Merge pull request #14089 from am0o0/amammad-java-JWT

Java: JWT decoding without verification
Chris Smowton
2024-08-21 14:14:08 +01:00
committed by GitHub
28 changed files with 760 additions and 0 deletions


@@ -0,0 +1,6 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sourceModel
data:
- ["org.apache.shiro.authc","AuthenticationToken",true,"getCredentials","()","","ReturnValue","remote","manual"]
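Review bot: The new row registers `AuthenticationToken.getCredentials` (subtypes included) as a `remote` source in the shared `codeql/java-all` `sourceModel`, so its effect is not limited to the JWT query: any query that consumes remote flow sources will treat Shiro credentials as attacker-controlled while this extension is loaded. If that breadth is intended, a comment above the row would record why, for example `# Shiro bearer credentials normally carry the raw token taken from the request`. If it is meant only for the experimental query, it is worth confirming that the extension file is scoped to the experimental pack; the file's location is not visible in this section.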


@@ -0,0 +1,31 @@
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
<qhelp>
<overview>
<p>
A JSON Web Token (JWT) is used for authenticating and managing users in an application. It must be verified in order to ensure the JWT is genuine.
</p>
</overview>
<recommendation>
<p>
Don't use information from a JWT without verifying that JWT.
</p>
</recommendation>
<example>
<p>
The following example illustrates secure and insecure use of the Auth0 `java-jwt` library.
</p>
<sample src="Example.java" />
</example>
<references>
<li>
<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-37580">The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication.</a>
</li>
</references>
</qhelp>


@@ -0,0 +1,59 @@
/**
* @name Missing JWT signature check
* @description Failing to check the Json Web Token (JWT) signature may allow an attacker to forge their own tokens.
* @kind path-problem
* @problem.severity error
* @security-severity 7.8
* @precision high
* @id java/missing-jwt-signature-check-auth0
* @tags security
* external/cwe/cwe-347
*/
import java
import semmle.code.java.dataflow.FlowSources
import JwtAuth0 as JwtAuth0
module JwtDecodeConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source instanceof RemoteFlowSource and
not FlowToJwtVerify::flow(source, _)
}
predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(JwtAuth0::GetPayload a) }
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
// Decode Should be one of the middle nodes
exists(JwtAuth0::Decode a |
nodeFrom.asExpr() = a.getArgument(0) and
nodeTo.asExpr() = a
)
or
exists(JwtAuth0::Verify a |
nodeFrom.asExpr() = a.getArgument(0) and
nodeTo.asExpr() = a
)
or
exists(JwtAuth0::GetPayload a |
nodeFrom.asExpr() = a.getQualifier() and
nodeTo.asExpr() = a
)
}
}
module FlowToJwtVerifyConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(JwtAuth0::Verify a).getArgument(0) }
}
module JwtDecode = TaintTracking::Global<JwtDecodeConfig>;
module FlowToJwtVerify = TaintTracking::Global<FlowToJwtVerifyConfig>;
import JwtDecode::PathGraph
from JwtDecode::PathNode source, JwtDecode::PathNode sink
where JwtDecode::flowPath(source, sink)
select sink.getNode(), source, sink, "This parses a $@, but the signature is not verified.",
source.getNode(), "JWT"
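Review bot: `isSource` drops a source as soon as `FlowToJwtVerify` finds it reaching the first argument of any `JWTVerifier.verify` call, without checking that the call precedes the claim read or that its outcome is acted on, so a handler that calls `verify`, ignores the failure and still reads the decoded claim is reported as safe. Separately, the `Verify` disjunct in `isAdditionalFlowStep` carries taint from the argument to the result of `verify`; as far as the two configs shown here go, `verifier.verify(JWT.decode(token)).getClaim(...)` would not be excluded by `FlowToJwtVerifyConfig` (it has no `Decode` step) and would then be flagged even though the claim comes from a verified token. I would remove that disjunct or express it through `isBarrier`, and document the first limitation on `isSource`, e.g. `// Heuristic: a source that reaches any verify() call is assumed verified; ordering and result handling are not checked.` With both gaps open, `@precision high` looks optimistic.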


@@ -0,0 +1,80 @@
package com.example.JwtTest;
import java.io.*;
import java.security.NoSuchAlgorithmException;
import java.util.Objects;
import java.util.Optional;
import javax.crypto.KeyGenerator;
import javax.servlet.http.*;
import javax.servlet.annotation.*;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTCreationException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
@WebServlet(name = "JwtTest1", value = "/Auth")
public class auth0 extends HttpServlet {
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
response.setContentType("text/html");
PrintWriter out = response.getWriter();
// OK: first decode without signature verification
// and then verify with signature verification
String JwtToken1 = request.getParameter("JWT1");
String userName = decodeToken(JwtToken1);
verifyToken(JwtToken1, "A Securely generated Key");
if (Objects.equals(userName, "Admin")) {
out.println("<html><body>");
out.println("<h1>" + "heyyy Admin" + "</h1>");
out.println("</body></html>");
}
out.println("<html><body>");
out.println("<h1>" + "heyyy Nobody" + "</h1>");
out.println("</body></html>");
}
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
response.setContentType("text/html");
PrintWriter out = response.getWriter();
// NOT OK: only decode, no verification
String JwtToken2 = request.getParameter("JWT2");
String userName = decodeToken(JwtToken2);
if (Objects.equals(userName, "Admin")) {
out.println("<html><body>");
out.println("<h1>" + "heyyy Admin" + "</h1>");
out.println("</body></html>");
}
// OK: no clue of the use of unsafe decoded JWT return value
JwtToken2 = request.getParameter("JWT2");
JWT.decode(JwtToken2);
out.println("<html><body>");
out.println("<h1>" + "heyyy Nobody" + "</h1>");
out.println("</body></html>");
}
public static boolean verifyToken(final String token, final String key) {
try {
JWTVerifier verifier = JWT.require(Algorithm.HMAC256(key)).build();
verifier.verify(token);
return true;
} catch (JWTVerificationException e) {
System.out.printf("jwt decode fail, token: %s", e);
}
return false;
}
public static String decodeToken(final String token) {
DecodedJWT jwt = JWT.decode(token);
return Optional.of(jwt).map(item -> item.getClaim("userName").asString()).orElse("");
}
}
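Review bot: The `doPost` path marked `// OK` discards the boolean returned by `verifyToken`, which swallows `JWTVerificationException` and returns `false`, so the `Admin` branch still runs on a claim read from a token whose signature check failed. As this file is the sample the query help presents as secure use, the check should gate the claim, e.g. `if (!verifyToken(JwtToken1, key)) { response.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }` placed before `decodeToken` is called, with `key` loaded from configuration rather than the inline string literal. The same pattern appears in `doPost` of the `JwtNoVerifier` test class. Reading the claim from the `DecodedJWT` that `verify` returns would make the dependency on verification explicit.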


@@ -0,0 +1,43 @@
import java
class PayloadType extends RefType {
PayloadType() { this.hasQualifiedName("com.auth0.jwt.interfaces", "Payload") }
}
class JwtType extends RefType {
JwtType() { this.hasQualifiedName("com.auth0.jwt", "JWT") }
}
class JwtVerifierType extends RefType {
JwtVerifierType() { this.hasQualifiedName("com.auth0.jwt", "JWTVerifier") }
}
/**
* A Method that returns a Decoded Claim of JWT
*/
class GetPayload extends MethodCall {
GetPayload() {
this.getCallee().getDeclaringType() instanceof PayloadType and
this.getCallee().hasName(["getClaim", "getIssuedAt"])
}
}
/**
* A Method that Decode JWT without signature verification
*/
class Decode extends MethodCall {
Decode() {
this.getCallee().getDeclaringType() instanceof JwtType and
this.getCallee().hasName("decode")
}
}
/**
* A Method that Decode JWT with signature verification
*/
class Verify extends MethodCall {
Verify() {
this.getCallee().getDeclaringType() instanceof JwtVerifierType and
this.getCallee().hasName("verify")
}
}
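Review bot: `GetPayload` matches only `getClaim` and `getIssuedAt`, so reads of other `Payload` accessors on an unverified token (`getSubject`, `getIssuer`, `getAudience`, `getClaims`, `getId`, all present in the stub added by this commit) are never sinks, and `Decode` matches the static `decode` but not the instance method `decodeJwt`. I would widen both, e.g. `this.getCallee().hasName(["getClaim", "getClaims", "getSubject", "getIssuer", "getAudience", "getId", "getIssuedAt"])` and `this.getCallee().hasName(["decode", "decodeJwt"])`. The QLDoc on the three classes would also read more accurately as "A call to a method that …", since they extend `MethodCall` rather than `Method`.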


@@ -0,0 +1,36 @@
#select
| JwtNoVerifier.java:91:45:91:69 | getClaim(...) | JwtNoVerifier.java:44:28:44:55 | getParameter(...) : String | JwtNoVerifier.java:91:45:91:69 | getClaim(...) | This parses a $@, but the signature is not verified. | JwtNoVerifier.java:44:28:44:55 | getParameter(...) | JWT |
| JwtNoVerifier.java:91:45:91:69 | getClaim(...) | JwtNoVerifier.java:58:37:58:62 | getCredentials(...) : Object | JwtNoVerifier.java:91:45:91:69 | getClaim(...) | This parses a $@, but the signature is not verified. | JwtNoVerifier.java:58:37:58:62 | getCredentials(...) | JWT |
edges
| JwtNoVerifier.java:44:28:44:55 | getParameter(...) : String | JwtNoVerifier.java:45:39:45:47 | JwtToken1 : String | provenance | Src:MaD:4 |
| JwtNoVerifier.java:45:39:45:47 | JwtToken1 : String | JwtNoVerifier.java:89:38:89:55 | token : String | provenance | |
| JwtNoVerifier.java:58:28:58:62 | (...)... : String | JwtNoVerifier.java:59:32:59:40 | JwtToken3 : String | provenance | |
| JwtNoVerifier.java:58:37:58:62 | getCredentials(...) : Object | JwtNoVerifier.java:58:28:58:62 | (...)... : String | provenance | Src:MaD:1 |
| JwtNoVerifier.java:59:32:59:40 | JwtToken3 : String | JwtNoVerifier.java:89:38:89:55 | token : String | provenance | |
| JwtNoVerifier.java:89:38:89:55 | token : String | JwtNoVerifier.java:90:37:90:41 | token : String | provenance | |
| JwtNoVerifier.java:90:26:90:42 | decode(...) : DecodedJWT | JwtNoVerifier.java:91:28:91:30 | jwt : DecodedJWT | provenance | |
| JwtNoVerifier.java:90:37:90:41 | token : String | JwtNoVerifier.java:90:26:90:42 | decode(...) : DecodedJWT | provenance | Config |
| JwtNoVerifier.java:91:16:91:31 | of(...) : Optional [<element>] : DecodedJWT | JwtNoVerifier.java:91:37:91:40 | item : DecodedJWT | provenance | MaD:2 |
| JwtNoVerifier.java:91:28:91:30 | jwt : DecodedJWT | JwtNoVerifier.java:91:16:91:31 | of(...) : Optional [<element>] : DecodedJWT | provenance | MaD:3 |
| JwtNoVerifier.java:91:37:91:40 | item : DecodedJWT | JwtNoVerifier.java:91:45:91:48 | item : DecodedJWT | provenance | |
| JwtNoVerifier.java:91:45:91:48 | item : DecodedJWT | JwtNoVerifier.java:91:45:91:69 | getClaim(...) | provenance | Config |
models
| 1 | Source: org.apache.shiro.authc; AuthenticationToken; true; getCredentials; (); ; ReturnValue; remote; manual |
| 2 | Summary: java.util; Optional; false; map; ; ; Argument[this].Element; Argument[0].Parameter[0]; value; manual |
| 3 | Summary: java.util; Optional; false; of; ; ; Argument[0]; ReturnValue.Element; value; manual |
| 4 | Source: javax.servlet; ServletRequest; false; getParameter; (String); ; ReturnValue; remote; manual |
nodes
| JwtNoVerifier.java:44:28:44:55 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JwtNoVerifier.java:45:39:45:47 | JwtToken1 : String | semmle.label | JwtToken1 : String |
| JwtNoVerifier.java:58:28:58:62 | (...)... : String | semmle.label | (...)... : String |
| JwtNoVerifier.java:58:37:58:62 | getCredentials(...) : Object | semmle.label | getCredentials(...) : Object |
| JwtNoVerifier.java:59:32:59:40 | JwtToken3 : String | semmle.label | JwtToken3 : String |
| JwtNoVerifier.java:89:38:89:55 | token : String | semmle.label | token : String |
| JwtNoVerifier.java:90:26:90:42 | decode(...) : DecodedJWT | semmle.label | decode(...) : DecodedJWT |
| JwtNoVerifier.java:90:37:90:41 | token : String | semmle.label | token : String |
| JwtNoVerifier.java:91:16:91:31 | of(...) : Optional [<element>] : DecodedJWT | semmle.label | of(...) : Optional [<element>] : DecodedJWT |
| JwtNoVerifier.java:91:28:91:30 | jwt : DecodedJWT | semmle.label | jwt : DecodedJWT |
| JwtNoVerifier.java:91:37:91:40 | item : DecodedJWT | semmle.label | item : DecodedJWT |
| JwtNoVerifier.java:91:45:91:48 | item : DecodedJWT | semmle.label | item : DecodedJWT |
| JwtNoVerifier.java:91:45:91:69 | getClaim(...) | semmle.label | getClaim(...) |
subpaths


@@ -0,0 +1,2 @@
query: experimental/Security/CWE/CWE-347/Auth0NoVerifier.ql
postprocess: TestUtilities/PrettyPrintModels.ql


@@ -0,0 +1,137 @@
import java.io.*;
import java.security.NoSuchAlgorithmException;
import java.util.Objects;
import java.util.Optional;
import javax.crypto.KeyGenerator;
import javax.servlet.http.*;
import javax.servlet.annotation.*;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.BearerToken;
public class JwtNoVerifier extends HttpServlet {
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
response.setContentType("text/html");
PrintWriter out = response.getWriter();
// OK: first decode without signature verification
// and then verify with signature verification
String JwtToken1 = request.getParameter("JWT1");
String userName = decodeToken(JwtToken1);
verifyToken(JwtToken1, "A Securely generated Key");
if (Objects.equals(userName, "Admin")) {
out.println("<html><body>");
out.println("<h1>" + "heyyy Admin" + "</h1>");
out.println("</body></html>");
}
out.println("<html><body>");
out.println("<h1>" + "heyyy Nobody" + "</h1>");
out.println("</body></html>");
}
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
response.setContentType("text/html");
PrintWriter out = response.getWriter();
// NOT OK: only decode, no verification
String JwtToken1 = request.getParameter("JWT2");
String userName = decodeToken(JwtToken1);
if (Objects.equals(userName, "Admin")) {
out.println("<html><body>");
out.println("<h1>" + "heyyy Admin" + "</h1>");
out.println("</body></html>");
}
AuthenticationToken authToken = new BearerToken("admin", "admin");
// OK: no clue of the use of unsafe decoded JWT return value
String JwtToken2 = request.getParameter("JWT2");
JWT.decode(JwtToken2);
// NOT OK: only decode, no verification
String JwtToken3 = (String) authToken.getCredentials();
userName = decodeToken(JwtToken3);
if (Objects.equals(userName, "Admin")) {
out.println("<html><body>");
out.println("<h1>" + "heyyy Admin" + "</h1>");
out.println("</body></html>");
}
// OK: no clue of the use of unsafe decoded JWT return value
String JwtToken4 = (String) authToken.getCredentials();
JWT.decode(JwtToken4);
out.println("<html><body>");
out.println("<h1>" + "heyyy Nobody" + "</h1>");
out.println("</body></html>");
}
public static boolean verifyToken(final String token, final String key) {
try {
JWTVerifier verifier = JWT.require(Algorithm.HMAC256(key)).build();
verifier.verify(token);
return true;
} catch (JWTVerificationException e) {
System.out.printf("jwt decode fail, token: %s", e);
}
return false;
}
public static String decodeToken(final String token) {
DecodedJWT jwt = JWT.decode(token);
return Optional.of(jwt).map(item -> item.getClaim("userName").asString()).orElse("");
}
private static String getSecureRandomKey() throws NoSuchAlgorithmException {
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
keyGen.init(256); // for example
return keyGen.generateKey().toString();
}
static final String JWT_KEY = "KEY";
public static void NoNeedForTest(HttpServletRequest request) {
// constant key
String JwtToken3 = request.getParameter("JWT3");
verifyToken(JwtToken3, JWT_KEY);
// none algorithm
String JwtToken4 = request.getParameter("JWT4");
try {
verifyTokenNoneAlg(JwtToken4, getSecureRandomKey());
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
}
public static String generateToken(final String userName, final String key) {
try {
return JWT.create().withClaim("userName", userName).sign(Algorithm.HMAC256(key));
} catch (IllegalArgumentException e) {
System.out.printf("JWTToken generate fail %s", e);
}
return "";
}
public static boolean verifyTokenNoneAlg(final String token, final String key) {
try {
JWTVerifier verifier = JWT.require(Algorithm.none()).build();
verifier.verify(token);
return true;
} catch (JWTVerificationException e) {
System.out.printf("jwt decode fail, token: %s", e);
}
return false;
}
}
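Review bot: `NoNeedForTest` sets up the constant-key and `Algorithm.none()` cases but never reads a claim from `JwtToken3` or `JwtToken4`, so neither can reach the query's sink and the expected output says nothing about how they are handled. Because `verifyTokenNoneAlg` still calls `JWTVerifier.verify`, the query's source exclusion would presumably treat such a token as verified; a comment should record that, e.g. `// Out of scope for this query: a verifier built with Algorithm.none() performs no signature check but still counts as a verify() call`. The suite also has no case that reads a claim from the `DecodedJWT` returned by `verify`, which would pin down the behaviour for correctly verified tokens.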


@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/auth0-java-jwt-4.4.0:${testdir}/../../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/org-apache-shiro-authc-2.0.1


@@ -0,0 +1,17 @@
// Generated automatically from com.auth0.jwt.JWT for testing purposes
package com.auth0.jwt;
import com.auth0.jwt.JWTCreator;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.Verification;
public class JWT
{
public DecodedJWT decodeJwt(String p0){ return null; }
public JWT(){}
public static DecodedJWT decode(String p0){ return null; }
public static JWTCreator.Builder create(){ return null; }
public static Verification require(Algorithm p0){ return null; }
}


@@ -0,0 +1,46 @@
// Generated automatically from com.auth0.jwt.JWTCreator for testing purposes
package com.auth0.jwt;
import com.auth0.jwt.algorithms.Algorithm;
import java.time.Instant;
import java.util.Date;
import java.util.List;
import java.util.Map;
public class JWTCreator
{
protected JWTCreator() {}
static public class Builder
{
public JWTCreator.Builder withArrayClaim(String p0, Integer[] p1){ return null; }
public JWTCreator.Builder withArrayClaim(String p0, Long[] p1){ return null; }
public JWTCreator.Builder withArrayClaim(String p0, String[] p1){ return null; }
public JWTCreator.Builder withAudience(String... p0){ return null; }
public JWTCreator.Builder withClaim(String p0, Boolean p1){ return null; }
public JWTCreator.Builder withClaim(String p0, Date p1){ return null; }
public JWTCreator.Builder withClaim(String p0, Double p1){ return null; }
public JWTCreator.Builder withClaim(String p0, Instant p1){ return null; }
public JWTCreator.Builder withClaim(String p0, Integer p1){ return null; }
public JWTCreator.Builder withClaim(String p0, List<? extends Object> p1){ return null; }
public JWTCreator.Builder withClaim(String p0, Long p1){ return null; }
public JWTCreator.Builder withClaim(String p0, Map<String, ? extends Object> p1){ return null; }
public JWTCreator.Builder withClaim(String p0, String p1){ return null; }
public JWTCreator.Builder withExpiresAt(Date p0){ return null; }
public JWTCreator.Builder withExpiresAt(Instant p0){ return null; }
public JWTCreator.Builder withHeader(Map<String, Object> p0){ return null; }
public JWTCreator.Builder withHeader(String p0){ return null; }
public JWTCreator.Builder withIssuedAt(Date p0){ return null; }
public JWTCreator.Builder withIssuedAt(Instant p0){ return null; }
public JWTCreator.Builder withIssuer(String p0){ return null; }
public JWTCreator.Builder withJWTId(String p0){ return null; }
public JWTCreator.Builder withKeyId(String p0){ return null; }
public JWTCreator.Builder withNotBefore(Date p0){ return null; }
public JWTCreator.Builder withNotBefore(Instant p0){ return null; }
public JWTCreator.Builder withNullClaim(String p0){ return null; }
public JWTCreator.Builder withPayload(Map<String, ? extends Object> p0){ return null; }
public JWTCreator.Builder withPayload(String p0){ return null; }
public JWTCreator.Builder withSubject(String p0){ return null; }
public String sign(Algorithm p0){ return null; }
}
}


@@ -0,0 +1,12 @@
// Generated automatically from com.auth0.jwt.JWTVerifier for testing purposes
package com.auth0.jwt;
import com.auth0.jwt.interfaces.DecodedJWT;
public class JWTVerifier implements com.auth0.jwt.interfaces.JWTVerifier
{
protected JWTVerifier() {}
public DecodedJWT verify(DecodedJWT p0){ return null; }
public DecodedJWT verify(String p0){ return null; }
}


@@ -0,0 +1,50 @@
// Generated automatically from com.auth0.jwt.algorithms.Algorithm for testing purposes
package com.auth0.jwt.algorithms;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.ECDSAKeyProvider;
import com.auth0.jwt.interfaces.RSAKeyProvider;
import java.security.interfaces.ECKey;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
abstract public class Algorithm
{
protected Algorithm() {}
protected Algorithm(String p0, String p1){}
public String getName(){ return null; }
public String getSigningKeyId(){ return null; }
public String toString(){ return null; }
public abstract byte[] sign(byte[] p0);
public abstract void verify(DecodedJWT p0);
public byte[] sign(byte[] p0, byte[] p1){ return null; }
public static Algorithm ECDSA256(ECDSAKeyProvider p0){ return null; }
public static Algorithm ECDSA256(ECKey p0){ return null; }
public static Algorithm ECDSA256(ECPublicKey p0, ECPrivateKey p1){ return null; }
public static Algorithm ECDSA384(ECDSAKeyProvider p0){ return null; }
public static Algorithm ECDSA384(ECKey p0){ return null; }
public static Algorithm ECDSA384(ECPublicKey p0, ECPrivateKey p1){ return null; }
public static Algorithm ECDSA512(ECDSAKeyProvider p0){ return null; }
public static Algorithm ECDSA512(ECKey p0){ return null; }
public static Algorithm ECDSA512(ECPublicKey p0, ECPrivateKey p1){ return null; }
public static Algorithm HMAC256(String p0){ return null; }
public static Algorithm HMAC256(byte[] p0){ return null; }
public static Algorithm HMAC384(String p0){ return null; }
public static Algorithm HMAC384(byte[] p0){ return null; }
public static Algorithm HMAC512(String p0){ return null; }
public static Algorithm HMAC512(byte[] p0){ return null; }
public static Algorithm RSA256(RSAKey p0){ return null; }
public static Algorithm RSA256(RSAKeyProvider p0){ return null; }
public static Algorithm RSA256(RSAPublicKey p0, RSAPrivateKey p1){ return null; }
public static Algorithm RSA384(RSAKey p0){ return null; }
public static Algorithm RSA384(RSAKeyProvider p0){ return null; }
public static Algorithm RSA384(RSAPublicKey p0, RSAPrivateKey p1){ return null; }
public static Algorithm RSA512(RSAKey p0){ return null; }
public static Algorithm RSA512(RSAKeyProvider p0){ return null; }
public static Algorithm RSA512(RSAPublicKey p0, RSAPrivateKey p1){ return null; }
public static Algorithm none(){ return null; }
}


@@ -0,0 +1,15 @@
// Generated automatically from com.auth0.jwt.exceptions.JWTVerificationException for testing purposes
package com.auth0.jwt.exceptions;
public class JWTCreationException extends RuntimeException {
protected JWTCreationException() {
}
public JWTCreationException(String p0) {
}
public JWTCreationException(String p0, Throwable p1) {
}
}


@@ -0,0 +1,11 @@
// Generated automatically from com.auth0.jwt.exceptions.JWTVerificationException for testing purposes
package com.auth0.jwt.exceptions;
public class JWTVerificationException extends RuntimeException
{
protected JWTVerificationException() {}
public JWTVerificationException(String p0){}
public JWTVerificationException(String p0, Throwable p1){}
}


@@ -0,0 +1,25 @@
// Generated automatically from com.auth0.jwt.interfaces.Claim for testing purposes
package com.auth0.jwt.interfaces;
import java.time.Instant;
import java.util.Date;
import java.util.List;
import java.util.Map;
public interface Claim
{
<T> T as(java.lang.Class<T> p0);
<T> T[] asArray(java.lang.Class<T> p0);
<T> java.util.List<T> asList(java.lang.Class<T> p0);
Boolean asBoolean();
Date asDate();
Double asDouble();
Integer asInt();
Long asLong();
Map<String, Object> asMap();
String asString();
boolean isMissing();
boolean isNull();
default Instant asInstant(){ return null; }
}


@@ -0,0 +1,14 @@
// Generated automatically from com.auth0.jwt.interfaces.DecodedJWT for testing purposes
package com.auth0.jwt.interfaces;
import com.auth0.jwt.interfaces.Header;
import com.auth0.jwt.interfaces.Payload;
public interface DecodedJWT extends Header, Payload
{
String getHeader();
String getPayload();
String getSignature();
String getToken();
}


@@ -0,0 +1,13 @@
// Generated automatically from com.auth0.jwt.interfaces.ECDSAKeyProvider for testing purposes
package com.auth0.jwt.interfaces;
import com.auth0.jwt.interfaces.KeyProvider;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
public interface ECDSAKeyProvider extends KeyProvider<ECPublicKey, ECPrivateKey>
{
}


@@ -0,0 +1,14 @@
// Generated automatically from com.auth0.jwt.interfaces.Header for testing purposes
package com.auth0.jwt.interfaces;
import com.auth0.jwt.interfaces.Claim;
public interface Header
{
Claim getHeaderClaim(String p0);
String getAlgorithm();
String getContentType();
String getKeyId();
String getType();
}


@@ -0,0 +1,11 @@
// Generated automatically from com.auth0.jwt.interfaces.JWTVerifier for testing purposes
package com.auth0.jwt.interfaces;
import com.auth0.jwt.interfaces.DecodedJWT;
public interface JWTVerifier
{
DecodedJWT verify(DecodedJWT p0);
DecodedJWT verify(String p0);
}


@@ -0,0 +1,13 @@
// Generated automatically from com.auth0.jwt.interfaces.KeyProvider for testing purposes
package com.auth0.jwt.interfaces;
import java.security.PrivateKey;
import java.security.PublicKey;
interface KeyProvider<U extends PublicKey, R extends PrivateKey>
{
R getPrivateKey();
String getPrivateKeyId();
U getPublicKeyById(String p0);
}


@@ -0,0 +1,25 @@
// Generated automatically from com.auth0.jwt.interfaces.Payload for testing purposes
package com.auth0.jwt.interfaces;
import com.auth0.jwt.interfaces.Claim;
import java.time.Instant;
import java.util.Date;
import java.util.List;
import java.util.Map;
public interface Payload
{
Claim getClaim(String p0);
Date getExpiresAt();
Date getIssuedAt();
Date getNotBefore();
List<String> getAudience();
Map<String, Claim> getClaims();
String getId();
String getIssuer();
String getSubject();
default Instant getExpiresAtAsInstant(){ return null; }
default Instant getIssuedAtAsInstant(){ return null; }
default Instant getNotBeforeAsInstant(){ return null; }
}


@@ -0,0 +1,13 @@
// Generated automatically from com.auth0.jwt.interfaces.RSAKeyProvider for testing purposes
package com.auth0.jwt.interfaces;
import com.auth0.jwt.interfaces.KeyProvider;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
public interface RSAKeyProvider extends KeyProvider<RSAPublicKey, RSAPrivateKey>
{
}


@@ -0,0 +1,38 @@
// Generated automatically from com.auth0.jwt.interfaces.Verification for testing purposes
package com.auth0.jwt.interfaces;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.time.Instant;
import java.util.Date;
import java.util.function.BiPredicate;
public interface Verification
{
Verification acceptExpiresAt(long p0);
Verification acceptIssuedAt(long p0);
Verification acceptLeeway(long p0);
Verification acceptNotBefore(long p0);
Verification ignoreIssuedAt();
Verification withAnyOfAudience(String... p0);
Verification withArrayClaim(String p0, Integer... p1);
Verification withArrayClaim(String p0, Long... p1);
Verification withArrayClaim(String p0, String... p1);
Verification withAudience(String... p0);
Verification withClaim(String p0, BiPredicate<Claim, DecodedJWT> p1);
Verification withClaim(String p0, Boolean p1);
Verification withClaim(String p0, Date p1);
Verification withClaim(String p0, Double p1);
Verification withClaim(String p0, Integer p1);
Verification withClaim(String p0, Long p1);
Verification withClaim(String p0, String p1);
Verification withClaimPresence(String p0);
Verification withIssuer(String... p0);
Verification withJWTId(String p0);
Verification withNullClaim(String p0);
Verification withSubject(String p0);
com.auth0.jwt.JWTVerifier build();
default Verification withClaim(String p0, Instant p1){ return null; }
default Verification withIssuer(String p0){ return null; }
}


@@ -0,0 +1,11 @@
// Generated automatically from com.github.luben.zstd.BufferPool for testing purposes
package com.github.luben.zstd;
import java.nio.ByteBuffer;
public interface BufferPool
{
ByteBuffer get(int p0);
void release(ByteBuffer p0);
}


@@ -0,0 +1,11 @@
// Generated automatically from org.apache.shiro.authc.AuthenticationToken for testing purposes
package org.apache.shiro.authc;
import java.io.Serializable;
public interface AuthenticationToken extends Serializable
{
Object getCredentials();
Object getPrincipal();
}


@@ -0,0 +1,16 @@
// Generated automatically from org.apache.shiro.authc.BearerToken for testing purposes
package org.apache.shiro.authc;
import org.apache.shiro.authc.HostAuthenticationToken;
public class BearerToken implements HostAuthenticationToken
{
protected BearerToken() {}
public BearerToken(String p0){}
public BearerToken(String p0, String p1){}
public Object getCredentials(){ return null; }
public Object getPrincipal(){ return null; }
public String getHost(){ return null; }
public String getToken(){ return null; }
}


@@ -0,0 +1,10 @@
// Generated automatically from org.apache.shiro.authc.HostAuthenticationToken for testing purposes
package org.apache.shiro.authc;
import org.apache.shiro.authc.AuthenticationToken;
public interface HostAuthenticationToken extends AuthenticationToken
{
String getHost();
}