil
	}

	switch t := schema.Type; t {
	case TypeBool:
		var result bool
		if err := mapstructure.WeakDecode(raw, &result); err != nil {
			return nil, false, err
		}
		return result, true, nil
```

Notably, `WeakDecode(...)` eventually calls one of the decode helpers, which surfaces the original value via `strconv` helpers:

https://github.com/go-viper/mapstructure/blob/8c61ec1924fcfa522f9fc6b4618c672db61d1a38/mapstructure.go#L720-L727

https://github.com/go-viper/mapstructure/blob/8c61ec1924fcfa522f9fc6b4618c672db61d1a38/mapstructure.go#L791-L798

https://github.com/go-viper/mapstructure/blob/8c61ec1924fcfa522f9fc6b4618c672db61d1a38/decode_hooks.go#L180

& more. These are different code paths than are fixed in the previous iteration at GHSA-fv92-fjc5-jj9h.

##### PoC

To reproduce with OpenBao:

```
$ podman run --pull=always -p 8300:8300 openbao/openbao:latest server -dev -dev-root-token-id=root -dev-listen-address=0.0.0.0:8300
```

and in a new tab:

```
$ BAO_TOKEN=root BAO_ADDR=http://localhost:8300 bao auth enable userpass
Success! Enabled userpass auth method at: userpass/
$ curl -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: root" -d '{"ttl":"asdf"}' "http://localhost:8200/v1/auth/userpass/users/asdf"

--> server logs:

2025-06-25T21:32:25.101-0500 [ERROR] core: failed to run existence check: error="error converting input for field \"ttl\": time: invalid duration \"asdf\""
```

##### Impact

This is an information disclosure bug with little mitigation. See https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717 for a previous version. That version was fixed, but this is in the second part of that error message (starting at `'' expected a map, got 'string'` -- when the field type is `string` and a `map` is provided, we see the above information leak -- the previous example had a `map` type field with a `string` value provided).

This was rated 4.5 Medium by HashiCorp in the past iteration.

#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N`

#### References
- [https://github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm](https://github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm)
- [https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c](https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c)
- [https://github.com/go-viper/mapstructure](https://github.com/go-viper/mapstructure)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-2464-8j7c-4cjm) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>go-viper/mapstructure (github.com/go-viper/mapstructure/v2)</summary>

### [`v2.4.0`](https://github.com/go-viper/mapstructure/releases/tag/v2.4.0)

[Compare Source](go-viper/mapstructure@v2.3.0...v2.4.0)

#### What's Changed

- refactor: replace interface{} with any by [@&#8203;sagikazarmark](https://github.com/sagikazarmark) in go-viper/mapstructure#115
- build(deps): bump github/codeql-action from 3.29.0 to 3.29.2 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in go-viper/mapstructure#114
- Generic tests by [@&#8203;sagikazarmark](https://github.com/sagikazarmark) in go-viper/mapstructure#118
- Fix godoc reference link in README.md by [@&#8203;peczenyj](https://github.com/peczenyj) in go-viper/mapstructure#107
- feat: add StringToTimeLocationHookFunc to convert strings to \*time.Location by [@&#8203;ErfanMomeniii](https://github.com/ErfanMomeniii) in go-viper/mapstructure#117
- feat: add back previous StringToSlice as a weak function by [@&#8203;sagikazarmark](https://github.com/sagikazarmark) in go-viper/mapstructure#119

#### New Contributors

- [@&#8203;ErfanMomeniii](https://github.com/ErfanMomeniii) made their first contribution in go-viper/mapstructure#117

**Full Changelog**: go-viper/mapstructure@v2.3.0...v2.4.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS43Ni4wIiwidXBkYXRlZEluVmVyIjoiNDEuNzYuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiS2luZC9DaG9yZSJdfQ==-->

<!--start release-notes-assistant-->
<!--URL:https://code.forgejo.org/forgejo/runner-->
- other
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/904): <!--number 904 --><!--line 0 --><!--description VXBkYXRlIGdpdGh1Yi5jb20vZ28tdmlwZXIvbWFwc3RydWN0dXJlL3YyIChpbmRpcmVjdCkgdG8gdjIuNC4wIFtTRUNVUklUWV0=-->Update github.com/go-viper/mapstructure/v2 (indirect) to v2.4.0 [SECURITY]<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/904
Reviewed-by: earl-warren <[email protected]>
Co-authored-by: Renovate Bot <[email protected]>
Co-committed-by: Renovate Bot <[email protected]>