Merge pull request #11 from retailnext/dependabot/go_modules/golang.org/x/crypto-0.49.0

kmansou · web-flow · commit 70a3d3accf45 · 2026-03-25T15:25:35.000+01:00
Bump golang.org/x/crypto from 0.48.0 to 0.49.0
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -17,4 +17,4 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v7
         with:
-          version: v2.0
+          version: v2.11
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go: [ '1.22.x', '1.23.x', '1.24.x']
+        go: [ '1.22.x', '1.23.x', '1.24.x', '1.25.x']
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v4
diff --git a/.golangci.yml b/.golangci.yml
@@ -51,7 +51,17 @@ linters:
     generated: lax
     rules:
       - path: (.+)\.go$
-        text: G104 # 'Errors unhandled. (gosec)
+        text: G104 # Errors unhandled (gosec)
+      - path: (.+)\.go$
+        text: G115 # integer overflow conversion int -> byte (gosec)
+      - path: (.+)\.go$
+        text: G117 # Marshaled struct field matches secret pattern (gosec)
+      - path: (.+)\.go$
+        text: G120 # Parsing form data without limiting request body size (gosec)
+      - path: (.+)\.go$
+        text: G705 # XSS via taint analysis (gosec)
+      - path: (.+)\.go$
+        text: G706 # Log injection via taint analysis (gosec)
     paths:
       - example/.*\.go$
 formatters:
diff --git a/go.mod b/go.mod
@@ -1,14 +1,14 @@
 module github.com/crewjam/saml
 
-go 1.24.0
+go 1.25.0
 
 require (
 	github.com/beevik/etree v1.6.0
 	github.com/golang-jwt/jwt/v5 v5.3.1
 	github.com/google/go-cmp v0.7.0
 	github.com/mattermost/xml-roundtrip-validator v0.1.0
 	github.com/russellhaering/goxmldsig v1.6.0
-	golang.org/x/crypto v0.48.0
+	golang.org/x/crypto v0.49.0
 	gotest.tools v2.2.0+incompatible
 )
 
diff --git a/go.sum b/go.sum
@@ -21,8 +21,8 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
-golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
+golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
+golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
diff --git a/identity_provider.go b/identity_provider.go
@@ -745,7 +745,7 @@ func (DefaultAssertionMaker) MakeAssertion(req *IdpAuthnRequest, session *Sessio
 	attributes = append(attributes, session.CustomAttributes...)
 
 	if len(session.Groups) != 0 {
-		groupMemberAttributeValues := []AttributeValue{}
+		groupMemberAttributeValues := make([]AttributeValue, 0, len(session.Groups))
 		for _, group := range session.Groups {
 			groupMemberAttributeValues = append(groupMemberAttributeValues, AttributeValue{
 				Type:  "xs:string",
@@ -1084,7 +1084,8 @@ func (req *IdpAuthnRequest) MakeResponse() error {
 // signingContext will create a signing context for the request.
 func (req *IdpAuthnRequest) signingContext() (*dsig.SigningContext, error) {
 	// Create a cert chain based off of the IDP cert and its intermediates.
-	certificates := [][]byte{req.IDP.Certificate.Raw}
+	certificates := make([][]byte, 0, 1+len(req.IDP.Intermediates))
+	certificates = append(certificates, req.IDP.Certificate.Raw)
 	for _, cert := range req.IDP.Intermediates {
 		certificates = append(certificates, cert.Raw)
 	}
diff --git a/xmlenc/cbc.go b/xmlenc/cbc.go
@@ -61,7 +61,7 @@ func (e CBC) Encrypt(key interface{}, plaintext []byte, _ []byte) (*etree.Elemen
 
 	plaintext = appendPadding(plaintext, block.BlockSize())
 
-	iv := make([]byte, block.BlockSize())
+	iv := make([]byte, block.BlockSize(), block.BlockSize()+len(plaintext))
 	if _, err := RandReader.Read(iv); err != nil {
 		return nil, err
 	}

Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ func (e CBC) Encrypt(key interface{}, plaintext []byte, _ []byte) (*etree.Elemen`
`61`	`61`
`62`	`62`	`plaintext = appendPadding(plaintext, block.BlockSize())`
`63`	`63`
`64`		`- iv := make([]byte, block.BlockSize())`
	`64`	`+ iv := make([]byte, block.BlockSize(), block.BlockSize()+len(plaintext))`
`65`	`65`	`if _, err := RandReader.Read(iv); err != nil {`
`66`	`66`	`return nil, err`
`67`	`67`	`}`