Add JWT Security Queries

This commit is contained in:
Maiky
2023-08-25 21:28:53 +02:00
parent cf53956d39
commit 17565cde75
17 changed files with 312 additions and 0 deletions


@@ -0,0 +1,3 @@
| EmptyJWTSecret.rb:9:21:9:34 | call to [] | This JWT encoding uses empty key or none algorithm. |
| EmptyJWTSecret.rb:12:21:12:34 | call to [] | This JWT encoding uses empty key or none algorithm. |
| MissingJWTVerification.rb:6:38:6:44 | payload | This JWT encoding uses empty key or none algorithm. |


@@ -0,0 +1 @@
experimental/cwe-347/EmptyJWTSecret.ql


@@ -0,0 +1,15 @@
require 'jwt'
payload = { foo: 'bar' }
# BAD: the token is not signed
token1 = JWT.encode({ foo: 'bar' }, "secret", 'none')
# BAD: the secret used is empty
token2 = JWT.encode({ foo: 'bar' }, nil, 'HS256')
# BAD: the secret used is empty
token3 = JWT.encode({ foo: 'bar' }, "", 'HS256')
# GOOD: the token is signed
token4 = JWT.encode({ foo: 'bar' }, "secret", 'HS256')
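Review bot: The `token1` line is marked `# BAD: the token is not signed`, yet the EmptyJWTSecret expected output added in this commit lists only lines 9 and 12 of EmptyJWTSecret.rb (the `nil` and `""` secrets), so there is no result for the `'none'` algorithm case even though the alert message says "uses empty key or none algorithm"; either the query does not yet cover a non-empty secret combined with `'none'`, or the comment overstates what this test asserts, and one of the two should be reconciled before the query leaves experimental. Separately, `payload = { foo: 'bar' }` is assigned but never used, since every `JWT.encode` call inlines the literal; either pass `payload` in the calls (as MissingJWTVerification.rb does) or drop the assignment so the fixture reads as intended.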


@@ -0,0 +1,3 @@
| MissingJWTVerification.rb:12:29:12:51 | token_without_signature | is not verified with a cryptographic secret or public key. |
| MissingJWTVerification.rb:15:29:15:51 | token_without_signature | is not verified with a cryptographic secret or public key. |
| MissingJWTVerification.rb:18:29:18:51 | token_without_signature | is not verified with a cryptographic secret or public key. |


@@ -0,0 +1 @@
experimental/cwe-347/MissingJWTVerification.ql


@@ -0,0 +1,24 @@
require 'jwt'
payload = { foo: 'bar' }
# Unsecure token
token_without_signature = JWT.encode(payload, nil, 'none')
# Secure token
token = JWT.encode(payload, "secret", 'HS256')
# BAD: it does not verify
decoded_token1 = JWT.decode(token_without_signature, nil, false, algorithm: 'HS256')
# BAD: it's using none
decoded_token3 = JWT.decode(token_without_signature, secret, true, algorithm: 'none')
# BAD: it's using none
decoded_token4 = JWT.decode(token_without_signature, secret, true, { algorithm: 'none' })
# GOOD: it does verify
decoded_token5 = JWT.decode(token, secret, 'HS256')
# GOOD: it does verify
decoded_token2 = JWT.decode(token,secret)
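Review bot: `secret` is referenced on the `decoded_token3`, `decoded_token4`, `decoded_token5` and `decoded_token2` lines but never assigned anywhere in the file, so the fixture would raise NameError if it were ever executed and the GOOD cases do not actually demonstrate a decode keyed with the same secret used on the `JWT.encode(payload, "secret", 'HS256')` line; add `secret = "secret"` next to `payload` and use it in that encode call. On the `decoded_token5` line, `'HS256'` is passed in the positional `verify` slot of `JWT.decode(jwt, key, verify, options)`, which only verifies because a non-nil string is truthy; the intended form is `decoded_token5 = JWT.decode(token, secret, true, algorithm: 'HS256')`, matching the keyword style already used on the `decoded_token1` line. The variable numbering also skips `decoded_token2` until the final line; numbering the cases in order would make the BAD/GOOD pairs easier to match against lines 12, 15 and 18 in the expected output.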