Skip to content

chore(deps): bump github.com/dapr/dapr from 1.16.0 to 1.16.14 in /tests/apps/scheduler#1634

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/tests/apps/scheduler/github.com/dapr/dapr-1.16.14
Open

chore(deps): bump github.com/dapr/dapr from 1.16.0 to 1.16.14 in /tests/apps/scheduler#1634
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/tests/apps/scheduler/github.com/dapr/dapr-1.16.14

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Apr 17, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps github.com/dapr/dapr from 1.16.0 to 1.16.14.

Release notes

Sourced from github.com/dapr/dapr's releases.

Dapr Runtime v1.16.14

Dapr 1.16.14

This update contains a critical security fix:

Security: Service invocation path traversal bypasses access control policies

Problem

Reserved URL characters and path traversal sequences in service invocation method paths could bypass access control policies. An attacker with access to the Dapr HTTP or gRPC API could invoke operations on a target application that the ACL was configured to deny.

Impact

Any deployment using access control policies for service invocation is affected. An attacker who can reach the Dapr API (HTTP or gRPC) could:

  • Use encoded path traversal (admin%2F..%2Fpublic) to reach an allowed path (/public) while the method started from a denied prefix (/admin).
  • Use encoded fragment (%23) or query (%3F) characters to cause the ACL to evaluate a different path than what was delivered to the target application.
  • Use a bare % to crash the ACL normalization, potentially bypassing the policy entirely.

The gRPC API was the more dangerous vector because gRPC passes the method as a raw string with no client-side URL sanitization — #, ?, %, ../, and control characters were all delivered literally.

Root Cause

The method path was normalized independently in two places:

  1. The ACL used purell.NormalizeURLString which treated the method as a URL — decoding %XX, resolving ../, and stripping # as a fragment delimiter and ? as a query delimiter.
  2. The dispatch layer (constructRequest for HTTP, gRPC passthrough) used the raw method string.

This created a mismatch: the ACL authorized one path while the target application received a different one. For example, admin%2F..%2Fpublic was normalized by the ACL to public (allowed), but the target application received the raw admin/../public.

Solution

The method path is now normalized at the service invocation edge — in directMessaging.Invoke for HTTP and gRPC public API calls, in callLocalValidateACL for gRPC internal calls, and in the gRPC proxy handler for proxied calls. The normalized form is used for both the ACL check and the outbound dispatch, eliminating the mismatch. The ACL is a pure policy evaluation layer and performs no normalization of its own.

For HTTP, Go's net/http server decodes percent-encoding in r.URL.Path before the method is extracted. For gRPC, method strings are raw (no percent-decoding) and are treated as opaque — percent-encoded sequences like %2F are literal characters, not path separators.

Normalization uses path.Clean to resolve ../ and duplicate slashes, and rejects method paths containing #, ?, null bytes, or control characters. The purell dependency has been removed from the ACL path.

As defense-in-depth, constructRequest in the HTTP channel applies path.Clean to the method before building the outbound URL.

Users are strongly encouraged to upgrade to this release.

Dapr Runtime v1.16.13

Dapr 1.16.13

This update includes a Go version bump, and bug fixes:

... (truncated)

Commits

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot
chore(deps): bump github.com/dapr/dapr in /tests/apps/scheduler
74a8e68 
Bumps [github.com/dapr/dapr](https://github.com/dapr/dapr) from 1.16.0 to 1.16.14.
- [Release notes](https://github.com/dapr/dapr/releases)
- [Changelog](https://github.com/dapr/dapr/blob/master/RELEASE.md)
- [Commits](dapr/dapr@v1.16.0...v1.16.14)

---
updated-dependencies:
- dependency-name: github.com/dapr/dapr
  dependency-version: 1.16.14
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Apr 17, 2026
@dependabot dependabot Bot requested review from a team as code owners April 17, 2026 22:21
@codecov

codecov Bot commented Apr 17, 2026
edited
Loading

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 15.66%. Comparing base (1c7e715) to head (74a8e68).
⚠️ Report is 78 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #1634      +/-   ##
==========================================
+ Coverage   15.15%   15.66%   +0.50%     
==========================================
  Files          64       64              
  Lines        7191     7200       +9     
==========================================
+ Hits         1090     1128      +38     
+ Misses       6016     5984      -32     
- Partials       85       88       +3

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@dapr-bot

dapr-bot commented May 24, 2026

Copy link
Copy Markdown
Collaborator

This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

@dapr-bot dapr-bot added stale and removed stale labels May 24, 2026
@dapr-bot

dapr-bot commented Jun 25, 2026

Copy link
Copy Markdown
Collaborator

This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

@dapr-bot dapr-bot added the stale label Jun 25, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code stale

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dapr-bot