x/vulndb: add reports/GO-2022-0463.yaml for CVE-2022-31259
Fixes golang/vulndb#0463
Change-Id: Ic46c56ccb7c1d3c1bae7ef5a3de675ea9356320f
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/413054
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/reports/GO-2022-0463.yaml b/reports/GO-2022-0463.yaml
new file mode 100644
index 0000000..f45f452
--- /dev/null
+++ b/reports/GO-2022-0463.yaml
@@ -0,0 +1,213 @@
+packages:
+ - module: github.com/beego/beego
+ symbols:
+ - Tree.match
+ derived_symbols:
+ - App.Run
+ - ControllerRegister.FindPolicy
+ - ControllerRegister.FindRouter
+ - ControllerRegister.ServeHTTP
+ - FilterRouter.ValidRouter
+ - InitBeegoBeforeTest
+ - Run
+ - RunWithMiddleWares
+ - TestBeegoInit
+ - Tree.Match
+ - adminApp.Run
+ versions:
+ - fixed: 1.12.9
+ vulnerable_at: 1.12.8
+ - module: github.com/beego/beego/v2
+ package: github.com/beego/beego/v2/server/web
+ symbols:
+ - Tree.match
+ derived_symbols:
+ - AddNamespace
+ - Any
+ - AutoPrefix
+ - AutoRouter
+ - Compare
+ - CompareNot
+ - Controller.Bind
+ - Controller.BindForm
+ - Controller.BindXML
+ - Controller.BindYAML
+ - Controller.GetSecureCookie
+ - Controller.ParseForm
+ - Controller.Render
+ - Controller.RenderBytes
+ - Controller.RenderString
+ - Controller.Resp
+ - Controller.SaveToFile
+ - Controller.ServeFormatted
+ - Controller.ServeXML
+ - Controller.ServeYAML
+ - Controller.SetSecureCookie
+ - Controller.Trace
+ - Controller.URLFor
+ - Controller.XMLResp
+ - Controller.XSRFFormHTML
+ - Controller.XSRFToken
+ - Controller.YamlResp
+ - ControllerRegister.Add
+ - ControllerRegister.AddAuto
+ - ControllerRegister.AddAutoPrefix
+ - ControllerRegister.AddMethod
+ - ControllerRegister.AddRouterMethod
+ - ControllerRegister.Any
+ - ControllerRegister.CtrlAny
+ - ControllerRegister.CtrlDelete
+ - ControllerRegister.CtrlGet
+ - ControllerRegister.CtrlHead
+ - ControllerRegister.CtrlOptions
+ - ControllerRegister.CtrlPatch
+ - ControllerRegister.CtrlPost
+ - ControllerRegister.CtrlPut
+ - ControllerRegister.Delete
+ - ControllerRegister.FindPolicy
+ - ControllerRegister.FindRouter
+ - ControllerRegister.Get
+ - ControllerRegister.Handler
+ - ControllerRegister.Head
+ - ControllerRegister.Include
+ - ControllerRegister.Init
+ - ControllerRegister.InsertFilter
+ - ControllerRegister.Options
+ - ControllerRegister.Patch
+ - ControllerRegister.Post
+ - ControllerRegister.Put
+ - ControllerRegister.ServeHTTP
+ - ControllerRegister.URLFor
+ - CtrlAny
+ - CtrlDelete
+ - CtrlGet
+ - CtrlHead
+ - CtrlOptions
+ - CtrlPatch
+ - CtrlPost
+ - CtrlPut
+ - Delete
+ - ExecuteTemplate
+ - ExecuteViewPathTemplate
+ - FilterRouter.ValidRouter
+ - FlashData.Error
+ - FlashData.Notice
+ - FlashData.Set
+ - FlashData.Success
+ - FlashData.Warning
+ - Get
+ - GetConfig
+ - HTML2str
+ - Handler
+ - Head
+ - HttpServer.Any
+ - HttpServer.AutoPrefix
+ - HttpServer.AutoRouter
+ - HttpServer.CtrlAny
+ - HttpServer.CtrlDelete
+ - HttpServer.CtrlGet
+ - HttpServer.CtrlHead
+ - HttpServer.CtrlOptions
+ - HttpServer.CtrlPatch
+ - HttpServer.CtrlPost
+ - HttpServer.CtrlPut
+ - HttpServer.Delete
+ - HttpServer.Get
+ - HttpServer.Handler
+ - HttpServer.Head
+ - HttpServer.Include
+ - HttpServer.InsertFilter
+ - HttpServer.Options
+ - HttpServer.Patch
+ - HttpServer.Post
+ - HttpServer.PrintTree
+ - HttpServer.Put
+ - HttpServer.RESTRouter
+ - HttpServer.Router
+ - HttpServer.RouterWithOpts
+ - HttpServer.Run
+ - Include
+ - InitBeegoBeforeTest
+ - InsertFilter
+ - LoadAppConfig
+ - MapGet
+ - Namespace.Any
+ - Namespace.AutoPrefix
+ - Namespace.AutoRouter
+ - Namespace.Cond
+ - Namespace.CtrlAny
+ - Namespace.CtrlDelete
+ - Namespace.CtrlGet
+ - Namespace.CtrlHead
+ - Namespace.CtrlOptions
+ - Namespace.CtrlPatch
+ - Namespace.CtrlPost
+ - Namespace.CtrlPut
+ - Namespace.Delete
+ - Namespace.Filter
+ - Namespace.Get
+ - Namespace.Handler
+ - Namespace.Head
+ - Namespace.Include
+ - Namespace.Namespace
+ - Namespace.Options
+ - Namespace.Patch
+ - Namespace.Post
+ - Namespace.Put
+ - Namespace.Router
+ - NewControllerRegister
+ - NewControllerRegisterWithCfg
+ - NewHttpServerWithCfg
+ - NewHttpSever
+ - NewNamespace
+ - NotNil
+ - Options
+ - ParseForm
+ - Patch
+ - Policy
+ - Post
+ - PrintTree
+ - Put
+ - RESTRouter
+ - RenderForm
+ - Router
+ - RouterWithOpts
+ - Run
+ - RunWithMiddleWares
+ - TestBeegoInit
+ - Tree.AddRouter
+ - Tree.AddTree
+ - Tree.Match
+ - URLFor
+ - URLMap.GetMap
+ - URLMap.GetMapData
+ - adminApp.Run
+ - adminController.ListConf
+ - adminController.ProfIndex
+ - adminController.PrometheusMetrics
+ - adminController.QpsIndex
+ - adminController.TaskStatus
+ - beegoAppConfig.Bool
+ - beegoAppConfig.DefaultBool
+ - init
+ versions:
+ - fixed: 2.0.3
+ vulnerable_at: 2.0.2
+description: |
+ Routes in the beego HTTP router can match unintended patterns.
+ This overly-broad matching may permit an attacker to bypass access
+ controls.
+
+ For example, the pattern "/a/b/:name" can match the URL "/a.xml/b/".
+ This may bypass access control applied to the prefix "/a/".
+cves:
+ - CVE-2022-31259
+ghsas:
+ - GHSA-qx32-f6g6-fcfr
+links:
+ pr: https://github.com/beego/beego/pull/4958
+ commit: https://github.com/beego/beego/commit/64cf44d725c8cc35d782327d333df9cbeb1bf2dd
+ context:
+ - https://beego.vip
+ - https://github.com/beego/beego/issues/4946
+ - https://github.com/beego/beego/pull/4954
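Review bot: The `links.context` list carries `https://beego.vip`, which is the project homepage rather than a reference that documents this vulnerability; the issue and pull-request links beside it are the ones a reader of the report actually needs, so the homepage entry should be dropped unless it points at a specific advisory or release note. A related consistency point is that the first module entry (`github.com/beego/beego`) has no `package:` line while the v2 entry names `github.com/beego/beego/v2/server/web`; presumably the v1 router and its `Tree.match` live in the module root package, in which case omitting `package:` is the convention, but if the symbol actually lives in a subpackage the entry needs a `package:` line too — worth confirming against the v1 source. The description could also state where the flaw sits, e.g. `Route matching in the beego HTTP router (Tree.match) can match unintended patterns.`, so that readers relate the prose to the listed symbol.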