Update javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.ql

Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
Toufik Airane
2020-06-23 12:28:21 +02:00
committed by GitHub
parent 37f44d98ce
commit 27f91b36b0


@@ -11,10 +11,11 @@
import javascript
import DataFlow
import semmle.javascript.RestrictedLocations
from CallNode call
where
call = moduleMember("jsonwebtoken", "verify").getACall() and
unique(boolean b | b = call.getArgument(1).analyze().getABooleanValue()) = false
select call.getStartLine(), call,
select call.asExpr().(FirstLineOf),
"does not verify the JWT payload with a cryptographic secret or public key."
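Review bot: The where clause only matches calls that actually pass a second argument, because `call.getArgument(1).analyze()` has no value when the argument is absent, so a call such as `jwt.verify(token)` that omits the secret entirely is never reported even though it is presumably the same missing-secret situation the query targets. If the library treats an absent secret like a falsy one, the condition could become `unique(boolean b | b = call.getArgument(1).analyze().getABooleanValue()) = false or not exists(call.getArgument(1))`, keeping the `moduleMember` conjunct outside that disjunction. The `unique(...) = false` form also deliberately skips arguments whose abstract value may be truthy on some paths and falsy on others; a one-line comment such as `// only report when the secret argument is known to be falsy on every path` would make that precision trade-off explicit for the next maintainer. The query's metadata header (`@name`, `@kind`, …) precedes the hunk and is not visible here.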