circle-ir 3.34.0 → 3.36.0

package/configs/sinks/code_injection.yaml

@@ -514,6 +514,118 @@
       "severity": "critical",
       "note": "Jenkins Groovy sandbox static call interception"
     },
+    {
+      "method": "onGetProperty",
+      "class": "SandboxInterceptor",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "critical",
+      "note": "Jenkins Groovy sandbox property read interception (issue #17)"
+    },
+    {
+      "method": "onSetProperty",
+      "class": "SandboxInterceptor",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "critical",
+      "note": "Jenkins Groovy sandbox property write interception (issue #17)"
+    },
+    {
+      "method": "onGetAttribute",
+      "class": "SandboxInterceptor",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "critical",
+      "note": "Jenkins Groovy sandbox attribute read interception (issue #17)"
+    },
+    {
+      "method": "onSetAttribute",
+      "class": "SandboxInterceptor",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "critical",
+      "note": "Jenkins Groovy sandbox attribute write interception (issue #17)"
+    },
+    {
+      "method": "onMethodPointer",
+      "class": "SandboxInterceptor",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "critical",
+      "note": "Jenkins Groovy sandbox method-pointer interception (issue #17)"
+    },
+    {
+      "method": "onSuperCall",
+      "class": "SandboxInterceptor",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "critical",
+      "note": "Jenkins Groovy sandbox super-call interception (issue #17)"
+    },
+    {
+      "method": "onSuperConstructor",
+      "class": "SandboxInterceptor",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "critical",
+      "note": "Jenkins Groovy sandbox super-constructor interception (issue #17)"
+    },
+    {
+      "method": "onMethodCall",
+      "class": "GroovyInterceptor",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "critical",
+      "note": "Groovy sandbox parent class — some plugins extend GroovyInterceptor directly (issue #17)"
+    },
+    {
+      "method": "onNewInstance",
+      "class": "GroovyInterceptor",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "critical",
+      "note": "Groovy sandbox parent class — constructor interception (issue #17)"
+    },
+    {
+      "method": "onStaticCall",
+      "class": "GroovyInterceptor",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "critical",
+      "note": "Groovy sandbox parent class — static-call interception (issue #17)"
+    },
+    {
+      "method": "onGetProperty",
+      "class": "GroovyInterceptor",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "critical",
+      "note": "Groovy sandbox parent class — property read (issue #17)"
+    },
+    {
+      "method": "onSetProperty",
+      "class": "GroovyInterceptor",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "critical",
+      "note": "Groovy sandbox parent class — property write (issue #17)"
+    },
+    {
+      "method": "call",
+      "class": "SandboxTransformer",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "critical",
+      "note": "Groovy AST transformer that wires interceptor callbacks — bypass target (issue #17, CVE-2023-24422)"
+    },
+    {
+      "method": "runInSandbox",
+      "class": "GroovySandbox",
+      "type": "code_injection",
+      "cwe": "CWE-094",
+      "severity": "critical",
+      "note": "Jenkins script-security outer sandbox wrapper (issue #17)"
+    },
     {
       "method": "render",
       "class": "XWikiRenderer",

package/dist/analysis/config-loader.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA4a1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAwpCtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA6LhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}
+{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../src/analysis/config-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,UAAU,EACV,WAAW,EACX,aAAa,EACb,WAAW,EACX,gBAAgB,EAChB,UAAU,EACX,MAAM,oBAAoB,CAAC;AAE5B;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC,CAEjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAiB1E;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG;IACtD,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,UAAU,EAAE,gBAAgB,EAAE,CAAC;CAChC,CAcA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,WAAW,CAQb;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA4a1C,CAAC;AAEF,eAAO,MAAM,aAAa,EAAE,WAAW,EAkrCtC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,gBAAgB,EA6LhD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,WAAW,CAM9C;AAMD;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,EAAE,UAAU,EA8F5C,CAAC"}

package/dist/analysis/config-loader.js

@@ -873,6 +873,32 @@ export const DEFAULT_SINKS = [
     { method: 'parse', class: 'GroovyShell', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
     { method: 'parseClass', class: 'GroovyClassLoader', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
     { method: 'run', class: 'GroovyScriptEngine', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
+    // Jenkins script-security plugin — Groovy sandbox attack surface (issue #17, CVE-2023-24422).
+    // The sandbox is a documented-bypassable security control; the dispatch points that
+    // route tainted Groovy through the sandbox runtime are code-injection sinks, not
+    // sanitizers. SandboxInterceptor.onNewInstance already lives in command_injection above;
+    // these add the missing dispatch surface plus the parent GroovyInterceptor class and
+    // the AST transformer / outer GroovySandbox wrapper.
+    { method: 'onMethodCall', class: 'SandboxInterceptor', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
+    { method: 'onStaticCall', class: 'SandboxInterceptor', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
+    { method: 'onGetProperty', class: 'SandboxInterceptor', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
+    { method: 'onSetProperty', class: 'SandboxInterceptor', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
+    { method: 'onGetAttribute', class: 'SandboxInterceptor', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
+    { method: 'onSetAttribute', class: 'SandboxInterceptor', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
+    { method: 'onMethodPointer', class: 'SandboxInterceptor', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
+    { method: 'onSuperCall', class: 'SandboxInterceptor', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
+    { method: 'onSuperConstructor', class: 'SandboxInterceptor', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
+    // Parent class — some plugins extend GroovyInterceptor directly.
+    { method: 'onMethodCall', class: 'GroovyInterceptor', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
+    { method: 'onNewInstance', class: 'GroovyInterceptor', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
+    { method: 'onStaticCall', class: 'GroovyInterceptor', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
+    { method: 'onGetProperty', class: 'GroovyInterceptor', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
+    { method: 'onSetProperty', class: 'GroovyInterceptor', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
+    // AST transformer — converts unsafe Groovy AST into interceptor callbacks; bypasses target this.
+    { method: 'call', class: 'SandboxTransformer', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
+    // GroovySandbox.runInSandbox — Jenkins script-security outer wrapper (real API; the
+    // "sandbox" entry in command.yaml is fictional).
+    { method: 'runInSandbox', class: 'GroovySandbox', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [] },
     // JavaScript engine (Nashorn/Rhino)
     { method: 'eval', class: 'Bindings', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },
     { method: 'eval', class: 'ScriptContext', type: 'code_injection', cwe: 'CWE-94', severity: 'critical', arg_positions: [0] },