hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 02:35:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

update tests, add test cases for query with local sources

Browse Source
This commit is contained in:
am0o0
2024-05-25 18:17:56 +02:00
parent 8fde8c2db4
commit 14daf58767
18 changed files with 276 additions and 212 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql
View File

@@ -18,12 +18,7 @@ class Configuration extends TaintTracking::Configuration {
Configuration() { this = "jsonwebtoken without any signature verification" }
override predicate isSource(DataFlow::Node source) {
source =
API::moduleImport("jsonwebtoken")
.getMember("decode")
.getParameter(0)
.asSink()
.getALocalSource()
source = [unverifiedDecode(), verifiedDecode()].getALocalSource()
}
override predicate isSink(DataFlow::Node sink) {

59
javascript/ql/test/experimental/Security/CWE-347/JsonWebToken.js
View File

@@ -13,40 +13,83 @@ app.get('/jwtJsonwebtoken1', (req, res) => {
const UserToken = req.headers.authorization;
// BAD: no signature verification
jwtJsonwebtoken.decode(UserToken)
jwtJsonwebtoken.decode(UserToken) // NOT OK
})
app.get('/jwtJsonwebtoken2', (req, res) => {
const UserToken = req.headers.authorization;
// BAD: no signature verification
jwtJsonwebtoken.decode(UserToken)
jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256", "none"] })
jwtJsonwebtoken.decode(UserToken) // NOT OK
jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256", "none"] }) // NOT OK
})
app.get('/jwtJsonwebtoken3', (req, res) => {
const UserToken = req.headers.authorization;
// GOOD: with signature verification
jwtJsonwebtoken.verify(UserToken, getSecret())
jwtJsonwebtoken.verify(UserToken, getSecret()) // OK
})
app.get('/jwtJsonwebtoken4', (req, res) => {
const UserToken = req.headers.authorization;
// GOOD: first without signature verification then with signature verification for same UserToken
jwtJsonwebtoken.decode(UserToken)
jwtJsonwebtoken.verify(UserToken, getSecret())
jwtJsonwebtoken.decode(UserToken) // OK
jwtJsonwebtoken.verify(UserToken, getSecret()) // OK
})
app.get('/jwtJsonwebtoken5', (req, res) => {
const UserToken = req.headers.authorization;
// GOOD: first without signature verification then with signature verification for same UserToken
jwtJsonwebtoken.decode(UserToken)
jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256"] })
jwtJsonwebtoken.decode(UserToken) // OK
jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256"] }) // OK
})
app.listen(port, () => {
console.log(`Example app listening on port ${port}`)
})
function aJWT() {
return "A JWT provided by user"
}
(function () {
const UserToken = aJwt()
// BAD: no signature verification
jwtJsonwebtoken.decode(UserToken) // NOT OK
})();
(function () {
const UserToken = aJwt()
// BAD: no signature verification
jwtJsonwebtoken.decode(UserToken) // NOT OK
jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256", "none"] }) // NOT OK
})();
(function () {
const UserToken = aJwt()
// GOOD: with signature verification
jwtJsonwebtoken.verify(UserToken, getSecret()) // OK
})();
(function () {
const UserToken = aJwt()
// GOOD: first without signature verification then with signature verification for same UserToken
jwtJsonwebtoken.decode(UserToken) // OK
jwtJsonwebtoken.verify(UserToken, getSecret()) // OK
})();
(function () {
const UserToken = aJwt()
// GOOD: first without signature verification then with signature verification for same UserToken
jwtJsonwebtoken.decode(UserToken) // OK
jwtJsonwebtoken.verify(UserToken, getSecret(), { algorithms: ["HS256"] }) // OK
})();

1
javascript/ql/test/experimental/Security/CWE-347/JsonWebToken.qlref
View File

@@ -1 +0,0 @@
experimental/Security/CWE-347-noVerification/JsonWebToken.ql

75
javascript/ql/test/experimental/Security/CWE-347/JsonWebTokenNotWorking.expected
View File

@@ -1,75 +0,0 @@
nodes
| JsonWebToken.js:13:11:13:47 | UserToken |
| JsonWebToken.js:13:23:13:47 | req.hea ... ization |
| JsonWebToken.js:13:23:13:47 | req.hea ... ization |
| JsonWebToken.js:16:28:16:36 | UserToken |
| JsonWebToken.js:16:28:16:36 | UserToken |
| JsonWebToken.js:20:11:20:47 | UserToken |
| JsonWebToken.js:20:23:20:47 | req.hea ... ization |
| JsonWebToken.js:20:23:20:47 | req.hea ... ization |
| JsonWebToken.js:23:28:23:36 | UserToken |
| JsonWebToken.js:23:28:23:36 | UserToken |
| JsonWebToken.js:24:28:24:36 | UserToken |
| JsonWebToken.js:24:28:24:36 | UserToken |
| JsonWebToken.js:28:11:28:47 | UserToken |
| JsonWebToken.js:28:23:28:47 | req.hea ... ization |
| JsonWebToken.js:28:23:28:47 | req.hea ... ization |
| JsonWebToken.js:31:28:31:36 | UserToken |
| JsonWebToken.js:31:28:31:36 | UserToken |
| JsonWebToken.js:35:11:35:47 | UserToken |
| JsonWebToken.js:35:11:35:47 | UserToken |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization |
| JsonWebToken.js:38:28:38:36 | UserToken |
| JsonWebToken.js:38:28:38:36 | UserToken |
| JsonWebToken.js:39:28:39:36 | UserToken |
| JsonWebToken.js:39:28:39:36 | UserToken |
| JsonWebToken.js:43:11:43:47 | UserToken |
| JsonWebToken.js:43:11:43:47 | UserToken |
| JsonWebToken.js:43:23:43:47 | req.hea ... ization |
| JsonWebToken.js:43:23:43:47 | req.hea ... ization |
| JsonWebToken.js:43:23:43:47 | req.hea ... ization |
| JsonWebToken.js:43:23:43:47 | req.hea ... ization |
| JsonWebToken.js:46:28:46:36 | UserToken |
| JsonWebToken.js:46:28:46:36 | UserToken |
| JsonWebToken.js:47:28:47:36 | UserToken |
| JsonWebToken.js:47:28:47:36 | UserToken |
edges
| JsonWebToken.js:13:11:13:47 | UserToken | JsonWebToken.js:16:28:16:36 | UserToken |
| JsonWebToken.js:13:11:13:47 | UserToken | JsonWebToken.js:16:28:16:36 | UserToken |
| JsonWebToken.js:13:23:13:47 | req.hea ... ization | JsonWebToken.js:13:11:13:47 | UserToken |
| JsonWebToken.js:13:23:13:47 | req.hea ... ization | JsonWebToken.js:13:11:13:47 | UserToken |
| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:23:28:23:36 | UserToken |
| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:23:28:23:36 | UserToken |
| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:24:28:24:36 | UserToken |
| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:24:28:24:36 | UserToken |
| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:11:20:47 | UserToken |
| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:11:20:47 | UserToken |
| JsonWebToken.js:28:11:28:47 | UserToken | JsonWebToken.js:31:28:31:36 | UserToken |
| JsonWebToken.js:28:11:28:47 | UserToken | JsonWebToken.js:31:28:31:36 | UserToken |
| JsonWebToken.js:28:23:28:47 | req.hea ... ization | JsonWebToken.js:28:11:28:47 | UserToken |
| JsonWebToken.js:28:23:28:47 | req.hea ... ization | JsonWebToken.js:28:11:28:47 | UserToken |
| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:38:28:38:36 | UserToken |
| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:38:28:38:36 | UserToken |
| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:39:28:39:36 | UserToken |
| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:39:28:39:36 | UserToken |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization | JsonWebToken.js:35:11:35:47 | UserToken |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization | JsonWebToken.js:35:11:35:47 | UserToken |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization | JsonWebToken.js:35:11:35:47 | UserToken |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization | JsonWebToken.js:35:11:35:47 | UserToken |
| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:46:28:46:36 | UserToken |
| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:46:28:46:36 | UserToken |
| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:47:28:47:36 | UserToken |
| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:47:28:47:36 | UserToken |
| JsonWebToken.js:43:23:43:47 | req.hea ... ization | JsonWebToken.js:43:11:43:47 | UserToken |
| JsonWebToken.js:43:23:43:47 | req.hea ... ization | JsonWebToken.js:43:11:43:47 | UserToken |
| JsonWebToken.js:43:23:43:47 | req.hea ... ization | JsonWebToken.js:43:11:43:47 | UserToken |
| JsonWebToken.js:43:23:43:47 | req.hea ... ization | JsonWebToken.js:43:11:43:47 | UserToken |
#select
| JsonWebToken.js:13:23:13:47 | req.hea ... ization | JsonWebToken.js:13:23:13:47 | req.hea ... ization | JsonWebToken.js:16:28:16:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:16:28:16:36 | UserToken | without signature verification |
| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:23:28:23:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:23:28:23:36 | UserToken | without signature verification |
| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:24:28:24:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:24:28:24:36 | UserToken | without signature verification |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization | JsonWebToken.js:35:23:35:47 | req.hea ... ization | JsonWebToken.js:38:28:38:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:38:28:38:36 | UserToken | without signature verification |
| JsonWebToken.js:43:23:43:47 | req.hea ... ization | JsonWebToken.js:43:23:43:47 | req.hea ... ization | JsonWebToken.js:46:28:46:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:46:28:46:36 | UserToken | without signature verification |

1
javascript/ql/test/experimental/Security/CWE-347/JsonWebTokenNotWorking.qlref
View File

@@ -1 +0,0 @@
experimental/Security/CWE-347-noVerification/JsonWebTokenNotWorking.ql

141
javascript/ql/test/experimental/Security/CWE-347/decodeJwtWithoutVerification.expected Normal file
View File

@@ -0,0 +1,141 @@
nodes
| JsonWebToken.js:13:11:13:47 | UserToken |
| JsonWebToken.js:13:23:13:47 | req.hea ... ization |
| JsonWebToken.js:13:23:13:47 | req.hea ... ization |
| JsonWebToken.js:16:28:16:36 | UserToken |
| JsonWebToken.js:16:28:16:36 | UserToken |
| JsonWebToken.js:20:11:20:47 | UserToken |
| JsonWebToken.js:20:23:20:47 | req.hea ... ization |
| JsonWebToken.js:20:23:20:47 | req.hea ... ization |
| JsonWebToken.js:23:28:23:36 | UserToken |
| JsonWebToken.js:23:28:23:36 | UserToken |
| JsonWebToken.js:24:28:24:36 | UserToken |
| JsonWebToken.js:24:28:24:36 | UserToken |
| JsonWebToken.js:28:11:28:47 | UserToken |
| JsonWebToken.js:28:23:28:47 | req.hea ... ization |
| JsonWebToken.js:28:23:28:47 | req.hea ... ization |
| JsonWebToken.js:31:28:31:36 | UserToken |
| JsonWebToken.js:31:28:31:36 | UserToken |
| JsonWebToken.js:35:11:35:47 | UserToken |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization |
| JsonWebToken.js:38:28:38:36 | UserToken |
| JsonWebToken.js:38:28:38:36 | UserToken |
| JsonWebToken.js:39:28:39:36 | UserToken |
| JsonWebToken.js:39:28:39:36 | UserToken |
| JsonWebToken.js:43:11:43:47 | UserToken |
| JsonWebToken.js:43:23:43:47 | req.hea ... ization |
| JsonWebToken.js:43:23:43:47 | req.hea ... ization |
| JsonWebToken.js:46:28:46:36 | UserToken |
| JsonWebToken.js:46:28:46:36 | UserToken |
| JsonWebToken.js:47:28:47:36 | UserToken |
| JsonWebToken.js:47:28:47:36 | UserToken |
| jose.js:14:11:14:47 | UserToken |
| jose.js:14:23:14:47 | req.hea ... ization |
| jose.js:14:23:14:47 | req.hea ... ization |
| jose.js:16:20:16:28 | UserToken |
| jose.js:16:20:16:28 | UserToken |
| jose.js:21:11:21:47 | UserToken |
| jose.js:21:23:21:47 | req.hea ... ization |
| jose.js:21:23:21:47 | req.hea ... ization |
| jose.js:23:26:23:34 | UserToken |
| jose.js:23:26:23:34 | UserToken |
| jose.js:27:11:27:47 | UserToken |
| jose.js:27:23:27:47 | req.hea ... ization |
| jose.js:27:23:27:47 | req.hea ... ization |
| jose.js:29:20:29:28 | UserToken |
| jose.js:29:20:29:28 | UserToken |
| jose.js:30:26:30:34 | UserToken |
| jose.js:30:26:30:34 | UserToken |
| jwtDecode.js:14:11:14:47 | UserToken |
| jwtDecode.js:14:23:14:47 | req.hea ... ization |
| jwtDecode.js:14:23:14:47 | req.hea ... ization |
| jwtDecode.js:18:16:18:24 | UserToken |
| jwtDecode.js:18:16:18:24 | UserToken |
| jwtSimple.js:13:11:13:47 | UserToken |
| jwtSimple.js:13:23:13:47 | req.hea ... ization |
| jwtSimple.js:13:23:13:47 | req.hea ... ization |
| jwtSimple.js:18:23:18:31 | UserToken |
| jwtSimple.js:18:23:18:31 | UserToken |
| jwtSimple.js:22:11:22:47 | UserToken |
| jwtSimple.js:22:23:22:47 | req.hea ... ization |
| jwtSimple.js:22:23:22:47 | req.hea ... ization |
| jwtSimple.js:27:23:27:31 | UserToken |
| jwtSimple.js:27:23:27:31 | UserToken |
| jwtSimple.js:28:23:28:31 | UserToken |
| jwtSimple.js:28:23:28:31 | UserToken |
| jwtSimple.js:32:11:32:47 | UserToken |
| jwtSimple.js:32:23:32:47 | req.hea ... ization |
| jwtSimple.js:32:23:32:47 | req.hea ... ization |
| jwtSimple.js:37:23:37:31 | UserToken |
| jwtSimple.js:37:23:37:31 | UserToken |
| jwtSimple.js:38:23:38:31 | UserToken |
| jwtSimple.js:38:23:38:31 | UserToken |
edges
| JsonWebToken.js:13:11:13:47 | UserToken | JsonWebToken.js:16:28:16:36 | UserToken |
| JsonWebToken.js:13:11:13:47 | UserToken | JsonWebToken.js:16:28:16:36 | UserToken |
| JsonWebToken.js:13:23:13:47 | req.hea ... ization | JsonWebToken.js:13:11:13:47 | UserToken |
| JsonWebToken.js:13:23:13:47 | req.hea ... ization | JsonWebToken.js:13:11:13:47 | UserToken |
| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:23:28:23:36 | UserToken |
| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:23:28:23:36 | UserToken |
| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:24:28:24:36 | UserToken |
| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:24:28:24:36 | UserToken |
| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:11:20:47 | UserToken |
| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:11:20:47 | UserToken |
| JsonWebToken.js:28:11:28:47 | UserToken | JsonWebToken.js:31:28:31:36 | UserToken |
| JsonWebToken.js:28:11:28:47 | UserToken | JsonWebToken.js:31:28:31:36 | UserToken |
| JsonWebToken.js:28:23:28:47 | req.hea ... ization | JsonWebToken.js:28:11:28:47 | UserToken |
| JsonWebToken.js:28:23:28:47 | req.hea ... ization | JsonWebToken.js:28:11:28:47 | UserToken |
| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:38:28:38:36 | UserToken |
| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:38:28:38:36 | UserToken |
| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:39:28:39:36 | UserToken |
| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:39:28:39:36 | UserToken |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization | JsonWebToken.js:35:11:35:47 | UserToken |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization | JsonWebToken.js:35:11:35:47 | UserToken |
| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:46:28:46:36 | UserToken |
| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:46:28:46:36 | UserToken |
| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:47:28:47:36 | UserToken |
| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:47:28:47:36 | UserToken |
| JsonWebToken.js:43:23:43:47 | req.hea ... ization | JsonWebToken.js:43:11:43:47 | UserToken |
| JsonWebToken.js:43:23:43:47 | req.hea ... ization | JsonWebToken.js:43:11:43:47 | UserToken |
| jose.js:14:11:14:47 | UserToken | jose.js:16:20:16:28 | UserToken |
| jose.js:14:11:14:47 | UserToken | jose.js:16:20:16:28 | UserToken |
| jose.js:14:23:14:47 | req.hea ... ization | jose.js:14:11:14:47 | UserToken |
| jose.js:14:23:14:47 | req.hea ... ization | jose.js:14:11:14:47 | UserToken |
| jose.js:21:11:21:47 | UserToken | jose.js:23:26:23:34 | UserToken |
| jose.js:21:11:21:47 | UserToken | jose.js:23:26:23:34 | UserToken |
| jose.js:21:23:21:47 | req.hea ... ization | jose.js:21:11:21:47 | UserToken |
| jose.js:21:23:21:47 | req.hea ... ization | jose.js:21:11:21:47 | UserToken |
| jose.js:27:11:27:47 | UserToken | jose.js:29:20:29:28 | UserToken |
| jose.js:27:11:27:47 | UserToken | jose.js:29:20:29:28 | UserToken |
| jose.js:27:11:27:47 | UserToken | jose.js:30:26:30:34 | UserToken |
| jose.js:27:11:27:47 | UserToken | jose.js:30:26:30:34 | UserToken |
| jose.js:27:23:27:47 | req.hea ... ization | jose.js:27:11:27:47 | UserToken |
| jose.js:27:23:27:47 | req.hea ... ization | jose.js:27:11:27:47 | UserToken |
| jwtDecode.js:14:11:14:47 | UserToken | jwtDecode.js:18:16:18:24 | UserToken |
| jwtDecode.js:14:11:14:47 | UserToken | jwtDecode.js:18:16:18:24 | UserToken |
| jwtDecode.js:14:23:14:47 | req.hea ... ization | jwtDecode.js:14:11:14:47 | UserToken |
| jwtDecode.js:14:23:14:47 | req.hea ... ization | jwtDecode.js:14:11:14:47 | UserToken |
| jwtSimple.js:13:11:13:47 | UserToken | jwtSimple.js:18:23:18:31 | UserToken |
| jwtSimple.js:13:11:13:47 | UserToken | jwtSimple.js:18:23:18:31 | UserToken |
| jwtSimple.js:13:23:13:47 | req.hea ... ization | jwtSimple.js:13:11:13:47 | UserToken |
| jwtSimple.js:13:23:13:47 | req.hea ... ization | jwtSimple.js:13:11:13:47 | UserToken |
| jwtSimple.js:22:11:22:47 | UserToken | jwtSimple.js:27:23:27:31 | UserToken |
| jwtSimple.js:22:11:22:47 | UserToken | jwtSimple.js:27:23:27:31 | UserToken |
| jwtSimple.js:22:11:22:47 | UserToken | jwtSimple.js:28:23:28:31 | UserToken |
| jwtSimple.js:22:11:22:47 | UserToken | jwtSimple.js:28:23:28:31 | UserToken |
| jwtSimple.js:22:23:22:47 | req.hea ... ization | jwtSimple.js:22:11:22:47 | UserToken |
| jwtSimple.js:22:23:22:47 | req.hea ... ization | jwtSimple.js:22:11:22:47 | UserToken |
| jwtSimple.js:32:11:32:47 | UserToken | jwtSimple.js:37:23:37:31 | UserToken |
| jwtSimple.js:32:11:32:47 | UserToken | jwtSimple.js:37:23:37:31 | UserToken |
| jwtSimple.js:32:11:32:47 | UserToken | jwtSimple.js:38:23:38:31 | UserToken |
| jwtSimple.js:32:11:32:47 | UserToken | jwtSimple.js:38:23:38:31 | UserToken |
| jwtSimple.js:32:23:32:47 | req.hea ... ization | jwtSimple.js:32:11:32:47 | UserToken |
| jwtSimple.js:32:23:32:47 | req.hea ... ization | jwtSimple.js:32:11:32:47 | UserToken |
#select
| JsonWebToken.js:13:23:13:47 | req.hea ... ization | JsonWebToken.js:13:23:13:47 | req.hea ... ization | JsonWebToken.js:16:28:16:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:16:28:16:36 | UserToken | without signature verification |
| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:23:28:23:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:23:28:23:36 | UserToken | without signature verification |
| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:24:28:24:36 | UserToken | Decoding JWT $@. | JsonWebToken.js:24:28:24:36 | UserToken | without signature verification |
| jose.js:14:23:14:47 | req.hea ... ization | jose.js:14:23:14:47 | req.hea ... ization | jose.js:16:20:16:28 | UserToken | Decoding JWT $@. | jose.js:16:20:16:28 | UserToken | without signature verification |
| jwtDecode.js:14:23:14:47 | req.hea ... ization | jwtDecode.js:14:23:14:47 | req.hea ... ization | jwtDecode.js:18:16:18:24 | UserToken | Decoding JWT $@. | jwtDecode.js:18:16:18:24 | UserToken | without signature verification |
| jwtSimple.js:13:23:13:47 | req.hea ... ization | jwtSimple.js:13:23:13:47 | req.hea ... ization | jwtSimple.js:18:23:18:31 | UserToken | Decoding JWT $@. | jwtSimple.js:18:23:18:31 | UserToken | without signature verification |

1
javascript/ql/test/experimental/Security/CWE-347/decodeJwtWithoutVerification.qlref Normal file
View File

@@ -0,0 +1 @@
experimental/Security/CWE-347/decodeJwtWithoutVerification.ql

9
javascript/ql/test/experimental/Security/CWE-347/JsonWebToken.expected → javascript/ql/test/experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.expected
View File

@@ -11,11 +11,6 @@ nodes
| JsonWebToken.js:23:28:23:36 | UserToken |
| JsonWebToken.js:24:28:24:36 | UserToken |
| JsonWebToken.js:24:28:24:36 | UserToken |
| JsonWebToken.js:28:11:28:47 | UserToken |
| JsonWebToken.js:28:23:28:47 | req.hea ... ization |
| JsonWebToken.js:28:23:28:47 | req.hea ... ization |
| JsonWebToken.js:31:28:31:36 | UserToken |
| JsonWebToken.js:31:28:31:36 | UserToken |
| JsonWebToken.js:35:11:35:47 | UserToken |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization |
| JsonWebToken.js:35:23:35:47 | req.hea ... ization |
@@ -41,10 +36,6 @@ edges
| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:24:28:24:36 | UserToken |
| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:11:20:47 | UserToken |
| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:11:20:47 | UserToken |
| JsonWebToken.js:28:11:28:47 | UserToken | JsonWebToken.js:31:28:31:36 | UserToken |
| JsonWebToken.js:28:11:28:47 | UserToken | JsonWebToken.js:31:28:31:36 | UserToken |
| JsonWebToken.js:28:23:28:47 | req.hea ... ization | JsonWebToken.js:28:11:28:47 | UserToken |
| JsonWebToken.js:28:23:28:47 | req.hea ... ization | JsonWebToken.js:28:11:28:47 | UserToken |
| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:38:28:38:36 | UserToken |
| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:38:28:38:36 | UserToken |
| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:39:28:39:36 | UserToken |

1
javascript/ql/test/experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.qlref Normal file
View File

@@ -0,0 +1 @@
experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql

35
javascript/ql/test/experimental/Security/CWE-347/jose.expected
View File

@@ -1,35 +0,0 @@
nodes
| jose.js:14:11:14:47 | UserToken |
| jose.js:14:23:14:47 | req.hea ... ization |
| jose.js:14:23:14:47 | req.hea ... ization |
| jose.js:16:20:16:28 | UserToken |
| jose.js:16:20:16:28 | UserToken |
| jose.js:21:11:21:47 | UserToken |
| jose.js:21:23:21:47 | req.hea ... ization |
| jose.js:21:23:21:47 | req.hea ... ization |
| jose.js:23:26:23:34 | UserToken |
| jose.js:23:26:23:34 | UserToken |
| jose.js:27:11:27:47 | UserToken |
| jose.js:27:23:27:47 | req.hea ... ization |
| jose.js:27:23:27:47 | req.hea ... ization |
| jose.js:29:20:29:28 | UserToken |
| jose.js:29:20:29:28 | UserToken |
| jose.js:30:26:30:34 | UserToken |
| jose.js:30:26:30:34 | UserToken |
edges
| jose.js:14:11:14:47 | UserToken | jose.js:16:20:16:28 | UserToken |
| jose.js:14:11:14:47 | UserToken | jose.js:16:20:16:28 | UserToken |
| jose.js:14:23:14:47 | req.hea ... ization | jose.js:14:11:14:47 | UserToken |
| jose.js:14:23:14:47 | req.hea ... ization | jose.js:14:11:14:47 | UserToken |
| jose.js:21:11:21:47 | UserToken | jose.js:23:26:23:34 | UserToken |
| jose.js:21:11:21:47 | UserToken | jose.js:23:26:23:34 | UserToken |
| jose.js:21:23:21:47 | req.hea ... ization | jose.js:21:11:21:47 | UserToken |
| jose.js:21:23:21:47 | req.hea ... ization | jose.js:21:11:21:47 | UserToken |
| jose.js:27:11:27:47 | UserToken | jose.js:29:20:29:28 | UserToken |
| jose.js:27:11:27:47 | UserToken | jose.js:29:20:29:28 | UserToken |
| jose.js:27:11:27:47 | UserToken | jose.js:30:26:30:34 | UserToken |
| jose.js:27:11:27:47 | UserToken | jose.js:30:26:30:34 | UserToken |
| jose.js:27:23:27:47 | req.hea ... ization | jose.js:27:11:27:47 | UserToken |
| jose.js:27:23:27:47 | req.hea ... ization | jose.js:27:11:27:47 | UserToken |
#select
| jose.js:14:23:14:47 | req.hea ... ization | jose.js:14:23:14:47 | req.hea ... ization | jose.js:16:20:16:28 | UserToken | Decoding JWT $@. | jose.js:16:20:16:28 | UserToken | without signature verification |

40
javascript/ql/test/experimental/Security/CWE-347/jose.js
View File

@@ -12,24 +12,50 @@ function getSecret() {
app.get('/jose1', (req, res) => {
const UserToken = req.headers.authorization;
// BAD: no signature verification
jose.decodeJwt(UserToken)
// no signature verification
jose.decodeJwt(UserToken) // NOT OK
})
app.get('/jose2', async (req, res) => {
const UserToken = req.headers.authorization;
// GOOD: with signature verification
await jose.jwtVerify(UserToken, new TextEncoder().encode(getSecret()))
// with signature verification
await jose.jwtVerify(UserToken, new TextEncoder().encode(getSecret())) // OK
})
app.get('/jose3', async (req, res) => {
const UserToken = req.headers.authorization;
// GOOD: first without signature verification then with signature verification for same UserToken
jose.decodeJwt(UserToken)
await jose.jwtVerify(UserToken, new TextEncoder().encode(getSecret()))
// first without signature verification then with signature verification for same UserToken
jose.decodeJwt(UserToken) // OK
await jose.jwtVerify(UserToken, new TextEncoder().encode(getSecret())) // OK
})
app.listen(port, () => {
console.log(`Example app listening on port ${port}`)
})
function aJWT() {
return "A JWT provided by user"
}
(function () {
const UserToken = aJwt()
// no signature verification
jose.decodeJwt(UserToken) // NOT OK
})();
(async function () {
const UserToken = aJwt()
// first without signature verification then with signature verification for same UserToken
jose.decodeJwt(UserToken) // OK
await jose.jwtVerify(UserToken, new TextEncoder().encode(getSecret())) // OK
})();
(async function () {
const UserToken = aJwt()
// with signature verification
await jose.jwtVerify(UserToken, new TextEncoder().encode(getSecret())) // OK
})();

1
javascript/ql/test/experimental/Security/CWE-347/jose.qlref
View File

@@ -1 +0,0 @@
experimental/Security/CWE-347-noVerification/jose.ql

13
javascript/ql/test/experimental/Security/CWE-347/jwtDecode.expected
View File

@@ -1,13 +0,0 @@
nodes
| jwtDecode.js:14:11:14:47 | UserToken |
| jwtDecode.js:14:23:14:47 | req.hea ... ization |
| jwtDecode.js:14:23:14:47 | req.hea ... ization |
| jwtDecode.js:18:16:18:24 | UserToken |
| jwtDecode.js:18:16:18:24 | UserToken |
edges
| jwtDecode.js:14:11:14:47 | UserToken | jwtDecode.js:18:16:18:24 | UserToken |
| jwtDecode.js:14:11:14:47 | UserToken | jwtDecode.js:18:16:18:24 | UserToken |
| jwtDecode.js:14:23:14:47 | req.hea ... ization | jwtDecode.js:14:11:14:47 | UserToken |
| jwtDecode.js:14:23:14:47 | req.hea ... ization | jwtDecode.js:14:11:14:47 | UserToken |
#select
| jwtDecode.js:14:23:14:47 | req.hea ... ization | jwtDecode.js:14:23:14:47 | req.hea ... ization | jwtDecode.js:18:16:18:24 | UserToken | Decoding JWT $@. | jwtDecode.js:18:16:18:24 | UserToken | without signature verification |

16
javascript/ql/test/experimental/Security/CWE-347/jwtDecode.js
View File

@@ -14,10 +14,22 @@ app.get('/jwtDecode', (req, res) => {
const UserToken = req.headers.authorization;
// jwt-decode
// BAD: no signature verification
jwt_decode(UserToken)
// no signature verification
jwt_decode(UserToken) // NOT OK
})
app.listen(port, () => {
console.log(`Example app listening on port ${port}`)
})
function aJWT() {
return "A JWT provided by user"
}
(function () {
const UserToken = aJwt()
// jwt-decode
// no signature verification
jwt_decode(UserToken) // NOT OK
})();

1
javascript/ql/test/experimental/Security/CWE-347/jwtDecode.qlref
View File

@@ -1 +0,0 @@
experimental/Security/CWE-347-noVerification/jwtDecode.ql

39
javascript/ql/test/experimental/Security/CWE-347/jwtSimple.expected
View File

@@ -1,39 +0,0 @@
nodes
| jwtSimple.js:13:11:13:47 | UserToken |
| jwtSimple.js:13:23:13:47 | req.hea ... ization |
| jwtSimple.js:13:23:13:47 | req.hea ... ization |
| jwtSimple.js:18:23:18:31 | UserToken |
| jwtSimple.js:18:23:18:31 | UserToken |
| jwtSimple.js:22:11:22:47 | UserToken |
| jwtSimple.js:22:23:22:47 | req.hea ... ization |
| jwtSimple.js:22:23:22:47 | req.hea ... ization |
| jwtSimple.js:27:23:27:31 | UserToken |
| jwtSimple.js:27:23:27:31 | UserToken |
| jwtSimple.js:28:23:28:31 | UserToken |
| jwtSimple.js:28:23:28:31 | UserToken |
| jwtSimple.js:32:11:32:47 | UserToken |
| jwtSimple.js:32:23:32:47 | req.hea ... ization |
| jwtSimple.js:32:23:32:47 | req.hea ... ization |
| jwtSimple.js:37:23:37:31 | UserToken |
| jwtSimple.js:37:23:37:31 | UserToken |
| jwtSimple.js:38:23:38:31 | UserToken |
| jwtSimple.js:38:23:38:31 | UserToken |
edges
| jwtSimple.js:13:11:13:47 | UserToken | jwtSimple.js:18:23:18:31 | UserToken |
| jwtSimple.js:13:11:13:47 | UserToken | jwtSimple.js:18:23:18:31 | UserToken |
| jwtSimple.js:13:23:13:47 | req.hea ... ization | jwtSimple.js:13:11:13:47 | UserToken |
| jwtSimple.js:13:23:13:47 | req.hea ... ization | jwtSimple.js:13:11:13:47 | UserToken |
| jwtSimple.js:22:11:22:47 | UserToken | jwtSimple.js:27:23:27:31 | UserToken |
| jwtSimple.js:22:11:22:47 | UserToken | jwtSimple.js:27:23:27:31 | UserToken |
| jwtSimple.js:22:11:22:47 | UserToken | jwtSimple.js:28:23:28:31 | UserToken |
| jwtSimple.js:22:11:22:47 | UserToken | jwtSimple.js:28:23:28:31 | UserToken |
| jwtSimple.js:22:23:22:47 | req.hea ... ization | jwtSimple.js:22:11:22:47 | UserToken |
| jwtSimple.js:22:23:22:47 | req.hea ... ization | jwtSimple.js:22:11:22:47 | UserToken |
| jwtSimple.js:32:11:32:47 | UserToken | jwtSimple.js:37:23:37:31 | UserToken |
| jwtSimple.js:32:11:32:47 | UserToken | jwtSimple.js:37:23:37:31 | UserToken |
| jwtSimple.js:32:11:32:47 | UserToken | jwtSimple.js:38:23:38:31 | UserToken |
| jwtSimple.js:32:11:32:47 | UserToken | jwtSimple.js:38:23:38:31 | UserToken |
| jwtSimple.js:32:23:32:47 | req.hea ... ization | jwtSimple.js:32:11:32:47 | UserToken |
| jwtSimple.js:32:23:32:47 | req.hea ... ization | jwtSimple.js:32:11:32:47 | UserToken |
#select
| jwtSimple.js:13:23:13:47 | req.hea ... ization | jwtSimple.js:13:23:13:47 | req.hea ... ization | jwtSimple.js:18:23:18:31 | UserToken | Decoding JWT $@. | jwtSimple.js:18:23:18:31 | UserToken | without signature verification |

47
javascript/ql/test/experimental/Security/CWE-347/jwtSimple.js
View File

@@ -12,32 +12,53 @@ function getSecret() {
app.get('/jwtSimple1', (req, res) => {
const UserToken = req.headers.authorization;
// jwt-simple
// jwt.decode(token, key, noVerify, algorithm)
// BAD: no signature verification
jwt_simple.decode(UserToken, getSecret(), true);
// no signature verification
jwt_simple.decode(UserToken, getSecret(), true); // NOT OK
})
app.get('/jwtSimple2', (req, res) => {
const UserToken = req.headers.authorization;
// jwt-simple
// jwt.decode(token, key, noVerify, algorithm)
// GOOD: with signature verification
jwt_simple.decode(UserToken, getSecret(), false);
jwt_simple.decode(UserToken, getSecret());
// GOOD: all with with signature verification
jwt_simple.decode(UserToken, getSecret(), false); // OK
jwt_simple.decode(UserToken, getSecret()); // OK
})
app.get('/jwtSimple3', (req, res) => {
const UserToken = req.headers.authorization;
// jwt-simple
// jwt.decode(token, key, noVerify, algorithm)
// GOOD: first without signature verification then with signature verification for same UserToken
jwt_simple.decode(UserToken, getSecret(), true);
jwt_simple.decode(UserToken, getSecret());
jwt_simple.decode(UserToken, getSecret(), true); // OK
jwt_simple.decode(UserToken, getSecret()); // OK
})
app.listen(port, () => {
console.log(`Example app listening on port ${port}`)
})
function aJWT() {
return "A JWT provided by user"
}
(function () {
const UserToken = aJwt()
// BAD: no signature verification
jwt_simple.decode(UserToken, getSecret(), true); // NOT OK
})();
(function () {
const UserToken = aJwt()
// GOOD: all with with signature verification
jwt_simple.decode(UserToken, getSecret(), false); // OK
jwt_simple.decode(UserToken, getSecret()); // OK
})();
(function () {
const UserToken = aJwt()
// GOOD: first without signature verification then with signature verification for same UserToken
jwt_simple.decode(UserToken, getSecret(), true); // OK
jwt_simple.decode(UserToken, getSecret()); // OK
})();

1
javascript/ql/test/experimental/Security/CWE-347/jwtSimple.qlref
View File

@@ -1 +0,0 @@
experimental/Security/CWE-347-noVerification/jwtSimple.ql