circle-ir@3.35.0 — Jenkins Groovy sandbox sink coverage (#17)

@openmason openmason released this 12 Jun 00:29

Highlights

Closes #17 (CVE-2023-24422). Broadens default code_injection sink coverage for the Jenkins Groovy sandbox dispatch surface from a single method (SandboxInterceptor.onNewInstance) to the full dispatch API — 16 new sink entries.

Added

  • SandboxInterceptor (9 methods, all code_injection / CWE-94 / critical): onMethodCall, onStaticCall, onGetProperty, onSetProperty, onGetAttribute, onSetAttribute, onMethodPointer, onSuperCall, onSuperConstructor.
  • GroovyInterceptor (parent class — 5 methods): onMethodCall, onNewInstance, onStaticCall, onGetProperty, onSetProperty. Plugins extending the parent class directly were previously uncovered.
  • SandboxTransformer.call — AST transformer (CVE bypasses typically target this rewriting step).
  • GroovySandbox.runInSandbox — Jenkins outer wrapper (replaces the previous GroovySandbox.sandbox entry, which named a method that does not exist).
  • All entries mirrored in both src/analysis/config-loader.ts (DEFAULT_SINKS) and configs/sinks/code_injection.yaml.
  • 9 regression tests covering each new dispatch hook, parent-class entries, AST transformer, outer wrapper, property/attribute batch, a negative control, and an end-to-end CVE-2023-24422 shape with HTTP param + header sources.

Notes

The reporter's original "modeled as sanitizer" premise was incorrect on verification — SANITIZER_METHODS contains zero interceptor entries. The real defect was a registry split: getDefaultConfig() only reads the embedded DEFAULT_SINKS array, so the YAML-only entries for onMethodCall/onStaticCall were dead-letter (present in configs/sinks/code_injection.yaml but never loaded). This release closes that split for the Jenkins Groovy surface rather than landing a one-off CVE patch.
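The registry split described above, as an added example that is not circle-ir's own code: a constructed embedded array and a constructed YAML fragment, the pre-fix getDefaultConfig() behaviour, and a drift check that reports YAML-only sinks so the two registries cannot silently diverge again. The SinkEntry shape, its field names and the YAML layout are assumptions.

```typescript
// Added example, not circle-ir's code: models the registry split described in the Notes.
// The SinkEntry shape, the field names and the YAML layout are assumptions.
type SinkEntry = { cls: string; method: string; cwe: string };

// Constructed stand-in for the embedded DEFAULT_SINKS array before 3.35.0 (one Jenkins entry).
const DEFAULT_SINKS: SinkEntry[] = [
  { cls: "SandboxInterceptor", method: "onNewInstance", cwe: "CWE-94" },
];

// Constructed stand-in for configs/sinks/code_injection.yaml holding the two YAML-only entries.
const CODE_INJECTION_YAML = `
- cls: SandboxInterceptor
  method: onNewInstance
  cwe: CWE-94
- cls: SandboxInterceptor
  method: onMethodCall
  cwe: CWE-94
- cls: SandboxInterceptor
  method: onStaticCall
  cwe: CWE-94
`;

// Minimal reader for the flat "- key: value" list above; deliberately not a general YAML parser.
function parseSinkYaml(text: string): SinkEntry[] {
  const entries: Record<string, string>[] = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    if (line.startsWith("- ")) entries.push({});
    const body = line.startsWith("- ") ? line.slice(2) : line;
    const idx = body.indexOf(":");
    const cur = entries[entries.length - 1];
    if (idx > 0 && cur) cur[body.slice(0, idx).trim()] = body.slice(idx + 1).trim();
  }
  return entries as unknown as SinkEntry[];
}

const sinkKey = (s: SinkEntry): string => `${s.cls}.${s.method}`;

// Pre-fix behaviour as described: only the embedded array is read, so YAML-only entries never load.
function getDefaultConfig(): SinkEntry[] {
  return DEFAULT_SINKS;
}

// Drift check: YAML sink entries with no embedded counterpart are the dead-letter ones.
// A regression test asserting this returns [] keeps the two registries mirrored.
function deadLetterSinks(yaml: string = CODE_INJECTION_YAML): string[] {
  const embedded = new Set(getDefaultConfig().map(sinkKey));
  return parseSinkYaml(yaml).map(sinkKey).filter((k) => !embedded.has(k));
}
```

Against the constructed data the check returns the two Jenkins entries the Notes name; once DEFAULT_SINKS mirrors the YAML file it returns an empty list.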

Tests

  • 1904 / 1904 pass (1895 baseline + 9 new)

Install

npm install circle-ir@3.35.0