Add missing subtype test

2026-04-30 19:26:02 +02:00 · 2021-05-18 09:38:35 +02:00
parent 347bd2ebc2
commit 34a55e77ef
2 changed files with 58 additions and 5 deletions
--- a/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.java
+++ b/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.java
@@ -1,11 +1,11 @@
-import io.jsonwebtoken.Jwts;
-import io.jsonwebtoken.JwtParser;
-import io.jsonwebtoken.Jwt;
-import io.jsonwebtoken.Jws;
 import io.jsonwebtoken.Header;
-import io.jsonwebtoken.JwtParserBuilder;
+import io.jsonwebtoken.Jws;
+import io.jsonwebtoken.Jwt;
 import io.jsonwebtoken.JwtHandlerAdapter;
+import io.jsonwebtoken.JwtParser;
+import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.impl.DefaultJwtParser;
+import io.jsonwebtoken.impl.DefaultJwtParserBuilder;

 public class MissingJWTSignatureCheckTest {

@@ -110,6 +110,10 @@ public class MissingJWTSignatureCheckTest {
        Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token); // $hasMissingJwtSignatureCheck
    }

+    private void badJwtOnDefaultParserBuilder(String token) {
+        new DefaultJwtParserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token); // $hasMissingJwtSignatureCheck
+    }
+
    private void badJwtHandlerOnParser(String token) {
        Jwts.parser().setSigningKey("someBase64EncodedKey").parse(token, // $hasMissingJwtSignatureCheck
                new JwtHandlerAdapter<Jwt<Header, String>>() {
--- a/java/ql/test/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/impl/DefaultJwtParserBuilder.java
+++ b/java/ql/test/stubs/jwtk-jjwt-0.11.2/io/jsonwebtoken/impl/DefaultJwtParserBuilder.java
@@ -0,0 +1,49 @@
+
+/*
+ * Copyright (C) 2019 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package io.jsonwebtoken.impl;
+
+import java.security.Key;
+import io.jsonwebtoken.JwtParser;
+import io.jsonwebtoken.JwtParserBuilder;
+import io.jsonwebtoken.SigningKeyResolver;
+
+
+public class DefaultJwtParserBuilder implements JwtParserBuilder {
+
+    @Override
+    public JwtParserBuilder setSigningKey(byte[] key) {
+        return this;
+    }
+
+    @Override
+    public JwtParserBuilder setSigningKey(String base64EncodedSecretKey) {
+        return this;
+    }
+
+    @Override
+    public JwtParserBuilder setSigningKey(Key key) {
+        return this;
+    }
+
+    @Override
+    public JwtParserBuilder setSigningKeyResolver(SigningKeyResolver signingKeyResolver) {
+        return this;
+    }
+
+    @Override
+    public JwtParser build() {
+        return null;
+    }
+}