
build(deps): bump github.com/dapr/dapr from 1.17.0 to 1.17.5 in /test/magpiego#11683

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/test/magpiego/github.com/dapr/dapr-1.17.5

Conversation

@dependabot
Contributor

@dependabot dependabot bot commented on behalf of github Apr 17, 2026


Bumps github.com/dapr/dapr from 1.17.0 to 1.17.5.

Release notes

Sourced from github.com/dapr/dapr's releases.

Dapr Runtime v1.17.5

Dapr 1.17.5

This update contains a critical security fix:

Security: Service invocation path traversal bypasses access control policies

Problem

Reserved URL characters and path traversal sequences in service invocation method paths could bypass access control policies. An attacker with access to the Dapr HTTP or gRPC API could invoke operations on a target application that the ACL was configured to deny.

Impact

Any deployment using access control policies for service invocation is affected. An attacker who can reach the Dapr API (HTTP or gRPC) could:

  • Use encoded path traversal (admin%2F..%2Fpublic) to reach an allowed path (/public) while the method started from a denied prefix (/admin).
  • Use encoded fragment (%23) or query (%3F) characters to cause the ACL to evaluate a different path than what was delivered to the target application.
  • Use a bare % to crash the ACL normalization, potentially bypassing the policy entirely.

The gRPC API was the more dangerous vector because gRPC passes the method as a raw string with no client-side URL sanitization — #, ?, %, ../, and control characters were all delivered literally.

Root Cause

The method path was normalized independently in two places:

  1. The ACL used purell.NormalizeURLString which treated the method as a URL — decoding %XX, resolving ../, and stripping # as a fragment delimiter and ? as a query delimiter.
  2. The dispatch layer (constructRequest for HTTP, gRPC passthrough) used the raw method string.

This created a mismatch: the ACL authorized one path while the target application received a different one. For example, admin%2F..%2Fpublic was normalized by the ACL to public (allowed), but the target application received the raw admin/../public.

Solution

The method path is now normalized at the service invocation edge — in directMessaging.Invoke for HTTP and gRPC public API calls, in callLocalValidateACL for gRPC internal calls, and in the gRPC proxy handler for proxied calls. The normalized form is used for both the ACL check and the outbound dispatch, eliminating the mismatch. The ACL is a pure policy evaluation layer and performs no normalization of its own.

For HTTP, Go's net/http server decodes percent-encoding in r.URL.Path before the method is extracted. For gRPC, method strings are raw (no percent-decoding) and are treated as opaque — percent-encoded sequences like %2F are literal characters, not path separators.

Normalization uses path.Clean to resolve ../ and duplicate slashes, and rejects method paths containing #, ?, null bytes, or control characters. The purell dependency has been removed from the ACL path.

As defense-in-depth, constructRequest in the HTTP channel applies path.Clean to the method before building the outbound URL.

Users are strongly encouraged to upgrade to this release.

Dapr Runtime v1.17.4

Dapr 1.17.4

This update contains bug fixes:

... (truncated)

Commits
  • 3974797 fix service invocation path traversal ACL bypass (#9804)
  • 55aa098 Scheduler: fix reconnection of streaming connections (#9776) (#9777)
  • 4415333 [Backport release-1.17] Fix daprd sidecar placement dissemination timeout han...
  • 232d85a [Backport release-1.17] Workflow: Fix carry over events for ContiueAsNew (#9773)
  • 0ae47ca Fix workflow event loss during ContinueAsNew under high event volume (#9760) ...
  • 5924cc9 strip hop-by-hop headers when proxying HTTP (#9759) (#9761)
  • c0b19be [Backport release-1.17] Add e2e test for scheduler quorum recovery after pod ...
  • cf45390 Fix cross-app workflow stuck in PENDING when remote app is offline (#9738) (#...
  • 817749b [1.17] Update component contrib for pulsar changes (#9718)
  • 6828ba9 Fix stale Content-Length header forwarded (#9670) (#9707)
  • Additional commits viewable in compare view

@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Apr 17, 2026
Copilot AI review requested due to automatic review settings April 17, 2026 22:21
@dependabot dependabot bot requested review from a team as code owners April 17, 2026 22:21
@dependabot dependabot bot review requested due to automatic review settings April 17, 2026 22:21
@github-actions

github-actions bot commented Apr 17, 2026

Unit Tests

    2 files    415 suites   5m 43s ⏱️
4 872 tests 4 870 ✅ 2 💤 0 ❌
5 774 runs  5 772 ✅ 2 💤 0 ❌

Results for commit 1b0db38.


@dependabot dependabot bot force-pushed the dependabot/go_modules/test/magpiego/github.com/dapr/dapr-1.17.5 branch from 7e74c10 to 582e37f Compare April 20, 2026 22:21
@dependabot dependabot bot requested review from Copilot and removed request for Copilot April 20, 2026 22:21
Bumps [github.com/dapr/dapr](https://github.com/dapr/dapr) from 1.17.0 to 1.17.5.
- [Release notes](https://github.com/dapr/dapr/releases)
- [Changelog](https://github.com/dapr/dapr/blob/master/RELEASE.md)
- [Commits](dapr/dapr@v1.17.0...v1.17.5)

---
updated-dependencies:
- dependency-name: github.com/dapr/dapr
  dependency-version: 1.17.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Copilot AI review requested due to automatic review settings April 20, 2026 23:03
@dependabot dependabot bot force-pushed the dependabot/go_modules/test/magpiego/github.com/dapr/dapr-1.17.5 branch from 582e37f to 1b0db38 Compare April 20, 2026 23:03
@dependabot dependabot bot review requested due to automatic review settings April 20, 2026 23:03
@radius-functional-tests

radius-functional-tests bot commented Apr 20, 2026

Radius functional test overview

| Name | Value |
| --- | --- |
| Repository | radius-project/radius |
| Commit ref | 1b0db38 |
| Unique ID | func1346fcc487 |
| Image tag | pr-func1346fcc487 |
  • gotestsum 1.13.0
  • KinD: v0.29.0
  • Dapr: 1.14.4
  • Azure KeyVault CSI driver: 1.4.2
  • Azure Workload identity webhook: 1.3.0
  • Bicep recipe location ghcr.io/radius-project/dev/test/testrecipes/test-bicep-recipes/<name>:pr-func1346fcc487
  • Terraform recipe location http://tf-module-server.radius-test-tf-module-server.svc.cluster.local/<name>.zip (in cluster)
  • applications-rp test image location: ghcr.io/radius-project/dev/applications-rp:pr-func1346fcc487
  • dynamic-rp test image location: ghcr.io/radius-project/dev/dynamic-rp:pr-func1346fcc487
  • controller test image location: ghcr.io/radius-project/dev/controller:pr-func1346fcc487
  • ucp test image location: ghcr.io/radius-project/dev/ucpd:pr-func1346fcc487
  • deployment-engine test image location: ghcr.io/radius-project/deployment-engine:latest

Test Status

⌛ Building Radius and pushing container images for functional tests...
✅ Container images build succeeded
⌛ Publishing Bicep Recipes for functional tests...
✅ Recipe publishing succeeded
⌛ Starting ucp-cloud functional tests...
⌛ Starting corerp-cloud functional tests...
✅ ucp-cloud functional tests succeeded
✅ corerp-cloud functional tests succeeded

@lakshmimsft
Contributor

@dependabot rebase
