Update module github.com/gin-gonic/gin to v1.9.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/gin-gonic/gin	v1.9.0 → v1.9.1

GitHub Vulnerability Alerts

CVE-2023-29401

The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat".

If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.

---

Release Notes

gin-gonic/gin (github.com/gin-gonic/gin)

v1.9.1

Compare Source

BUG FIXES

• fix Request.Context() checks #​3512

SECURITY

• fix lack of escaping of filename in Content-Disposition #​3556

ENHANCEMENTS

• refactor: use bytes.ReplaceAll directly #​3455
• convert strings and slices using the officially recommended way #​3344
• improve render code coverage #​3525

DOCS

• docs: changed documentation link for trusted proxies #​3575
• chore: improve linting, testing, and GitHub Actions setup #​3583

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 11 additional dependencies were updated

Details:

Package	Change
github.com/bytedance/sonic	v1.8.3 -> v1.9.1
github.com/go-playground/validator/v10	v10.11.2 -> v10.14.0
github.com/goccy/go-json	v0.10.0 -> v0.10.2
github.com/leodido/go-urn	v1.2.2 -> v1.2.4
github.com/mattn/go-isatty	v0.0.17 -> v0.0.19
github.com/pelletier/go-toml/v2	v2.0.7 -> v2.0.8
golang.org/x/crypto	v0.7.0 -> v0.9.0
golang.org/x/net	v0.8.0 -> v0.10.0
golang.org/x/sys	v0.6.0 -> v0.8.0
golang.org/x/text	v0.8.0 -> v0.9.0
google.golang.org/protobuf	v1.29.0 -> v1.30.0

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 11 additional dependencies were updated

Details:

Package	Change
github.com/bytedance/sonic	v1.8.3 -> v1.9.1
github.com/go-playground/validator/v10	v10.11.2 -> v10.14.0
github.com/goccy/go-json	v0.10.0 -> v0.10.2
github.com/leodido/go-urn	v1.2.2 -> v1.2.4
github.com/mattn/go-isatty	v0.0.17 -> v0.0.19
github.com/pelletier/go-toml/v2	v2.0.7 -> v2.0.8
golang.org/x/crypto	v0.7.0 -> v0.9.0
golang.org/x/net	v0.8.0 -> v0.10.0
golang.org/x/sys	v0.6.0 -> v0.8.0
golang.org/x/text	v0.8.0 -> v0.9.0
google.golang.org/protobuf	v1.29.0 -> v1.30.0