update tests, updated qldoc and examples, upgrade all libraries to path-problem, update jsonwebtoken source and sinks

2026-04-19 22:14:01 +02:00 · 2023-11-07 08:25:25 +01:00
parent a9c8bc082f
commit 0652afced3
22 changed files with 521 additions and 195 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-347-noVerification/JsonWebToken.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-347-noVerification/JsonWebToken.expected
@@ -0,0 +1,63 @@
+nodes
+| JsonWebToken.js:13:11:13:47 | UserToken |
+| JsonWebToken.js:13:23:13:47 | req.hea ... ization |
+| JsonWebToken.js:13:23:13:47 | req.hea ... ization |
+| JsonWebToken.js:16:28:16:36 | UserToken |
+| JsonWebToken.js:16:28:16:36 | UserToken |
+| JsonWebToken.js:20:11:20:47 | UserToken |
+| JsonWebToken.js:20:23:20:47 | req.hea ... ization |
+| JsonWebToken.js:20:23:20:47 | req.hea ... ization |
+| JsonWebToken.js:23:28:23:36 | UserToken |
+| JsonWebToken.js:23:28:23:36 | UserToken |
+| JsonWebToken.js:24:28:24:36 | UserToken |
+| JsonWebToken.js:24:28:24:36 | UserToken |
+| JsonWebToken.js:28:11:28:47 | UserToken |
+| JsonWebToken.js:28:23:28:47 | req.hea ... ization |
+| JsonWebToken.js:28:23:28:47 | req.hea ... ization |
+| JsonWebToken.js:31:28:31:36 | UserToken |
+| JsonWebToken.js:31:28:31:36 | UserToken |
+| JsonWebToken.js:35:11:35:47 | UserToken |
+| JsonWebToken.js:35:23:35:47 | req.hea ... ization |
+| JsonWebToken.js:35:23:35:47 | req.hea ... ization |
+| JsonWebToken.js:38:28:38:36 | UserToken |
+| JsonWebToken.js:38:28:38:36 | UserToken |
+| JsonWebToken.js:39:28:39:36 | UserToken |
+| JsonWebToken.js:39:28:39:36 | UserToken |
+| JsonWebToken.js:43:11:43:47 | UserToken |
+| JsonWebToken.js:43:23:43:47 | req.hea ... ization |
+| JsonWebToken.js:43:23:43:47 | req.hea ... ization |
+| JsonWebToken.js:46:28:46:36 | UserToken |
+| JsonWebToken.js:46:28:46:36 | UserToken |
+| JsonWebToken.js:47:28:47:36 | UserToken |
+| JsonWebToken.js:47:28:47:36 | UserToken |
+edges
+| JsonWebToken.js:13:11:13:47 | UserToken | JsonWebToken.js:16:28:16:36 | UserToken |
+| JsonWebToken.js:13:11:13:47 | UserToken | JsonWebToken.js:16:28:16:36 | UserToken |
+| JsonWebToken.js:13:23:13:47 | req.hea ... ization | JsonWebToken.js:13:11:13:47 | UserToken |
+| JsonWebToken.js:13:23:13:47 | req.hea ... ization | JsonWebToken.js:13:11:13:47 | UserToken |
+| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:23:28:23:36 | UserToken |
+| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:23:28:23:36 | UserToken |
+| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:24:28:24:36 | UserToken |
+| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:24:28:24:36 | UserToken |
+| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:11:20:47 | UserToken |
+| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:11:20:47 | UserToken |
+| JsonWebToken.js:28:11:28:47 | UserToken | JsonWebToken.js:31:28:31:36 | UserToken |
+| JsonWebToken.js:28:11:28:47 | UserToken | JsonWebToken.js:31:28:31:36 | UserToken |
+| JsonWebToken.js:28:23:28:47 | req.hea ... ization | JsonWebToken.js:28:11:28:47 | UserToken |
+| JsonWebToken.js:28:23:28:47 | req.hea ... ization | JsonWebToken.js:28:11:28:47 | UserToken |
+| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:38:28:38:36 | UserToken |
+| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:38:28:38:36 | UserToken |
+| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:39:28:39:36 | UserToken |
+| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:39:28:39:36 | UserToken |
+| JsonWebToken.js:35:23:35:47 | req.hea ... ization | JsonWebToken.js:35:11:35:47 | UserToken |
+| JsonWebToken.js:35:23:35:47 | req.hea ... ization | JsonWebToken.js:35:11:35:47 | UserToken |
+| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:46:28:46:36 | UserToken |
+| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:46:28:46:36 | UserToken |
+| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:47:28:47:36 | UserToken |
+| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:47:28:47:36 | UserToken |
+| JsonWebToken.js:43:23:43:47 | req.hea ... ization | JsonWebToken.js:43:11:43:47 | UserToken |
+| JsonWebToken.js:43:23:43:47 | req.hea ... ization | JsonWebToken.js:43:11:43:47 | UserToken |
+#select
+| JsonWebToken.js:13:23:13:47 | req.hea ... ization | JsonWebToken.js:13:23:13:47 | req.hea ... ization | JsonWebToken.js:16:28:16:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:16:28:16:36 | UserToken | without signature verification |
+| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:23:28:23:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:23:28:23:36 | UserToken | without signature verification |
+| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:24:28:24:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:24:28:24:36 | UserToken | without signature verification |
--- a/javascript/ql/test/query-tests/Security/CWE-347-noVerification/JsonWebToken.js
+++ b/javascript/ql/test/query-tests/Security/CWE-347-noVerification/JsonWebToken.js
@@ -0,0 +1,52 @@
+const express = require('express')
+const app = express()
+const jwtJsonwebtoken = require('jsonwebtoken');
+const jwt_decode = require('jwt-decode');
+const jwt_simple = require('jwt-simple');
+const jose = require('jose')
+const port = 3000
+
+function getSecret() {
+    return "A Safe generated random key"
+}
+app.get('/jwtJsonwebtoken1', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // BAD: no signature verification
+    jwtJsonwebtoken.decode(UserToken)
+})
+
+app.get('/jwtJsonwebtoken2', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // BAD: no signature verification
+    jwtJsonwebtoken.decode(UserToken)
+    jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256", "none"] })
+})
+
+app.get('/jwtJsonwebtoken3', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // GOOD: with signature verification
+    jwtJsonwebtoken.verify(UserToken, getSecret())
+})
+
+app.get('/jwtJsonwebtoken4', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // GOOD: first without signature verification then with signature verification for same UserToken
+    jwtJsonwebtoken.decode(UserToken)
+    jwtJsonwebtoken.verify(UserToken, getSecret())
+})
+
+app.get('/jwtJsonwebtoken5', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // GOOD: first without signature verification then with signature verification for same UserToken
+    jwtJsonwebtoken.decode(UserToken)
+    jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256"] })
+})
+
+app.listen(port, () => {
+    console.log(`Example app listening on port ${port}`)
+})
--- a/javascript/ql/test/query-tests/Security/CWE-347-noVerification/jwtNoVerification.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-347-noVerification/jwtNoVerification.qlref
--- a/javascript/ql/test/query-tests/Security/CWE-347-noVerification/NoVerification.js
+++ b/javascript/ql/test/query-tests/Security/CWE-347-noVerification/NoVerification.js
@@ -1,84 +0,0 @@
-const express = require('express')
-const app = express()
-const jwtJsonwebtoken = require('jsonwebtoken');
-const { getSecret } = require('./Config.js');
-const jwt_decode = require('jwt-decode');
-const jwt_simple = require('jwt-simple');
-const jose = require('jose')
-const port = 3000
-
-async function startSymmetric(token) {
-    const { payload, protectedHeader } = await jose.jwtVerify(token, new TextEncoder().encode(getSecret()))
-    return {
-        payload, protectedHeader
-    }
-}
-
-app.get('/jose', (req, res) => {
-    const UserToken = req.headers.authorization;
-
-    // jose
-    jose.decodeJwt(UserToken)    // NOT OK: no signature verification
-
-    startSymmetric(UserToken).then(result => console.log(result)) // OK: with signature verification
-
-
-})
-
-
-app.get('/jwtDecode', (req, res) => {
-    const UserToken = req.headers.authorization;
-
-    // jwt-decode
-    jwt_decode(UserToken) // NOT OK: no signature verification
-})
-
-app.get('/jwtSimple', (req, res) => {
-    const UserToken = req.headers.authorization;
-
-    // jwt-simple
-    // jwt.decode(token, key, noVerify, algorithm)
-    jwt_simple.decode(UserToken, getSecret(), true); // NOT OK: no signature verification
-})
-
-app.get('/jwtSimple2', (req, res) => {
-    const UserToken = req.headers.authorization;
-
-    // jwt-simple
-    // jwt.decode(token, key, noVerify, algorithm)
-    jwt_simple.decode(UserToken, getSecret(), false); // OK: with signature verification
-    jwt_simple.decode(UserToken, getSecret()); // OK: with signature verification
-})
-
-app.get('/jwtSimple3', (req, res) => {
-    const UserToken = req.headers.authorization;
-
-    // jwt-simple
-    // jwt.decode(token, key, noVerify, algorithm)
-    jwt_simple.decode(UserToken, getSecret(), true); // OK: verify the signature of same token in next line
-    jwt_simple.decode(UserToken, getSecret()); // OK
-})
-
-app.get('/jwtJsonwebtoken', (req, res) => {
-    const UserToken = req.headers.authorization;
-
-    jwtJsonwebtoken.decode(UserToken) // NOT OK: no signature verification 
-    jwtJsonwebtoken.verify(UserToken, false, { algorithms: ["HS256", "none"] }) // NOT OK: no signature verification
-})
-
-app.get('/jwtJsonwebtoken2', (req, res) => {
-    const UserToken = req.headers.authorization;
-
-    jwtJsonwebtoken.verify(UserToken, getSecret()) // OK: with signature verification
-})
-
-app.get('/jwtJsonwebtoken3', (req, res) => {
-    const UserToken = req.headers.authorization;
-
-    jwtJsonwebtoken.decode(UserToken) // OK: verify the signature of same token in next line
-    jwtJsonwebtoken.verify(UserToken, getSecret()) // OK
-})
-
-app.listen(port, () => {
-    console.log(`Example app listening on port ${port}`)
-})
--- a/javascript/ql/test/query-tests/Security/CWE-347-noVerification/jose.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-347-noVerification/jose.expected
@@ -0,0 +1,35 @@
+nodes
+| jose.js:14:11:14:47 | UserToken |
+| jose.js:14:23:14:47 | req.hea ... ization |
+| jose.js:14:23:14:47 | req.hea ... ization |
+| jose.js:16:20:16:28 | UserToken |
+| jose.js:16:20:16:28 | UserToken |
+| jose.js:21:11:21:47 | UserToken |
+| jose.js:21:23:21:47 | req.hea ... ization |
+| jose.js:21:23:21:47 | req.hea ... ization |
+| jose.js:23:26:23:34 | UserToken |
+| jose.js:23:26:23:34 | UserToken |
+| jose.js:27:11:27:47 | UserToken |
+| jose.js:27:23:27:47 | req.hea ... ization |
+| jose.js:27:23:27:47 | req.hea ... ization |
+| jose.js:29:20:29:28 | UserToken |
+| jose.js:29:20:29:28 | UserToken |
+| jose.js:30:26:30:34 | UserToken |
+| jose.js:30:26:30:34 | UserToken |
+edges
+| jose.js:14:11:14:47 | UserToken | jose.js:16:20:16:28 | UserToken |
+| jose.js:14:11:14:47 | UserToken | jose.js:16:20:16:28 | UserToken |
+| jose.js:14:23:14:47 | req.hea ... ization | jose.js:14:11:14:47 | UserToken |
+| jose.js:14:23:14:47 | req.hea ... ization | jose.js:14:11:14:47 | UserToken |
+| jose.js:21:11:21:47 | UserToken | jose.js:23:26:23:34 | UserToken |
+| jose.js:21:11:21:47 | UserToken | jose.js:23:26:23:34 | UserToken |
+| jose.js:21:23:21:47 | req.hea ... ization | jose.js:21:11:21:47 | UserToken |
+| jose.js:21:23:21:47 | req.hea ... ization | jose.js:21:11:21:47 | UserToken |
+| jose.js:27:11:27:47 | UserToken | jose.js:29:20:29:28 | UserToken |
+| jose.js:27:11:27:47 | UserToken | jose.js:29:20:29:28 | UserToken |
+| jose.js:27:11:27:47 | UserToken | jose.js:30:26:30:34 | UserToken |
+| jose.js:27:11:27:47 | UserToken | jose.js:30:26:30:34 | UserToken |
+| jose.js:27:23:27:47 | req.hea ... ization | jose.js:27:11:27:47 | UserToken |
+| jose.js:27:23:27:47 | req.hea ... ization | jose.js:27:11:27:47 | UserToken |
+#select
+| jose.js:14:23:14:47 | req.hea ... ization | jose.js:14:23:14:47 | req.hea ... ization | jose.js:16:20:16:28 | UserToken | Decoding JWT $@. | jose.js:16:20:16:28 | UserToken | without signature verification |
--- a/javascript/ql/test/query-tests/Security/CWE-347-noVerification/jose.js
+++ b/javascript/ql/test/query-tests/Security/CWE-347-noVerification/jose.js
@@ -0,0 +1,35 @@
+const express = require('express')
+const app = express()
+const jwtJsonwebtoken = require('jsonwebtoken');
+const jwt_decode = require('jwt-decode');
+const jwt_simple = require('jwt-simple');
+const jose = require('jose')
+const port = 3000
+
+function getSecret() {
+    return "A Safe generated random key"
+}
+
+app.get('/jose1', (req, res) => {
+    const UserToken = req.headers.authorization;
+    // BAD: no signature verification
+    jose.decodeJwt(UserToken)
+})
+
+
+app.get('/jose2', async (req, res) => {
+    const UserToken = req.headers.authorization;
+    // GOOD: with signature verification
+    await jose.jwtVerify(UserToken, new TextEncoder().encode(getSecret()))
+})
+
+app.get('/jose3', async (req, res) => {
+    const UserToken = req.headers.authorization;
+    // GOOD: first without signature verification then with signature verification for same UserToken
+    jose.decodeJwt(UserToken)
+    await jose.jwtVerify(UserToken, new TextEncoder().encode(getSecret()))
+})
+
+app.listen(port, () => {
+    console.log(`Example app listening on port ${port}`)
+})
--- a/javascript/ql/test/query-tests/Security/CWE-347-noVerification/jose.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-347-noVerification/jose.qlref
@@ -0,0 +1 @@
+Security/CWE-347-noVerification/jose.ql
--- a/javascript/ql/test/query-tests/Security/CWE-347-noVerification/jwtDecode.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-347-noVerification/jwtDecode.expected
@@ -0,0 +1,13 @@
+nodes
+| jwtDecode.js:14:11:14:47 | UserToken |
+| jwtDecode.js:14:23:14:47 | req.hea ... ization |
+| jwtDecode.js:14:23:14:47 | req.hea ... ization |
+| jwtDecode.js:18:16:18:24 | UserToken |
+| jwtDecode.js:18:16:18:24 | UserToken |
+edges
+| jwtDecode.js:14:11:14:47 | UserToken | jwtDecode.js:18:16:18:24 | UserToken |
+| jwtDecode.js:14:11:14:47 | UserToken | jwtDecode.js:18:16:18:24 | UserToken |
+| jwtDecode.js:14:23:14:47 | req.hea ... ization | jwtDecode.js:14:11:14:47 | UserToken |
+| jwtDecode.js:14:23:14:47 | req.hea ... ization | jwtDecode.js:14:11:14:47 | UserToken |
+#select
+| jwtDecode.js:14:23:14:47 | req.hea ... ization | jwtDecode.js:14:23:14:47 | req.hea ... ization | jwtDecode.js:18:16:18:24 | UserToken | Decoding JWT $@. | jwtDecode.js:18:16:18:24 | UserToken | without signature verification |
--- a/javascript/ql/test/query-tests/Security/CWE-347-noVerification/jwtDecode.js
+++ b/javascript/ql/test/query-tests/Security/CWE-347-noVerification/jwtDecode.js
@@ -0,0 +1,23 @@
+const express = require('express')
+const app = express()
+const jwtJsonwebtoken = require('jsonwebtoken');
+const jwt_decode = require('jwt-decode');
+const jwt_simple = require('jwt-simple');
+const jose = require('jose')
+const port = 3000
+
+function getSecret() {
+    return "A Safe generated random key"
+}
+
+app.get('/jwtDecode', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // jwt-decode
+    // BAD: no signature verification
+    jwt_decode(UserToken)
+})
+
+app.listen(port, () => {
+    console.log(`Example app listening on port ${port}`)
+})
--- a/javascript/ql/test/query-tests/Security/CWE-347-noVerification/jwtDecode.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-347-noVerification/jwtDecode.qlref
@@ -0,0 +1 @@
+Security/CWE-347-noVerification/jwtDecode.ql
--- a/javascript/ql/test/query-tests/Security/CWE-347-noVerification/jwtNoVerification.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-347-noVerification/jwtNoVerification.expected
@@ -1,38 +0,0 @@
-nodes
-| NoVerification.js:63:11:63:47 | UserToken |
-| NoVerification.js:63:23:63:47 | req.hea ... ization |
-| NoVerification.js:63:23:63:47 | req.hea ... ization |
-| NoVerification.js:65:28:65:36 | UserToken |
-| NoVerification.js:65:28:65:36 | UserToken |
-| NoVerification.js:66:28:66:36 | UserToken |
-| NoVerification.js:66:28:66:36 | UserToken |
-| NoVerification.js:70:11:70:47 | UserToken |
-| NoVerification.js:70:23:70:47 | req.hea ... ization |
-| NoVerification.js:70:23:70:47 | req.hea ... ization |
-| NoVerification.js:72:28:72:36 | UserToken |
-| NoVerification.js:72:28:72:36 | UserToken |
-| NoVerification.js:76:11:76:47 | UserToken |
-| NoVerification.js:76:23:76:47 | req.hea ... ization |
-| NoVerification.js:76:23:76:47 | req.hea ... ization |
-| NoVerification.js:78:28:78:36 | UserToken |
-| NoVerification.js:78:28:78:36 | UserToken |
-| NoVerification.js:79:28:79:36 | UserToken |
-| NoVerification.js:79:28:79:36 | UserToken |
-edges
-| NoVerification.js:63:11:63:47 | UserToken | NoVerification.js:65:28:65:36 | UserToken |
-| NoVerification.js:63:11:63:47 | UserToken | NoVerification.js:65:28:65:36 | UserToken |
-| NoVerification.js:63:11:63:47 | UserToken | NoVerification.js:66:28:66:36 | UserToken |
-| NoVerification.js:63:11:63:47 | UserToken | NoVerification.js:66:28:66:36 | UserToken |
-| NoVerification.js:63:23:63:47 | req.hea ... ization | NoVerification.js:63:11:63:47 | UserToken |
-| NoVerification.js:63:23:63:47 | req.hea ... ization | NoVerification.js:63:11:63:47 | UserToken |
-| NoVerification.js:70:11:70:47 | UserToken | NoVerification.js:72:28:72:36 | UserToken |
-| NoVerification.js:70:11:70:47 | UserToken | NoVerification.js:72:28:72:36 | UserToken |
-| NoVerification.js:70:23:70:47 | req.hea ... ization | NoVerification.js:70:11:70:47 | UserToken |
-| NoVerification.js:70:23:70:47 | req.hea ... ization | NoVerification.js:70:11:70:47 | UserToken |
-| NoVerification.js:76:11:76:47 | UserToken | NoVerification.js:78:28:78:36 | UserToken |
-| NoVerification.js:76:11:76:47 | UserToken | NoVerification.js:78:28:78:36 | UserToken |
-| NoVerification.js:76:11:76:47 | UserToken | NoVerification.js:79:28:79:36 | UserToken |
-| NoVerification.js:76:11:76:47 | UserToken | NoVerification.js:79:28:79:36 | UserToken |
-| NoVerification.js:76:23:76:47 | req.hea ... ization | NoVerification.js:76:11:76:47 | UserToken |
-| NoVerification.js:76:23:76:47 | req.hea ... ization | NoVerification.js:76:11:76:47 | UserToken |
-#select
--- a/javascript/ql/test/query-tests/Security/CWE-347-noVerification/jwtSimple.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-347-noVerification/jwtSimple.expected
@@ -0,0 +1,39 @@
+nodes
+| jwtSimple.js:13:11:13:47 | UserToken |
+| jwtSimple.js:13:23:13:47 | req.hea ... ization |
+| jwtSimple.js:13:23:13:47 | req.hea ... ization |
+| jwtSimple.js:18:23:18:31 | UserToken |
+| jwtSimple.js:18:23:18:31 | UserToken |
+| jwtSimple.js:22:11:22:47 | UserToken |
+| jwtSimple.js:22:23:22:47 | req.hea ... ization |
+| jwtSimple.js:22:23:22:47 | req.hea ... ization |
+| jwtSimple.js:27:23:27:31 | UserToken |
+| jwtSimple.js:27:23:27:31 | UserToken |
+| jwtSimple.js:28:23:28:31 | UserToken |
+| jwtSimple.js:28:23:28:31 | UserToken |
+| jwtSimple.js:32:11:32:47 | UserToken |
+| jwtSimple.js:32:23:32:47 | req.hea ... ization |
+| jwtSimple.js:32:23:32:47 | req.hea ... ization |
+| jwtSimple.js:37:23:37:31 | UserToken |
+| jwtSimple.js:37:23:37:31 | UserToken |
+| jwtSimple.js:38:23:38:31 | UserToken |
+| jwtSimple.js:38:23:38:31 | UserToken |
+edges
+| jwtSimple.js:13:11:13:47 | UserToken | jwtSimple.js:18:23:18:31 | UserToken |
+| jwtSimple.js:13:11:13:47 | UserToken | jwtSimple.js:18:23:18:31 | UserToken |
+| jwtSimple.js:13:23:13:47 | req.hea ... ization | jwtSimple.js:13:11:13:47 | UserToken |
+| jwtSimple.js:13:23:13:47 | req.hea ... ization | jwtSimple.js:13:11:13:47 | UserToken |
+| jwtSimple.js:22:11:22:47 | UserToken | jwtSimple.js:27:23:27:31 | UserToken |
+| jwtSimple.js:22:11:22:47 | UserToken | jwtSimple.js:27:23:27:31 | UserToken |
+| jwtSimple.js:22:11:22:47 | UserToken | jwtSimple.js:28:23:28:31 | UserToken |
+| jwtSimple.js:22:11:22:47 | UserToken | jwtSimple.js:28:23:28:31 | UserToken |
+| jwtSimple.js:22:23:22:47 | req.hea ... ization | jwtSimple.js:22:11:22:47 | UserToken |
+| jwtSimple.js:22:23:22:47 | req.hea ... ization | jwtSimple.js:22:11:22:47 | UserToken |
+| jwtSimple.js:32:11:32:47 | UserToken | jwtSimple.js:37:23:37:31 | UserToken |
+| jwtSimple.js:32:11:32:47 | UserToken | jwtSimple.js:37:23:37:31 | UserToken |
+| jwtSimple.js:32:11:32:47 | UserToken | jwtSimple.js:38:23:38:31 | UserToken |
+| jwtSimple.js:32:11:32:47 | UserToken | jwtSimple.js:38:23:38:31 | UserToken |
+| jwtSimple.js:32:23:32:47 | req.hea ... ization | jwtSimple.js:32:11:32:47 | UserToken |
+| jwtSimple.js:32:23:32:47 | req.hea ... ization | jwtSimple.js:32:11:32:47 | UserToken |
+#select
+| jwtSimple.js:13:23:13:47 | req.hea ... ization | jwtSimple.js:13:23:13:47 | req.hea ... ization | jwtSimple.js:18:23:18:31 | UserToken | Decoding JWT $@. | jwtSimple.js:18:23:18:31 | UserToken | without signature verification |
--- a/javascript/ql/test/query-tests/Security/CWE-347-noVerification/jwtSimple.js
+++ b/javascript/ql/test/query-tests/Security/CWE-347-noVerification/jwtSimple.js
@@ -0,0 +1,43 @@
+const express = require('express')
+const app = express()
+const jwtJsonwebtoken = require('jsonwebtoken');
+const jwt_decode = require('jwt-decode');
+const jwt_simple = require('jwt-simple');
+const jose = require('jose')
+const port = 3000
+
+function getSecret() {
+    return "A Safe generated random key"
+}
+app.get('/jwtSimple1', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // jwt-simple
+    // jwt.decode(token, key, noVerify, algorithm)
+    // BAD: no signature verification
+    jwt_simple.decode(UserToken, getSecret(), true);
+})
+
+app.get('/jwtSimple2', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // jwt-simple
+    // jwt.decode(token, key, noVerify, algorithm)
+    // GOOD: with signature verification
+    jwt_simple.decode(UserToken, getSecret(), false);
+    jwt_simple.decode(UserToken, getSecret());
+})
+
+app.get('/jwtSimple3', (req, res) => {
+    const UserToken = req.headers.authorization;
+
+    // jwt-simple
+    // jwt.decode(token, key, noVerify, algorithm)
+    // GOOD: first without signature verification then with signature verification for same UserToken
+    jwt_simple.decode(UserToken, getSecret(), true);
+    jwt_simple.decode(UserToken, getSecret());
+})
+
+app.listen(port, () => {
+    console.log(`Example app listening on port ${port}`)
+})
--- a/javascript/ql/test/query-tests/Security/CWE-347-noVerification/jwtSimple.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-347-noVerification/jwtSimple.qlref
@@ -0,0 +1 @@
+Security/CWE-347-noVerification/jwtSimple.ql
				`@@ -0,0 +1 @@`
				`Security/CWE-347-noVerification/jwtDecode.ql`
				`@@ -0,0 +1 @@`
				`Security/CWE-347-noVerification/jwtSimple.ql`