Merge pull request #3751 from toufik-airane/master

[javascript] CWE-347: JWT Missing Secret Or Public Key Verification

javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.help

@@ -0,0 +1,30 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd"> <qhelp>
+
+<overview>
+<p>Applications decoding JSON Web Token (JWT) may be misconfigured due to the none algorithm.</p>
+<p>The none algorithm is selected by calling the <code>verify()</code> function with a falsy value
+instead of a cryptographic secret or key. The none algorithm disables the integrity enforcement of
+a JWT payload and may allow a malicious actor to make any desired changes to a JWT payload leading
+to critical security issues like privilege escalation.</p>
+
+</overview>
+
+<recommendation>
+<p>Call to <code>verify()</code> functions should use a cryptographic secret or key to decode JWT payloads.</p>
+
+</recommendation>
+
+<example>
+<p>In the example, the first case is signing an object with a secret and a HS256 algorithm. In the
+second case, an empty string is provided, then an undefined value, and finally a false value. These
+three misconfigured calls to <code>jwt.verify()</code> can cause vulnerabilities.</p>
+
+<sample src="examples/JWTMissingSecretOrPublicKeyVerification.js" />
+
+</example>
+
+<references>
+<li>Auth0 Blog: <a href="https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/#Meet-the--None--Algorithm">Meet the "None" Algorithm</a>.</li>
+
+</references>
+</qhelp>

javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.ql

@@ -0,0 +1,21 @@
+/**
+ * @name JWT missing secret or public key verification
+ * @description The application does not verify the JWT payload with a cryptographic secret or public key.
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @id js/jwt-missing-verification
+ * @tags security
+ *       external/cwe/cwe-347
+ */
+
+import javascript
+import DataFlow
+import semmle.javascript.RestrictedLocations
+
+from CallNode call
+where
+  call = moduleMember("jsonwebtoken", "verify").getACall() and
+  unique(boolean b | b = call.getArgument(1).analyze().getABooleanValue()) = false
+select call.asExpr().(FirstLineOf),
+  "does not verify the JWT payload with a cryptographic secret or public key."

javascript/ql/src/experimental/Security/CWE-347/examples/JWTMissingSecretOrPublicKeyVerification.js

@@ -0,0 +1,11 @@
+const jwt = require("jsonwebtoken");
+
+const secret = "buybtc";
+// #1
+var token = jwt.sign({ foo: 'bar' }, secret, { algorithm: "HS256" }) // alg:HS256
+jwt.verify(token, secret, { algorithms: ["HS256", "none"] }) // pass
+// #2
+var token = jwt.sign({ foo: 'bar' }, secret, { algorithm: "none" }) // alg:none (unsafe)
+jwt.verify(token, "", { algorithms: ["HS256", "none"] }) // detected
+jwt.verify(token, undefined, { algorithms: ["HS256", "none"] }) // detected
+jwt.verify(token, false, { algorithms: ["HS256", "none"] }) // detected