
Fix graphql vuln module metadata and add GitLab and Ivanti EPM CVE detection modules#1456

Open
Phantom-Fort wants to merge 6 commits intoOWASP:masterfrom
Phantom-Fort:fix/graphql-vuln-metadata

Conversation

@Phantom-Fort

Proposed change

This PR includes one bug fix and two new detection modules, all
discovered during GSoC 2026 codebase review.

  1. Fix: graphql_vuln.yaml

    • description and reference fields were empty, leaving the
      module undocumented with no security context
    • endpoint list contained a garbled path (1239b01720/graphql),
      replaced with four real-world GraphQL endpoint paths:
      graphql, api/graphql, v1/graphql, query
  2. New module: gitlab_cve_2021_39935_vuln.yaml

    • Detects GitLab CE and EE versions 10.5 through 14.5.1
      vulnerable to unauthenticated SSRF via the CI Lint API
    • Two-step detection: version check via /api/v4/version
      then unauthenticated CI Lint API access confirmation
    • CISA KEV confirmed, federal patch deadline February 24 2026
  3. New module: ivanti_epm_cve_2026_1603_vuln.yaml

    • Detects Ivanti EPM versions prior to 2024 SU5 vulnerable
      to authentication bypass via magic number 64 header
    • Accesses EPM credential vault containing Domain Admin
      password hashes without authentication
    • CISA KEV confirmed, federal patch deadline March 23 2026

No linked issue - all three discovered during GSoC 2026 codebase review.

Type of change

  • New core framework functionality
  • Bugfix (non-breaking change which fixes an issue)
  • Code refactoring without any functionality changes
  • New or existing module/payload change
  • Documentation/localization improvement
  • Test coverage improvement
  • Dependency upgrade
  • Other improvement (best practice, cleanup, optimization, etc)

Checklist

  • I've followed the contributing guidelines
  • I have digitally signed all my commits in this PR
  • I've run make pre-commit and confirm it didn't generate any warnings/changes
  • I've run make test, I confirm all tests passed locally
  • I've added/updated any relevant documentation in the docs/ folder
  • I've linked this PR with an open issue
  • I've tested and verified that my code works as intended and resolves the issue as described
  • I have attached screenshots demonstrating my code works as intended
  • I've checked all other open PRs to avoid submitting duplicate work
  • I confirm that the code and comments in this PR are not direct unreviewed outputs of AI
  • I confirm that I am the Sole Responsible Author for every line of code, comment, and design decision

Screenshot 2026-03-27 105002

@coderabbitai

coderabbitai bot commented Mar 27, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between d075174 and 55fc7b5.

📒 Files selected for processing (1)
  • nettacker/modules/vuln/graphql.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • nettacker/modules/vuln/graphql.yaml

Summary by CodeRabbit

  • Improvements
    • Enhanced GraphQL introspection detection with broader endpoint coverage, refined query/response matching, and added reference links.
  • Chores
    • Updated ignore patterns to exclude generated report files.

Walkthrough

Added report.html to .gitignore; added two new Nettacker vulnerability modules (gitlab_cve_2021_39935_vuln, ivanti_epm_cve_2026_1603); and updated the GraphQL vuln module (description, references, endpoints, query, and response matching).

Changes

Ignore rules (/.gitignore): Added report.html to ignore patterns.

New vuln modules (nettacker/modules/vuln/gitlab_cve_2021_39935.yaml, nettacker/modules/vuln/ivanti_epm_cve_2026_1603.yaml): Added two HTTP-based detection modules. The GitLab module checks /api/v4/version for vulnerable versions, then conditionally POSTs to /api/v4/ci/lint; the Ivanti EPM module probes multiple auth-related paths with an X-Ivanti-Magic: 64 header and matches EPM-specific response content.

Updated vuln module (nettacker/modules/vuln/graphql.yaml): Expanded info.description and info.reference; added multiple endpoint candidates (graphql, api/graphql, v1/graphql, query); simplified the introspection json.query; tightened the response regex to target __schema/types patterns.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

new module

Suggested reviewers

  • arkid15r
  • securestep9
🚥 Pre-merge checks: 3 passed
  • Title check: Passed. The title accurately and concisely summarizes the three main changes: fixing the GraphQL module metadata and adding two new CVE detection modules for GitLab and Ivanti EPM.
  • Description check: Passed. The description comprehensively explains all changes in the PR, detailing the GraphQL fix, GitLab module, and Ivanti EPM module with relevant CVE information and deadlines.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 5

🧹 Nitpick comments (1)
.gitignore (1)

34-34: @Phantom-Fort Please keep signed commits enabled for any follow-up pushes.

In OWASP/Nettacker, unsigned commits fail pre-merge checks, so every new commit on this PR should be GPG/SSH signed.

Based on learnings: "When reviewing any pull request in the OWASP/Nettacker repository, always remind the PR author to use signed commits and explicitly state that the PR fails pre-merge checks if any commits are unsigned."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.gitignore at line 34, Ensure all follow-up commits on this PR are GPG/SSH
signed (keep signed commits enabled) because the repository pre-merge checks
reject unsigned commits; for clarity, mention this requirement in your next
commit message and avoid altering files like "report.html" in .gitignore without
signing your push so CI will accept the update.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@nettacker/modules/vuln/gitlab_cve_2021_39935.yaml`:
- Around line 56-58: The version regex in content.regex currently uses
"1[0-3]\\." which incorrectly matches 10.0–10.4; update content.regex in
nettacker/modules/vuln/gitlab_cve_2021_39935.yaml to explicitly match the
vulnerable 10.x range (10.5–10.9 and 10.10–10.13), keep 11.x–13.x, include
14.0–14.4 and the specific 14.5.0/14.5.1 entries, and leave reverse:false
unchanged so the check no longer produces false positives for 10.0–10.4.
- Around line 12-16: In the YAML reference list in
nettacker/modules/vuln/gitlab_cve_2021_39935.yaml (the "reference" entry),
replace the incorrect GitLab release URL
"https://about.gitlab.com/releases/2021/02/11/security-release-gitlab-13-8-4-released/"
with the correct security release URL for CVE-2021-39935:
"https://about.gitlab.com/releases/2021/12/06/security-release-gitlab-14-5-2-released/";
keep the other references intact and ensure the updated URL is added to the
reference list for the CVE entry.
- Around line 28-93: Add a temp-event dependency between the two steps so the
POST (CI Lint) only runs when the GET version check finds a vulnerable version:
in the GET step's response (the first step that checks /api/v4/version) add
save_to_temp_events_only: "gitlab_vuln_check" and in the POST step's response
(the CI lint step that posts to /api/v4/ci/lint) add dependent_on_temp_event:
"gitlab_vuln_check" so the second step is executed only when the first step
produced the named temp event.

In `@nettacker/modules/vuln/graphql.yaml`:
- Around line 54-55: The current regex setting in vuln/graphql.yaml is too
permissive (regex: data|errors) and treats the mere presence of "errors" as a
vuln signal; update the regex under the "regex" key to require a positive
GraphQL introspection indicator (e.g., match "__schema" or "__type" in the
response body or "data.__schema") instead of matching "errors" so only actual
exposed introspection endpoints are flagged; locate the "regex" entry in the
GraphQL module and replace the pattern accordingly to look for "__schema" or
"__type" tokens.

In `@nettacker/modules/vuln/ivanti_epm_cve_2026_1603.yaml`:
- Around line 61-62: The regex in the YAML under the key `content: regex`
incorrectly uses a bare dot in `Endpoint.Manager` which matches any character;
update the pattern to escape the dot (use `Endpoint\.Manager`) so it only
matches the literal string "Endpoint.Manager" while leaving the other
alternations (`Ivanti`, `EPM`, `LanDesk`, `credential`) unchanged.


📥 Commits

Reviewing files that changed from the base of the PR and between 74d89e2 and 87b4ebd.

📒 Files selected for processing (4)
  • .gitignore
  • nettacker/modules/vuln/gitlab_cve_2021_39935.yaml
  • nettacker/modules/vuln/graphql.yaml
  • nettacker/modules/vuln/ivanti_epm_cve_2026_1603.yaml
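
The version-range point in the first inline comment above (a `1[0-3]\.` sub-pattern also accepting 10.0–10.4), worked through as an added example that is not part of the PR or of the Nettacker code base. It compares two module-style regexes, one loose and one spelled out the way the review asks, against a numeric range check on constructed /api/v4/version bodies; the regexes and the sample bodies are constructed for illustration, not copied from the module.

```python
import json
import re

# Vulnerable range stated in the PR and the review: GitLab 10.5 through
# 14.5.1, i.e. every version v with 10.5.0 <= v < 14.5.2.
FIRST_VULNERABLE = (10, 5, 0)
FIRST_FIXED = (14, 5, 2)

# Constructed illustration of the flagged sub-pattern: "1[0-3]\." accepts
# every 10.x release, including the unaffected 10.0-10.4 line.
LOOSE_RE = re.compile(r'"version"\s*:\s*"(?:1[0-3]\.|14\.[0-4]\.|14\.5\.[01](?!\d))')

# The explicit form the review asks for: 10.5-10.9 and 10.10-10.13, then
# 11.x-13.x, 14.0-14.4, and exactly 14.5.0 / 14.5.1 (no digit may follow).
EXPLICIT_RE = re.compile(
    r'"version"\s*:\s*"(?:'
    r'10\.(?:[5-9]|1[0-3])\.\d+'
    r'|1[1-3]\.\d+\.\d+'
    r'|14\.[0-4]\.\d+'
    r'|14\.5\.[01]'
    r')(?!\d)'
)

def version_tuple(version: str) -> tuple:
    """Parse the leading MAJOR.MINOR.PATCH of a GitLab version string."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.groups())

def in_vulnerable_range(version: str) -> bool:
    """Ground truth: numeric comparison against the affected range."""
    return FIRST_VULNERABLE <= version_tuple(version) < FIRST_FIXED

def regex_flags(pattern: re.Pattern, version: str) -> bool:
    """Apply a module-style regex to a constructed /api/v4/version body."""
    body = json.dumps({"version": version, "revision": "0000000"})  # constructed
    return pattern.search(body) is not None

# Boundary versions worth probing: just outside and just inside each edge.
CASES = ["10.0.0", "10.4.9", "10.5.0", "10.13.2", "12.8.0", "13.8.4",
         "14.0.0", "14.4.5", "14.5.0", "14.5.1", "14.5.2", "14.6.0"]

def disagreements(pattern: re.Pattern) -> list:
    """Versions where the regex verdict differs from the numeric range check."""
    return [v for v in CASES if regex_flags(pattern, v) != in_vulnerable_range(v)]

if __name__ == "__main__":
    print("loose   :", disagreements(LOOSE_RE))     # ['10.0.0', '10.4.9']
    print("explicit:", disagreements(EXPLICIT_RE))  # []
```

Any version listed by `disagreements` is either a false positive (needless alert on a patched instance) or a missed vulnerable instance, so the numeric check is the useful oracle when tuning a version regex.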

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
nettacker/modules/vuln/graphql.yaml (1)

53-55: Regex is improved but may still allow false positives.

The change from data|errors to __schema|types.*name addresses the previous review concern about matching errors. However, types.*name is still relatively loose and could match unrelated responses containing those words.

Consider tightening to require both markers appear together, ensuring the response actually contains GraphQL schema data:

Proposed stricter regex
             content:
-              regex: "__schema|types.*name"
+              regex: "__schema.*types|types.*name.*kind"
               reverse: false
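Review bot: the proposed `__schema.*types|types.*name.*kind` does not meet the stated goal of requiring both markers together, because its second alternative is satisfied by `types`, `name` and `kind` alone with no `__schema` anywhere in the body, so an unrelated JSON response containing those three words is still flagged. The quoted single-alternative form `'"__schema"\s*:\s*\{.*"types"'` is the one that actually anchors on the shape of an introspection response; since the module regex is compiled without DOTALL, it should carry an inline `(?s)` prefix so `.*` can span a pretty-printed response.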

Alternatively, for even stricter matching:

              regex: '"__schema"\s*:\s*\{.*"types"'
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@nettacker/modules/vuln/graphql.yaml` around lines 53 - 55, The current
content.regex in the GraphQL probe (the content.regex entry using
"__schema|types.*name") is too loose and may yield false positives; update the
content.regex in graphql.yaml (the content.regex setting) to require the
"__schema" and "types" markers appear together (for example by matching
"__schema" followed by an opening object/brace and then "types", and include
"name" in the same match) so the pattern only matches actual GraphQL schema
responses rather than any response containing those words separately.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@nettacker/modules/vuln/gitlab_cve_2021_39935.yaml`:
- Around line 94-96: The current content.regex value "__schema|types.*name" in
gitlab_cve_2021_39935.yaml (the content.regex field) is a GraphQL pattern and
will never match the GitLab CI Lint API JSON response; update content.regex to
match the CI Lint JSON structure (for example a regex that looks for the status
key like "\"status\"\\s*:\\s*\"valid\"" or a looser "status\\s*:\\s*\"valid\""
pattern) so the module correctly detects a reachable/valid CI Lint endpoint.

In `@nettacker/modules/vuln/graphql.yaml`:
- Around line 44-46: The GraphQL introspection query in graphql.yaml is using
double braces and will be sent literally; update the json.query value to use
valid GraphQL syntax by replacing "{{__schema{{types{{name}}}}}}" with a
single-braced introspection string "{__schema{types{name}}}" so the schema
introspection executes correctly (look for the json -> query entry in
nettacker/modules/vuln/graphql.yaml).



📥 Commits

Reviewing files that changed from the base of the PR and between 87b4ebd and 7ca1fd7.

📒 Files selected for processing (3)
  • nettacker/modules/vuln/gitlab_cve_2021_39935.yaml
  • nettacker/modules/vuln/graphql.yaml
  • nettacker/modules/vuln/ivanti_epm_cve_2026_1603.yaml
✅ Files skipped from review due to trivial changes (1)
  • nettacker/modules/vuln/ivanti_epm_cve_2026_1603.yaml

@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
nettacker/modules/vuln/graphql.yaml (1)

54-55: Consider using (?s) flag for multiline JSON responses.

The regex __schema|types.*name may fail to match when types and name are on separate lines in prettified JSON responses. Per nettacker/core/lib/http.py (lines 50-74), re.compile is called without re.DOTALL, so .* won't match newlines.

Most GraphQL servers return minified JSON (single line), so this likely works in practice, but a dot-all pattern would be more robust.

♻️ Optional: Use inline DOTALL flag
            content:
-              regex: "__schema|types.*name"
+              regex: "(?s)__schema|types.*name"
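Review bot: `(?s)` does cover the pretty-printed case, but it only changes how `.*` behaves in the `types.*name` alternative; the bare `__schema` alternative before the `|` still matches any body that merely echoes the token (the introspection query sent by the module contains it), so the earlier nitpick about requiring both markers to appear together is unchanged by this diff. Prefixing the stricter `'"__schema"\s*:\s*\{.*"types"'` form proposed in the previous review with `(?s)` would address both points in one pattern.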
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@nettacker/modules/vuln/graphql.yaml` around lines 54 - 55, The YAML's regex
value " __schema|types.*name " can fail on prettified JSON because the dot
doesn't match newlines; update the pattern used for GraphQL detection (the regex
field value) to enable dot-all matching (e.g., prepend the inline (?s) flag or
replace .* with [\\s\\S]*) so "types" and "name" can be matched across line
breaks in multiline JSON responses.

📥 Commits

Reviewing files that changed from the base of the PR and between 7ca1fd7 and d075174.

📒 Files selected for processing (2)
  • nettacker/modules/vuln/gitlab_cve_2021_39935.yaml
  • nettacker/modules/vuln/graphql.yaml
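
The content.regex discussion in the two reviews above (the stricter `"__schema"\s*:\s*\{.*"types"` suggestion, and the point that Nettacker compiles module regexes without re.DOTALL so `.*` does not cross line breaks), worked through as an added example that is not part of the PR or of the Nettacker code base. The sample response bodies are constructed for illustration, not captured from any server, and the pattern names are mine.

```python
import json
import re

# Constructed sample bodies (not captured from any server) covering the cases
# the reviews raised: introspection enabled (minified and pretty-printed),
# introspection refused, and unrelated JSON that happens to contain the words.
_ENABLED = {"data": {"__schema": {"types": [{"name": "Query", "kind": "OBJECT"}]}}}
SAMPLES = {
    "enabled_minified": json.dumps(_ENABLED, separators=(",", ":")),
    "enabled_pretty": json.dumps(_ENABLED, indent=2),
    "refused_error": json.dumps({"errors": [{"message":
        "introspection is disabled, but the query contained __schema"}]}),
    "unrelated": json.dumps({"data": {"types": ["a", "b"], "name": "inventory"}}),
}

# The content.regex candidates in the order the reviews iterated over them,
# plus the strict form with and without the inline (?s) flag. Module regexes
# are compiled without re.DOTALL, so only (?s) lets .* cross line breaks.
PATTERNS = {
    "original": r"data|errors",
    "first_revision": r"__schema|types.*name",
    "strict_no_dotall": r'"__schema"\s*:\s*\{.*"types"',
    "strict_dotall": r'(?s)"__schema"\s*:\s*\{.*"types"',
}

def matches(pattern: str, body: str) -> bool:
    """Mirror a module content.regex check: a plain re.search, no flags."""
    return re.search(pattern, body) is not None

def false_positives(pattern: str) -> list:
    """Samples flagged although introspection is not actually exposed."""
    return [name for name, body in SAMPLES.items()
            if matches(pattern, body) and not name.startswith("enabled")]

def false_negatives(pattern: str) -> list:
    """Exposed-introspection samples the pattern fails to flag."""
    return [name for name, body in SAMPLES.items()
            if not matches(pattern, body) and name.startswith("enabled")]

if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f"{name:17} FP={false_positives(pattern)} FN={false_negatives(pattern)}")
```

Only the `(?s)`-prefixed strict pattern flags both enabled bodies and neither of the others; the `__schema|types.*name` revision still fires on the refusal message and on the unrelated body.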
