
Fix: convert reflect.New panic to error in Unmarshal #599

Draft: Copilot wants to merge 2 commits into main from copilot/fix-reflect-new-panic-error


Copilot AI commented Mar 2, 2026

Unmarshal could panic with reflect: New of type that may not be allocated in heap (possibly undefined cgo C type) when processing certain input, crashing the caller instead of returning an error. The panic originates deep in the custom JSON unmarshalling stack (newValue → reflect.New) and escapes unhandled.

Changes

  • apps/internal/json/json.go: Add a deferred recover() to Unmarshal using a named return, converting any panic into an error:

    func Unmarshal(b []byte, i interface{}) (err error) {
        defer func() {
            if r := recover(); r != nil {
                err = fmt.Errorf("json: panic during Unmarshal: %v", r)
            }
        }()
        // ...
    }
  • apps/internal/json/json_test.go: Add TestUnmarshalPanicRecovery — uses a panicUnmarshaler type (whose UnmarshalJSON panics) to assert that Unmarshal returns an error rather than propagating the panic.

Original prompt

This section details on the original issue you should resolve

<issue_title>[Bug] Panic with "reflect: New of type that may not be allocated in heap (possibly undefined cgo C type)"</issue_title>
<issue_description>Which version of MSAL Go are you using?
1.4.2

Where is the issue?

  • Public client
    • Device code flow
    • Username/Password (ROPC grant)
    • Authorization code flow
  • Confidential client
    • Authorization code flow
    • Client credentials:
      • client secret
      • client certificate
  • Token cache serialization
    • In-memory cache
  • Other (please describe)

Is this a new or an existing app?
The app is in production and I have upgraded to a new version of Microsoft Authentication Library for Go.

What version of Go are you using (go version)?

1.24.1

What operating system and processor architecture are you using (go env)?

Windows 11 AMD64

Repro

I don't know the steps to reproduce - this was captured by Sentry. I could guess that the input data was malformed somehow, but looking at the backtrace can probably provide a clue as to how to reproduce.

Expected behavior
The library code should not panic when unmarshalling. Unmarshal returns an error so I expect it to error if there are issues with the input data. The struct it is unmarshalling to is defined by the library, so if that is at fault it should be fixed.

Actual behavior
Panic:

reflect: New of type that may not be allocated in heap (possibly undefined cgo C type)

reflect/value.go in New at line 3019
github.com/AzureAD/microsoft-authentication-library-for-go@v1.4.2/apps/internal/json/mapslice.go in newValue at line 332
github.com/AzureAD/microsoft-authentication-library-for-go@v1.4.2/apps/internal/json/mapslice.go in (*mapWalk).storeStruct at line 123
github.com/AzureAD/microsoft-authentication-library-for-go@v1.4.2/apps/internal/json/mapslice.go in (*mapWalk).run at line 37
github.com/AzureAD/microsoft-authentication-library-for-go@v1.4.2/apps/internal/json/mapslice.go in unmarshalMap at line 19
github.com/AzureAD/microsoft-authentication-library-for-go@v1.4.2/apps/internal/json/struct.go in (*decoder).storeValue at line 151
github.com/AzureAD/microsoft-authentication-library-for-go@v1.4.2/apps/internal/json/struct.go in (*decoder).run at line 57
github.com/AzureAD/microsoft-authentication-library-for-go@v1.4.2/apps/internal/json/struct.go in unmarshalStruct at line 38
github.com/AzureAD/microsoft-authentication-library-for-go@v1.4.2/apps/internal/json/json.go in Unmarshal at line 68
github.com/AzureAD/microsoft-authentication-library-for-go@v1.4.2/apps/internal/base/storage/storage.go in (*Manager).Unmarshal at line 581
</issue_description>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: bgavrilMS <12273384+bgavrilMS@users.noreply.github.com>

sonarqubecloud Bot commented Mar 2, 2026

Copilot AI changed the title from "[WIP] Fix panic with reflect: New of unallocated type" to "Fix: convert reflect.New panic to error in Unmarshal" on Mar 2, 2026
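
The recover pattern from the PR description, as an added example that is not code from this pull request or from MSAL Go: it shows why the named return matters, since the same deferred recover() on an unnamed result returns nil after a panic and reports success. Assumptions: safeUnmarshal, lossyUnmarshal and errDecodePanic are hypothetical names, encoding/json stands in for the library's internal json package, and the trigger is a constructed reflect.New(nil) panic rather than the not-in-heap panic from the issue.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"reflect"
)

// errDecodePanic (hypothetical) lets callers tell a recovered panic from a normal decode error.
var errDecodePanic = errors.New("json: panic during Unmarshal")

// panicUnmarshaler mirrors the PR's test type: its UnmarshalJSON panics.
// Constructed trigger: reflect.New(nil) panics with "reflect: New(nil)".
type panicUnmarshaler struct{}

func (*panicUnmarshaler) UnmarshalJSON([]byte) error {
	_ = reflect.New(nil)
	return nil
}

// safeUnmarshal uses a named return, so the deferred func can overwrite the result.
func safeUnmarshal(b []byte, v any) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%w: %v", errDecodePanic, r)
		}
	}()
	return json.Unmarshal(b, v) // stand-in for the library's internal decoder
}

// lossyUnmarshal recovers as well, but its result is unnamed: after a recovered
// panic the function returns the zero value (nil), which reports success.
func lossyUnmarshal(b []byte, v any) error {
	var err error
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%w: %v", errDecodePanic, r) // local only, never returned
		}
	}()
	err = json.Unmarshal(b, v)
	return err
}

func main() {
	fmt.Println("named return:  ", safeUnmarshal([]byte(`{}`), &panicUnmarshaler{}))
	fmt.Println("unnamed return:", lossyUnmarshal([]byte(`{}`), &panicUnmarshaler{}))
}
```

Wrapping a sentinel with %w lets a caller separate a recovered panic from an ordinary syntax error using errors.Is, which is useful when the two should be logged or alerted on differently.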
Development

Successfully merging this pull request may close these issues.

[Bug] Panic with "reflect: New of type that may not be allocated in heap (possibly undefined cgo C type)"