packages:
  - module: github.com/beego/beego
    symbols:
      - Tree.match
    derived_symbols:
      - App.Run
      - ControllerRegister.FindPolicy
      - ControllerRegister.FindRouter
      - ControllerRegister.ServeHTTP
      - FilterRouter.ValidRouter
      - InitBeegoBeforeTest
      - Run
      - RunWithMiddleWares
      - TestBeegoInit
      - Tree.Match
      - adminApp.Run
    versions:
      - fixed: 1.12.9
    vulnerable_at: 1.12.8
  - module: github.com/beego/beego/v2
    package: github.com/beego/beego/v2/server/web
    symbols:
      - Tree.match
    derived_symbols:
      - AddNamespace
      - Any
      - AutoPrefix
      - AutoRouter
      - Compare
      - CompareNot
      - Controller.Bind
      - Controller.BindForm
      - Controller.BindXML
      - Controller.BindYAML
      - Controller.GetSecureCookie
      - Controller.ParseForm
      - Controller.Render
      - Controller.RenderBytes
      - Controller.RenderString
      - Controller.Resp
      - Controller.SaveToFile
      - Controller.ServeFormatted
      - Controller.ServeXML
      - Controller.ServeYAML
      - Controller.SetSecureCookie
      - Controller.Trace
      - Controller.URLFor
      - Controller.XMLResp
      - Controller.XSRFFormHTML
      - Controller.XSRFToken
      - Controller.YamlResp
      - ControllerRegister.Add
      - ControllerRegister.AddAuto
      - ControllerRegister.AddAutoPrefix
      - ControllerRegister.AddMethod
      - ControllerRegister.AddRouterMethod
      - ControllerRegister.Any
      - ControllerRegister.CtrlAny
      - ControllerRegister.CtrlDelete
      - ControllerRegister.CtrlGet
      - ControllerRegister.CtrlHead
      - ControllerRegister.CtrlOptions
      - ControllerRegister.CtrlPatch
      - ControllerRegister.CtrlPost
      - ControllerRegister.CtrlPut
      - ControllerRegister.Delete
      - ControllerRegister.FindPolicy
      - ControllerRegister.FindRouter
      - ControllerRegister.Get
      - ControllerRegister.Handler
      - ControllerRegister.Head
      - ControllerRegister.Include
      - ControllerRegister.Init
      - ControllerRegister.InsertFilter
      - ControllerRegister.Options
      - ControllerRegister.Patch
      - ControllerRegister.Post
      - ControllerRegister.Put
      - ControllerRegister.ServeHTTP
      - ControllerRegister.URLFor
      - CtrlAny
      - CtrlDelete
      - CtrlGet
      - CtrlHead
      - CtrlOptions
      - CtrlPatch
      - CtrlPost
      - CtrlPut
      - Delete
      - ExecuteTemplate
      - ExecuteViewPathTemplate
      - FilterRouter.ValidRouter
      - FlashData.Error
      - FlashData.Notice
      - FlashData.Set
      - FlashData.Success
      - FlashData.Warning
      - Get
      - GetConfig
      - HTML2str
      - Handler
      - Head
      - HttpServer.Any
      - HttpServer.AutoPrefix
      - HttpServer.AutoRouter
      - HttpServer.CtrlAny
      - HttpServer.CtrlDelete
      - HttpServer.CtrlGet
      - HttpServer.CtrlHead
      - HttpServer.CtrlOptions
      - HttpServer.CtrlPatch
      - HttpServer.CtrlPost
      - HttpServer.CtrlPut
      - HttpServer.Delete
      - HttpServer.Get
      - HttpServer.Handler
      - HttpServer.Head
      - HttpServer.Include
      - HttpServer.InsertFilter
      - HttpServer.Options
      - HttpServer.Patch
      - HttpServer.Post
      - HttpServer.PrintTree
      - HttpServer.Put
      - HttpServer.RESTRouter
      - HttpServer.Router
      - HttpServer.RouterWithOpts
      - HttpServer.Run
      - Include
      - InitBeegoBeforeTest
      - InsertFilter
      - LoadAppConfig
      - MapGet
      - Namespace.Any
      - Namespace.AutoPrefix
      - Namespace.AutoRouter
      - Namespace.Cond
      - Namespace.CtrlAny
      - Namespace.CtrlDelete
      - Namespace.CtrlGet
      - Namespace.CtrlHead
      - Namespace.CtrlOptions
      - Namespace.CtrlPatch
      - Namespace.CtrlPost
      - Namespace.CtrlPut
      - Namespace.Delete
      - Namespace.Filter
      - Namespace.Get
      - Namespace.Handler
      - Namespace.Head
      - Namespace.Include
      - Namespace.Namespace
      - Namespace.Options
      - Namespace.Patch
      - Namespace.Post
      - Namespace.Put
      - Namespace.Router
      - NewControllerRegister
      - NewControllerRegisterWithCfg
      - NewHttpServerWithCfg
      - NewHttpSever
      - NewNamespace
      - NotNil
      - Options
      - ParseForm
      - Patch
      - Policy
      - Post
      - PrintTree
      - Put
      - RESTRouter
      - RenderForm
      - Router
      - RouterWithOpts
      - Run
      - RunWithMiddleWares
      - TestBeegoInit
      - Tree.AddRouter
      - Tree.AddTree
      - Tree.Match
      - URLFor
      - URLMap.GetMap
      - URLMap.GetMapData
      - adminApp.Run
      - adminController.ListConf
      - adminController.ProfIndex
      - adminController.PrometheusMetrics
      - adminController.QpsIndex
      - adminController.TaskStatus
      - beegoAppConfig.Bool
      - beegoAppConfig.DefaultBool
      - init
    versions:
      - fixed: 2.0.3
    vulnerable_at: 2.0.2
description: |
  Routes in the beego HTTP router can match unintended patterns.
  This overly-broad matching may permit an attacker to bypass access
  controls.
  For example, the pattern "/a/b/:name" can match the URL "/a.xml/b/".
  This may bypass access control applied to the prefix "/a/".
cves:
  - CVE-2022-31259
ghsas:
  - GHSA-qx32-f6g6-fcfr
links:
  pr: https://github.com/beego/beego/pull/4958
  commit: https://github.com/beego/beego/commit/64cf44d725c8cc35d782327d333df9cbeb1bf2dd
  context:
    - https://beego.vip
    - https://github.com/beego/beego/issues/4946
    - https://github.com/beego/beego/pull/4954