Merge pull request #14666 from am0o0/amammad-js-hardcodedJWTKey

JS: Extends CredentialsNode class mostly related to JWT authentication packages
2026-03-16 20:46:49 +01:00 · 2024-08-08 10:20:45 +02:00
parent 2d3d46e0e2 b64cb4da09
commit 41506fbfef
8 changed files with 434 additions and 5 deletions
--- a/javascript/ql/lib/semmle/javascript/frameworks/Credentials.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Credentials.qll
@@ -12,7 +12,7 @@ import javascript
 abstract class CredentialsNode extends DataFlow::Node {
  /**
   * Gets a description of the kind of credential this expression is used as,
-   * such as `"user name"`, `"password"`, `"key"`.
+   * such as `"user name"`, `"password"`, `"key"`, `"jwt key"`.
   */
  abstract string getCredentialsKind();
 }
--- a/javascript/ql/lib/semmle/javascript/frameworks/JWT.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/JWT.qll
@@ -40,11 +40,111 @@ private module JsonWebToken {
  }

  /**
-   * The private key for a JWT as a `CredentialsNode`.
+   * The secret or PrivateKey for a JWT as a `CredentialsNode`.
   */
  private class JwtKey extends CredentialsNode {
-    JwtKey() { this = DataFlow::moduleMember("jsonwebtoken", "sign").getACall().getArgument(1) }
+    JwtKey() {
+      this =
+        API::moduleImport("jsonwebtoken").getMember(["sign", "verify"]).getParameter(1).asSink()
+    }

-    override string getCredentialsKind() { result = "key" }
+    override string getCredentialsKind() { result = "jwt key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `jose` library.
+ */
+private module Jose {
+  /**
+   * The asymmetric key or symmetric secret for verifying a JWT as a `CredentialsNode`.
+   */
+  private class JwtVerifyKey extends CredentialsNode {
+    JwtVerifyKey() {
+      this = API::moduleImport("jose").getMember("jwtVerify").getParameter(1).asSink()
+    }
+
+    override string getCredentialsKind() { result = "jwt key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `jwt-simple` library.
+ */
+private module JwtSimple {
+  /**
+   * The asymmetric key or symmetric secret for a JWT as a `CredentialsNode`.
+   */
+  private class JwtKey extends CredentialsNode {
+    JwtKey() { this = API::moduleImport("jwt-simple").getMember("decode").getParameter(1).asSink() }
+
+    override string getCredentialsKind() { result = "jwt key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `koa-jwt` library.
+ */
+private module KoaJwt {
+  /**
+   * The shared secret for a JWT as a `CredentialsNode`.
+   */
+  private class SharedSecret extends CredentialsNode {
+    SharedSecret() {
+      this = API::moduleImport("koa-jwt").getParameter(0).getMember("secret").asSink()
+    }
+
+    override string getCredentialsKind() { result = "jwt key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `express-jwt` library.
+ */
+private module ExpressJwt {
+  /**
+   * The shared secret for a JWT as a `CredentialsNode`.
+   */
+  private class SharedSecret extends CredentialsNode {
+    SharedSecret() {
+      this =
+        API::moduleImport("express-jwt")
+            .getMember("expressjwt")
+            .getParameter(0)
+            .getMember("secret")
+            .asSink()
+    }
+
+    override string getCredentialsKind() { result = "jwt key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `passport-jwt` library.
+ */
+private module PassportJwt {
+  /**
+   * The secret (symmetric) or PEM-encoded public key (asymmetric) for a JWT as a `CredentialsNode`.
+   */
+  private class JwtKey extends CredentialsNode {
+    JwtKey() {
+      this =
+        API::moduleImport("passport-jwt")
+            .getMember("Strategy")
+            .getParameter(0)
+            .getMember("secretOrKey")
+            .asSink()
+      or
+      this =
+        API::moduleImport("passport-jwt")
+            .getMember("Strategy")
+            .getParameter(0)
+            .getMember("secretOrKeyProvider")
+            .getParameter(2)
+            .getParameter(1)
+            .asSink()
+    }
+
+    override string getCredentialsKind() { result = "jwt key" }
  }
 }
--- a/javascript/ql/lib/semmle/javascript/frameworks/Next.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Next.qll
@@ -255,4 +255,20 @@ module NextJS {
          .getMember("router")
          .asSource()
  }
+
+  /**
+   * Provides classes and predicates modeling the `next-auth` library.
+   */
+  private module NextAuth {
+    /**
+     * A random string used to hash tokens, sign cookies and generate cryptographic keys as a `CredentialsNode`.
+     */
+    private class SecretKey extends CredentialsNode {
+      SecretKey() {
+        this = API::moduleImport("next-auth").getParameter(0).getMember("secret").asSink()
+      }
+
+      override string getCredentialsKind() { result = "jwt key" }
+    }
+  }
 }