fix(deps): update module github.com/labstack/echo/v4 to v4.15.4

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/labstack/echo/v4	v4.15.1 → v4.15.4

---

Release Notes

labstack/echo (github.com/labstack/echo/v4)

v4.15.4

Compare Source

Security

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler (used by Static/StaticFS) and the Static middleware are affected. Backport of the v5 fix (#​3016, released in v5.2.1). Thanks to @​a-tt-om and @​oran-gugu for reporting.

---

Make serving static file releated methods and middleware not unescape path by default - so how the way Router interprets paths and Static methods/middleware is consistent.

Given following situation:

// 0.
// given folder structure:
// private.txt
// public/
// public/index.html
// public/text.txt
// public/admin/private.txt

// 1. share `public/` folder contents from the server root. This folder actually contains subfolder `admin` which
// contents we want to forbid from downloading
e.Static("/", "public")

// 2. naively assume that everything under /admin folder is now forbidden
e.GET("/admin/*", func(c *Context) error {
    return ErrForbidden
})

Then requests to /admin%2fprivate.txt would not be matched to GET /admin/* route (routing does not look unescaped path) and static file serving will use unescaped path to serve the file.

Note: this way of "guarding" subfolders will never work for for paths like /assets/../admin%2fprivate.txt which will path.Clean("/assets/../admin%2fprivate.txt") to /admin/private.txt and are servable if static file serving is configured to unescape paths.

If you want to guard routes - use middlewares on Static* methods and before Static middleware.

Breaking change / migration: If you serve files whose names contain URL-encoded characters (e.g., /hello%20world.txt → hello world.txt), you must now opt in:

	e := echo.New()
	e.EnablePathUnescapingStaticFiles = true  // <-- enable old behavior
	e.Static("/", "public")

for static middleware

	e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
		EnablePathUnescaping: true, // <-- enable old behavior
	}))

Full Changelog: labstack/echo@v4.15.3...v4.15.4

v4.15.3: - Static encoded-separator route bypass fix (GHSA-vfp3-v2gw-7wfq)

Compare Source

Security

• fix(static): reject encoded path separators that bypass route-level middleware by @​vishr in #​3011

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler (used by Static/StaticFS) and the Static middleware are affected. Backport of the v5 fix (#​3009, released in v5.2.0). Thanks to @​a-tt-om and @​oran-gugu for reporting.

Full Changelog: labstack/echo@v4.15.2...v4.15.3

v4.15.2: - Context.Scheme() header validation

Compare Source

Security

• Context.Scheme() should validate values taken from header by @​aldas in #​2962

Thanks to @​shblue21 for reporting this issue.

Full Changelog: labstack/echo@v4.15.1...v4.15.2

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 11 additional dependencies were updated

Details:

Package	Change
github.com/labstack/gommon	v0.4.2 -> v0.5.0
github.com/mattn/go-colorable	v0.1.14 -> v0.1.15
github.com/mattn/go-isatty	v0.0.20 -> v0.0.22
golang.org/x/crypto	v0.49.0 -> v0.53.0
golang.org/x/mod	v0.34.0 -> v0.36.0
golang.org/x/net	v0.52.0 -> v0.56.0
golang.org/x/sync	v0.20.0 -> v0.21.0
golang.org/x/sys	v0.42.0 -> v0.46.0
golang.org/x/text	v0.35.0 -> v0.38.0
golang.org/x/time	v0.14.0 -> v0.15.0
golang.org/x/tools	v0.43.0 -> v0.45.0