# Go vulnerability database report GO-2022-0463
# (CVE-2022-31259 / GHSA-qx32-f6g6-fcfr): overly broad route matching in
# the beego HTTP router, which may let a request bypass access controls
# applied to a path prefix (see 'description' below).
id: GO-2022-0463
# One entry per affected module path. The vulnerable routine is the
# route-tree matcher (Tree.Match / Tree.match); 'derived_symbols' lists
# the exported entry points recorded as reaching it (presumably
# generated by the vulndb tooling from 'symbols' — not hand-maintained).
modules:
  # Legacy import path. Unlike the two entries below it carries no
  # 'versions' entry, so no fixed version is recorded for this path;
  # only the version it was confirmed vulnerable at is given.
  # NOTE(review): with no fix recorded, consumers should treat every
  # version of this path as affected and migrate to github.com/beego/beego.
  - module: github.com/astaxie/beego
    vulnerable_at: 1.12.3
    packages:
      - package: github.com/astaxie/beego
        symbols:
          # Exported here; the later module paths name the unexported
          # Tree.match instead and list Tree.Match among derived symbols.
          - Tree.Match
        derived_symbols:
          - App.Run
          - ControllerRegister.FindPolicy
          - ControllerRegister.FindRouter
          - ControllerRegister.ServeHTTP
          - FilterRouter.ValidRouter
          - InitBeegoBeforeTest
          - Run
          - RunWithMiddleWares
          - TestBeegoInit
          - adminApp.Run
  # v1 line of the current import path: fixed in 1.12.9.
  - module: github.com/beego/beego
    versions:
      - fixed: 1.12.9
    vulnerable_at: 1.12.8
    packages:
      - package: github.com/beego/beego
        symbols:
          - Tree.match
        derived_symbols:
          - App.Run
          - ControllerRegister.FindPolicy
          - ControllerRegister.FindRouter
          - ControllerRegister.ServeHTTP
          - FilterRouter.ValidRouter
          - InitBeegoBeforeTest
          - Run
          - RunWithMiddleWares
          - TestBeegoInit
          - Tree.Match
          - adminApp.Run
  # v2 line: fixed in 2.0.3. The router lives in the server/web
  # package rather than the module root, so that package is listed.
  - module: github.com/beego/beego/v2
    versions:
      - fixed: 2.0.3
    vulnerable_at: 2.0.2
    packages:
      - package: github.com/beego/beego/v2/server/web
        symbols:
          - Tree.match
        # Much of the package's public surface reaches the matcher
        # (serving a request, registering routes, the admin app), which
        # is why this list is so long.
        derived_symbols:
          - AddNamespace
          - AddViewPath
          - Any
          - AutoPrefix
          - AutoRouter
          - BuildTemplate
          - Compare
          - CompareNot
          - Controller.Abort
          - Controller.Bind
          - Controller.BindForm
          - Controller.BindJSON
          - Controller.BindProtobuf
          - Controller.BindXML
          - Controller.BindYAML
          - Controller.CheckXSRFCookie
          - Controller.CustomAbort
          - Controller.Delete
          - Controller.DestroySession
          - Controller.Get
          - Controller.GetBool
          - Controller.GetFile
          - Controller.GetFloat
          - Controller.GetInt
          - Controller.GetInt16
          - Controller.GetInt32
          - Controller.GetInt64
          - Controller.GetInt8
          - Controller.GetSecureCookie
          - Controller.GetString
          - Controller.GetStrings
          - Controller.GetUint16
          - Controller.GetUint32
          - Controller.GetUint64
          - Controller.GetUint8
          - Controller.Head
          - Controller.Input
          - Controller.IsAjax
          - Controller.JSONResp
          - Controller.Options
          - Controller.ParseForm
          - Controller.Patch
          - Controller.Post
          - Controller.Put
          - Controller.Redirect
          - Controller.Render
          - Controller.RenderBytes
          - Controller.RenderString
          - Controller.Resp
          - Controller.SaveToFile
          - Controller.SaveToFileWithBuffer
          - Controller.ServeFormatted
          - Controller.ServeJSON
          - Controller.ServeJSONP
          - Controller.ServeXML
          - Controller.ServeYAML
          - Controller.SessionRegenerateID
          - Controller.SetData
          - Controller.SetSecureCookie
          - Controller.Trace
          - Controller.URLFor
          - Controller.XMLResp
          - Controller.XSRFFormHTML
          - Controller.XSRFToken
          - Controller.YamlResp
          - ControllerRegister.Add
          - ControllerRegister.AddAuto
          - ControllerRegister.AddAutoPrefix
          - ControllerRegister.AddMethod
          - ControllerRegister.AddRouterMethod
          - ControllerRegister.Any
          - ControllerRegister.CtrlAny
          - ControllerRegister.CtrlDelete
          - ControllerRegister.CtrlGet
          - ControllerRegister.CtrlHead
          - ControllerRegister.CtrlOptions
          - ControllerRegister.CtrlPatch
          - ControllerRegister.CtrlPost
          - ControllerRegister.CtrlPut
          - ControllerRegister.Delete
          - ControllerRegister.FindPolicy
          - ControllerRegister.FindRouter
          - ControllerRegister.Get
          - ControllerRegister.GetContext
          - ControllerRegister.Handler
          - ControllerRegister.Head
          - ControllerRegister.Include
          - ControllerRegister.Init
          - ControllerRegister.InsertFilter
          - ControllerRegister.Options
          - ControllerRegister.Patch
          - ControllerRegister.Post
          - ControllerRegister.Put
          - ControllerRegister.ServeHTTP
          - ControllerRegister.URLFor
          - CtrlAny
          - CtrlDelete
          - CtrlGet
          - CtrlHead
          - CtrlOptions
          - CtrlPatch
          - CtrlPost
          - CtrlPut
          - Date
          - DateFormat
          - DateParse
          - Delete
          - Exception
          - ExecuteTemplate
          - ExecuteViewPathTemplate
          - FileSystem.Open
          - FilterRouter.ValidRouter
          - FlashData.Error
          - FlashData.Notice
          - FlashData.Set
          - FlashData.Store
          - FlashData.Success
          - FlashData.Warning
          - Get
          - GetConfig
          - HTML2str
          - Handler
          - Head
          - Htmlquote
          - Htmlunquote
          - HttpServer.Any
          - HttpServer.AutoPrefix
          - HttpServer.AutoRouter
          - HttpServer.CtrlAny
          - HttpServer.CtrlDelete
          - HttpServer.CtrlGet
          - HttpServer.CtrlHead
          - HttpServer.CtrlOptions
          - HttpServer.CtrlPatch
          - HttpServer.CtrlPost
          - HttpServer.CtrlPut
          - HttpServer.Delete
          - HttpServer.Get
          - HttpServer.Handler
          - HttpServer.Head
          - HttpServer.Include
          - HttpServer.InsertFilter
          - HttpServer.LogAccess
          - HttpServer.Options
          - HttpServer.Patch
          - HttpServer.Post
          - HttpServer.PrintTree
          - HttpServer.Put
          - HttpServer.RESTRouter
          - HttpServer.Router
          - HttpServer.RouterWithOpts
          - HttpServer.Run
          - Include
          - InitBeegoBeforeTest
          - InsertFilter
          - LoadAppConfig
          - LogAccess
          - MapGet
          - Namespace.Any
          - Namespace.AutoPrefix
          - Namespace.AutoRouter
          - Namespace.Cond
          - Namespace.CtrlAny
          - Namespace.CtrlDelete
          - Namespace.CtrlGet
          - Namespace.CtrlHead
          - Namespace.CtrlOptions
          - Namespace.CtrlPatch
          - Namespace.CtrlPost
          - Namespace.CtrlPut
          - Namespace.Delete
          - Namespace.Filter
          - Namespace.Get
          - Namespace.Handler
          - Namespace.Head
          - Namespace.Include
          - Namespace.Namespace
          - Namespace.Options
          - Namespace.Patch
          - Namespace.Post
          - Namespace.Put
          - Namespace.Router
          - NewControllerRegister
          - NewControllerRegisterWithCfg
          - NewHttpServerWithCfg
          - NewHttpSever
          - NewNamespace
          - NotNil
          - Options
          - ParseForm
          - Patch
          - Policy
          - Post
          - PrintTree
          - Put
          - RESTRouter
          - ReadFromRequest
          - RenderForm
          - Router
          - RouterWithOpts
          - Run
          - RunWithMiddleWares
          - TestBeegoInit
          - Tree.AddRouter
          - Tree.AddTree
          - Tree.Match
          - URLFor
          - URLMap.GetMap
          - URLMap.GetMapData
          - Walk
          - adminApp.Run
          - adminController.AdminIndex
          - adminController.Healthcheck
          - adminController.ListConf
          - adminController.ProfIndex
          - adminController.PrometheusMetrics
          - adminController.QpsIndex
          - adminController.TaskStatus
          - beegoAppConfig.Bool
          - beegoAppConfig.DefaultBool
# Placeholder left by the upstream tooling; the one-line summary for
# this report has not been filled in yet.
summary: 'TODO(https://go.dev/issue/56443): fill in summary field'
# Risk statement for consumers: on the affected versions a filter or
# policy keyed on a route prefix does not reliably cover every request
# the router will dispatch, so prefix-based authorization cannot be
# relied on until the fixed versions above are in use.
description: |
    Routes in the beego HTTP router can match unintended patterns.
    This overly-broad matching may permit an attacker to bypass access
    controls.

    For example, the pattern "/a/b/:name" can match the URL "/a.xml/b/".
    This may bypass access control applied to the prefix "/a/".
published: 2022-07-01T20:06:59Z
cves:
  - CVE-2022-31259
ghsas:
  - GHSA-qx32-f6g6-fcfr
# 'fix' entries point at the upstream PR and its merge commit; the 'web'
# entries are the project site and the related issue/earlier PR.
references:
  - fix: https://github.com/beego/beego/pull/4958
  - fix: https://github.com/beego/beego/commit/64cf44d725c8cc35d782327d333df9cbeb1bf2dd
  - web: https://beego.vip
  - web: https://github.com/beego/beego/issues/4946
  - web: https://github.com/beego/beego/pull/4954
