Merge pull request #14666 from am0o0/amammad-js-hardcodedJWTKey

JS: Extends CredentialsNode class mostly related to JWT authentication packages

javascript/ql/lib/semmle/javascript/frameworks/Credentials.qll

@@ -12,7 +12,7 @@ import javascript
 abstract class CredentialsNode extends DataFlow::Node {
   /**
    * Gets a description of the kind of credential this expression is used as,
-   * such as `"user name"`, `"password"`, `"key"`.
+   * such as `"user name"`, `"password"`, `"key"`, `"jwt key"`.
    */
   abstract string getCredentialsKind();
 }

javascript/ql/lib/semmle/javascript/frameworks/JWT.qll

@@ -40,11 +40,111 @@ private module JsonWebToken {
   }
 
   /**
-   * The private key for a JWT as a `CredentialsNode`.
+   * The secret or PrivateKey for a JWT as a `CredentialsNode`.
    */
   private class JwtKey extends CredentialsNode {
-    JwtKey() { this = DataFlow::moduleMember("jsonwebtoken", "sign").getACall().getArgument(1) }
+    JwtKey() {
+      this =
+        API::moduleImport("jsonwebtoken").getMember(["sign", "verify"]).getParameter(1).asSink()
+    }
 
-    override string getCredentialsKind() { result = "key" }
+    override string getCredentialsKind() { result = "jwt key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `jose` library.
+ */
+private module Jose {
+  /**
+   * The asymmetric key or symmetric secret for verifying a JWT as a `CredentialsNode`.
+   */
+  private class JwtVerifyKey extends CredentialsNode {
+    JwtVerifyKey() {
+      this = API::moduleImport("jose").getMember("jwtVerify").getParameter(1).asSink()
+    }
+
+    override string getCredentialsKind() { result = "jwt key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `jwt-simple` library.
+ */
+private module JwtSimple {
+  /**
+   * The asymmetric key or symmetric secret for a JWT as a `CredentialsNode`.
+   */
+  private class JwtKey extends CredentialsNode {
+    JwtKey() { this = API::moduleImport("jwt-simple").getMember("decode").getParameter(1).asSink() }
+
+    override string getCredentialsKind() { result = "jwt key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `koa-jwt` library.
+ */
+private module KoaJwt {
+  /**
+   * The shared secret for a JWT as a `CredentialsNode`.
+   */
+  private class SharedSecret extends CredentialsNode {
+    SharedSecret() {
+      this = API::moduleImport("koa-jwt").getParameter(0).getMember("secret").asSink()
+    }
+
+    override string getCredentialsKind() { result = "jwt key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `express-jwt` library.
+ */
+private module ExpressJwt {
+  /**
+   * The shared secret for a JWT as a `CredentialsNode`.
+   */
+  private class SharedSecret extends CredentialsNode {
+    SharedSecret() {
+      this =
+        API::moduleImport("express-jwt")
+            .getMember("expressjwt")
+            .getParameter(0)
+            .getMember("secret")
+            .asSink()
+    }
+
+    override string getCredentialsKind() { result = "jwt key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `passport-jwt` library.
+ */
+private module PassportJwt {
+  /**
+   * The secret (symmetric) or PEM-encoded public key (asymmetric) for a JWT as a `CredentialsNode`.
+   */
+  private class JwtKey extends CredentialsNode {
+    JwtKey() {
+      this =
+        API::moduleImport("passport-jwt")
+            .getMember("Strategy")
+            .getParameter(0)
+            .getMember("secretOrKey")
+            .asSink()
+      or
+      this =
+        API::moduleImport("passport-jwt")
+            .getMember("Strategy")
+            .getParameter(0)
+            .getMember("secretOrKeyProvider")
+            .getParameter(2)
+            .getParameter(1)
+            .asSink()
+    }
+
+    override string getCredentialsKind() { result = "jwt key" }
   }
 }

javascript/ql/lib/semmle/javascript/frameworks/Next.qll

@@ -255,4 +255,20 @@ module NextJS {
           .getMember("router")
           .asSource()
   }
+
+  /**
+   * Provides classes and predicates modeling the `next-auth` library.
+   */
+  private module NextAuth {
+    /**
+     * A random string used to hash tokens, sign cookies and generate cryptographic keys as a `CredentialsNode`.
+     */
+    private class SecretKey extends CredentialsNode {
+      SecretKey() {
+        this = API::moduleImport("next-auth").getParameter(0).getMember("secret").asSink()
+      }
+
+      override string getCredentialsKind() { result = "jwt key" }
+    }
+  }
 }

javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsCustomizations.qll

@@ -4,6 +4,7 @@
  * own.
  */
 
+import semmle.javascript.filters.ClassifyFiles
 import javascript
 private import semmle.javascript.security.SensitiveActions
 
@@ -38,5 +39,9 @@ module HardcodedCredentials {
    */
   class DefaultCredentialsSink extends Sink instanceof CredentialsNode {
     override string getKind() { result = super.getCredentialsKind() }
+
+    DefaultCredentialsSink() {
+      not (super.getCredentialsKind() = "jwt key" and isTestFile(this.getFile()))
+    }
   }
 }

javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsQuery.qll

@@ -35,5 +35,43 @@ class Configuration extends DataFlow::Configuration {
       trg = bufferFrom and
       src = bufferFrom.getArgument(0)
     )
+    or
+    exists(API::Node n |
+      n = API::moduleImport("jose").getMember(["importSPKI", "importPKCS8", "importX509"])
+    |
+      src = n.getACall().getArgument(0) and
+      trg = n.getReturn().getPromised().asSource()
+    )
+    or
+    exists(API::Node n |
+      n = API::moduleImport("jose").getMember(["importSPKI", "importPKCS8", "importX509"])
+    |
+      src = n.getACall().getArgument(0) and
+      trg = n.getReturn().getPromised().asSource()
+    )
+    or
+    exists(API::Node n | n = API::moduleImport("jose").getMember("importJWK") |
+      src = n.getParameter(0).getMember(["x", "y", "n"]).asSink() and
+      trg = n.getReturn().getPromised().asSource()
+    )
+    or
+    exists(DataFlow::CallNode n |
+      n = DataFlow::globalVarRef("TextEncoder").getAnInstantiation().getAMemberCall("encode")
+    |
+      src = n.getArgument(0) and
+      trg = n
+    )
+    or
+    exists(DataFlow::CallNode n | n = DataFlow::globalVarRef("Buffer").getAMemberCall("from") |
+      src = n.getArgument(0) and
+      trg = [n, n.getAChainedMethodCall(["toString", "toJSON"])]
+    )
+    or
+    exists(API::Node n |
+      n = API::moduleImport("jose").getMember("base64url").getMember(["decode", "encode"])
+    |
+      src = n.getACall().getArgument(0) and
+      trg = n.getACall()
+    )
   }
 }

javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected

@@ -213,6 +213,11 @@ nodes
 | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" |
 | HardcodedCredentials.js:246:42:246:51 | privateKey |
 | HardcodedCredentials.js:246:42:246:51 | privateKey |
+| HardcodedCredentials.js:248:9:248:42 | publicKey |
+| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" |
+| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" |
+| HardcodedCredentials.js:249:23:249:31 | publicKey |
+| HardcodedCredentials.js:249:23:249:31 | publicKey |
 | HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
 | HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
 | HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
@@ -283,6 +288,62 @@ nodes
 | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
 | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
 | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
+| HardcodedCredentials.js:308:9:308:44 | privateKey |
+| HardcodedCredentials.js:308:22:308:44 | "myHard ... ateKey" |
+| HardcodedCredentials.js:308:22:308:44 | "myHard ... ateKey" |
+| HardcodedCredentials.js:309:34:309:43 | privateKey |
+| HardcodedCredentials.js:309:34:309:43 | privateKey |
+| HardcodedCredentials.js:316:9:316:44 | privateKey |
+| HardcodedCredentials.js:316:22:316:44 | "myHard ... ateKey" |
+| HardcodedCredentials.js:316:22:316:44 | "myHard ... ateKey" |
+| HardcodedCredentials.js:317:27:317:62 | new Tex ... ateKey) |
+| HardcodedCredentials.js:317:27:317:62 | new Tex ... ateKey) |
+| HardcodedCredentials.js:317:52:317:61 | privateKey |
+| HardcodedCredentials.js:319:11:321:29 | spki |
+| HardcodedCredentials.js:319:18:321:29 | `-----B ... Y-----` |
+| HardcodedCredentials.js:319:18:321:29 | `-----B ... Y-----` |
+| HardcodedCredentials.js:322:9:322:56 | publicKey |
+| HardcodedCredentials.js:322:21:322:56 | await j ... RS256') |
+| HardcodedCredentials.js:322:43:322:46 | spki |
+| HardcodedCredentials.js:323:27:323:35 | publicKey |
+| HardcodedCredentials.js:323:27:323:35 | publicKey |
+| HardcodedCredentials.js:328:12:328:55 | 'whYOFK ... -6f...' |
+| HardcodedCredentials.js:328:12:328:55 | 'whYOFK ... -6f...' |
+| HardcodedCredentials.js:331:5:331:46 | publicKey |
+| HardcodedCredentials.js:331:17:331:46 | await j ... k, alg) |
+| HardcodedCredentials.js:335:31:335:39 | publicKey |
+| HardcodedCredentials.js:335:31:335:39 | publicKey |
+| HardcodedCredentials.js:344:9:344:43 | secretKey |
+| HardcodedCredentials.js:344:21:344:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:344:21:344:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:349:21:349:29 | secretKey |
+| HardcodedCredentials.js:349:21:349:29 | secretKey |
+| HardcodedCredentials.js:360:21:360:52 | Buffer. ... ase64") |
+| HardcodedCredentials.js:360:21:360:52 | Buffer. ... ase64") |
+| HardcodedCredentials.js:360:33:360:41 | secretKey |
+| HardcodedCredentials.js:375:9:375:43 | secretKey |
+| HardcodedCredentials.js:375:21:375:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:375:21:375:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:378:24:378:32 | secretKey |
+| HardcodedCredentials.js:378:24:378:32 | secretKey |
+| HardcodedCredentials.js:385:31:385:39 | secretKey |
+| HardcodedCredentials.js:385:31:385:39 | secretKey |
+| HardcodedCredentials.js:396:9:396:43 | secretKey |
+| HardcodedCredentials.js:396:21:396:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:396:21:396:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:399:17:399:25 | secretKey |
+| HardcodedCredentials.js:399:17:399:25 | secretKey |
+| HardcodedCredentials.js:414:9:414:43 | secretKey |
+| HardcodedCredentials.js:414:21:414:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:414:21:414:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:416:27:416:35 | secretKey |
+| HardcodedCredentials.js:416:27:416:35 | secretKey |
+| __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' |
+| __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' |
+| __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' |
+| __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' |
+| __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' |
+| __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' |
 edges
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
 | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' |
@@ -384,10 +445,15 @@ edges
 | HardcodedCredentials.js:237:35:237:91 | Buffer. ... ase64') | HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') |
 | HardcodedCredentials.js:237:47:237:54 | username | HardcodedCredentials.js:237:47:237:71 | usernam ... assword |
 | HardcodedCredentials.js:237:47:237:71 | usernam ... assword | HardcodedCredentials.js:237:35:237:72 | Buffer. ... ssword) |
+| HardcodedCredentials.js:237:47:237:71 | usernam ... assword | HardcodedCredentials.js:237:35:237:91 | Buffer. ... ase64') |
 | HardcodedCredentials.js:245:9:245:44 | privateKey | HardcodedCredentials.js:246:42:246:51 | privateKey |
 | HardcodedCredentials.js:245:9:245:44 | privateKey | HardcodedCredentials.js:246:42:246:51 | privateKey |
 | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:9:245:44 | privateKey |
 | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:9:245:44 | privateKey |
+| HardcodedCredentials.js:248:9:248:42 | publicKey | HardcodedCredentials.js:249:23:249:31 | publicKey |
+| HardcodedCredentials.js:248:9:248:42 | publicKey | HardcodedCredentials.js:249:23:249:31 | publicKey |
+| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" | HardcodedCredentials.js:248:9:248:42 | publicKey |
+| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" | HardcodedCredentials.js:248:9:248:42 | publicKey |
 | HardcodedCredentials.js:260:30:260:40 | `Basic foo` | HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
 | HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' | HardcodedCredentials.js:268:30:268:73 | `${foo  ... Token}` |
 | HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' | HardcodedCredentials.js:268:30:268:73 | `${foo  ... Token}` |
@@ -415,6 +481,50 @@ edges
 | HardcodedCredentials.js:300:44:300:56 | 'SampleToken' | HardcodedCredentials.js:300:44:300:56 | 'SampleToken' |
 | HardcodedCredentials.js:301:44:301:55 | 'MyPassword' | HardcodedCredentials.js:301:44:301:55 | 'MyPassword' |
 | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
+| HardcodedCredentials.js:308:9:308:44 | privateKey | HardcodedCredentials.js:309:34:309:43 | privateKey |
+| HardcodedCredentials.js:308:9:308:44 | privateKey | HardcodedCredentials.js:309:34:309:43 | privateKey |
+| HardcodedCredentials.js:308:22:308:44 | "myHard ... ateKey" | HardcodedCredentials.js:308:9:308:44 | privateKey |
+| HardcodedCredentials.js:308:22:308:44 | "myHard ... ateKey" | HardcodedCredentials.js:308:9:308:44 | privateKey |
+| HardcodedCredentials.js:316:9:316:44 | privateKey | HardcodedCredentials.js:317:52:317:61 | privateKey |
+| HardcodedCredentials.js:316:22:316:44 | "myHard ... ateKey" | HardcodedCredentials.js:316:9:316:44 | privateKey |
+| HardcodedCredentials.js:316:22:316:44 | "myHard ... ateKey" | HardcodedCredentials.js:316:9:316:44 | privateKey |
+| HardcodedCredentials.js:317:52:317:61 | privateKey | HardcodedCredentials.js:317:27:317:62 | new Tex ... ateKey) |
+| HardcodedCredentials.js:317:52:317:61 | privateKey | HardcodedCredentials.js:317:27:317:62 | new Tex ... ateKey) |
+| HardcodedCredentials.js:319:11:321:29 | spki | HardcodedCredentials.js:322:43:322:46 | spki |
+| HardcodedCredentials.js:319:18:321:29 | `-----B ... Y-----` | HardcodedCredentials.js:319:11:321:29 | spki |
+| HardcodedCredentials.js:319:18:321:29 | `-----B ... Y-----` | HardcodedCredentials.js:319:11:321:29 | spki |
+| HardcodedCredentials.js:322:9:322:56 | publicKey | HardcodedCredentials.js:323:27:323:35 | publicKey |
+| HardcodedCredentials.js:322:9:322:56 | publicKey | HardcodedCredentials.js:323:27:323:35 | publicKey |
+| HardcodedCredentials.js:322:21:322:56 | await j ... RS256') | HardcodedCredentials.js:322:9:322:56 | publicKey |
+| HardcodedCredentials.js:322:43:322:46 | spki | HardcodedCredentials.js:322:21:322:56 | await j ... RS256') |
+| HardcodedCredentials.js:328:12:328:55 | 'whYOFK ... -6f...' | HardcodedCredentials.js:331:17:331:46 | await j ... k, alg) |
+| HardcodedCredentials.js:328:12:328:55 | 'whYOFK ... -6f...' | HardcodedCredentials.js:331:17:331:46 | await j ... k, alg) |
+| HardcodedCredentials.js:331:5:331:46 | publicKey | HardcodedCredentials.js:335:31:335:39 | publicKey |
+| HardcodedCredentials.js:331:5:331:46 | publicKey | HardcodedCredentials.js:335:31:335:39 | publicKey |
+| HardcodedCredentials.js:331:17:331:46 | await j ... k, alg) | HardcodedCredentials.js:331:5:331:46 | publicKey |
+| HardcodedCredentials.js:344:9:344:43 | secretKey | HardcodedCredentials.js:349:21:349:29 | secretKey |
+| HardcodedCredentials.js:344:9:344:43 | secretKey | HardcodedCredentials.js:349:21:349:29 | secretKey |
+| HardcodedCredentials.js:344:9:344:43 | secretKey | HardcodedCredentials.js:360:33:360:41 | secretKey |
+| HardcodedCredentials.js:344:21:344:43 | "myHard ... ateKey" | HardcodedCredentials.js:344:9:344:43 | secretKey |
+| HardcodedCredentials.js:344:21:344:43 | "myHard ... ateKey" | HardcodedCredentials.js:344:9:344:43 | secretKey |
+| HardcodedCredentials.js:360:33:360:41 | secretKey | HardcodedCredentials.js:360:21:360:52 | Buffer. ... ase64") |
+| HardcodedCredentials.js:360:33:360:41 | secretKey | HardcodedCredentials.js:360:21:360:52 | Buffer. ... ase64") |
+| HardcodedCredentials.js:375:9:375:43 | secretKey | HardcodedCredentials.js:378:24:378:32 | secretKey |
+| HardcodedCredentials.js:375:9:375:43 | secretKey | HardcodedCredentials.js:378:24:378:32 | secretKey |
+| HardcodedCredentials.js:375:9:375:43 | secretKey | HardcodedCredentials.js:385:31:385:39 | secretKey |
+| HardcodedCredentials.js:375:9:375:43 | secretKey | HardcodedCredentials.js:385:31:385:39 | secretKey |
+| HardcodedCredentials.js:375:21:375:43 | "myHard ... ateKey" | HardcodedCredentials.js:375:9:375:43 | secretKey |
+| HardcodedCredentials.js:375:21:375:43 | "myHard ... ateKey" | HardcodedCredentials.js:375:9:375:43 | secretKey |
+| HardcodedCredentials.js:396:9:396:43 | secretKey | HardcodedCredentials.js:399:17:399:25 | secretKey |
+| HardcodedCredentials.js:396:9:396:43 | secretKey | HardcodedCredentials.js:399:17:399:25 | secretKey |
+| HardcodedCredentials.js:396:21:396:43 | "myHard ... ateKey" | HardcodedCredentials.js:396:9:396:43 | secretKey |
+| HardcodedCredentials.js:396:21:396:43 | "myHard ... ateKey" | HardcodedCredentials.js:396:9:396:43 | secretKey |
+| HardcodedCredentials.js:414:9:414:43 | secretKey | HardcodedCredentials.js:416:27:416:35 | secretKey |
+| HardcodedCredentials.js:414:9:414:43 | secretKey | HardcodedCredentials.js:416:27:416:35 | secretKey |
+| HardcodedCredentials.js:414:21:414:43 | "myHard ... ateKey" | HardcodedCredentials.js:414:9:414:43 | secretKey |
+| HardcodedCredentials.js:414:21:414:43 | "myHard ... ateKey" | HardcodedCredentials.js:414:9:414:43 | secretKey |
+| __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' |
+| __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' |
 #select
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
 | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | password |
@@ -477,7 +587,20 @@ edges
 | HardcodedCredentials.js:214:18:214:25 | 'sdsdag' | HardcodedCredentials.js:214:18:214:25 | 'sdsdag' | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | authorization header |
 | HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | authorization header |
 | HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') | authorization header |
-| HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:246:42:246:51 | privateKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:246:42:246:51 | privateKey | key |
+| HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:246:42:246:51 | privateKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:246:42:246:51 | privateKey | jwt key |
+| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" | HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" | HardcodedCredentials.js:249:23:249:31 | publicKey | The hard-coded value "myHardCodedPublicKey" is used as $@. | HardcodedCredentials.js:249:23:249:31 | publicKey | jwt key |
 | HardcodedCredentials.js:292:37:292:57 | `Basic  ... sdsdag` | HardcodedCredentials.js:292:37:292:57 | `Basic  ... sdsdag` | HardcodedCredentials.js:292:37:292:57 | `Basic  ... sdsdag` | The hard-coded value "Basic sdsdag:sdsdag" is used as $@. | HardcodedCredentials.js:292:37:292:57 | `Basic  ... sdsdag` | authorization header |
 | HardcodedCredentials.js:294:37:294:70 | `Basic  ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic  ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic  ... gbbbbb` | The hard-coded value "Basic sdsdag:aaaiuogrweuibgbbbbb" is used as $@. | HardcodedCredentials.js:294:37:294:70 | `Basic  ... gbbbbb` | authorization header |
 | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | The hard-coded value "iubfewiaaweiybgaeuybgera" is used as $@. | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | key |
+| HardcodedCredentials.js:308:22:308:44 | "myHard ... ateKey" | HardcodedCredentials.js:308:22:308:44 | "myHard ... ateKey" | HardcodedCredentials.js:309:34:309:43 | privateKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:309:34:309:43 | privateKey | jwt key |
+| HardcodedCredentials.js:316:22:316:44 | "myHard ... ateKey" | HardcodedCredentials.js:316:22:316:44 | "myHard ... ateKey" | HardcodedCredentials.js:317:27:317:62 | new Tex ... ateKey) | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:317:27:317:62 | new Tex ... ateKey) | jwt key |
+| HardcodedCredentials.js:319:18:321:29 | `-----B ... Y-----` | HardcodedCredentials.js:319:18:321:29 | `-----B ... Y-----` | HardcodedCredentials.js:323:27:323:35 | publicKey | The hard-coded value "-----BEGIN PUBLIC KEY-----\n    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwhYOFK2Ocbbpb/zVypi9...\n    -----END PUBLIC KEY-----" is used as $@. | HardcodedCredentials.js:323:27:323:35 | publicKey | jwt key |
+| HardcodedCredentials.js:328:12:328:55 | 'whYOFK ... -6f...' | HardcodedCredentials.js:328:12:328:55 | 'whYOFK ... -6f...' | HardcodedCredentials.js:335:31:335:39 | publicKey | The hard-coded value "whYOFK2Ocbbpb_zVypi9SeKiNUqKQH0zTKN1-6f..." is used as $@. | HardcodedCredentials.js:335:31:335:39 | publicKey | jwt key |
+| HardcodedCredentials.js:344:21:344:43 | "myHard ... ateKey" | HardcodedCredentials.js:344:21:344:43 | "myHard ... ateKey" | HardcodedCredentials.js:349:21:349:29 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:349:21:349:29 | secretKey | jwt key |
+| HardcodedCredentials.js:344:21:344:43 | "myHard ... ateKey" | HardcodedCredentials.js:344:21:344:43 | "myHard ... ateKey" | HardcodedCredentials.js:360:21:360:52 | Buffer. ... ase64") | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:360:21:360:52 | Buffer. ... ase64") | jwt key |
+| HardcodedCredentials.js:375:21:375:43 | "myHard ... ateKey" | HardcodedCredentials.js:375:21:375:43 | "myHard ... ateKey" | HardcodedCredentials.js:378:24:378:32 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:378:24:378:32 | secretKey | jwt key |
+| HardcodedCredentials.js:375:21:375:43 | "myHard ... ateKey" | HardcodedCredentials.js:375:21:375:43 | "myHard ... ateKey" | HardcodedCredentials.js:385:31:385:39 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:385:31:385:39 | secretKey | jwt key |
+| HardcodedCredentials.js:396:21:396:43 | "myHard ... ateKey" | HardcodedCredentials.js:396:21:396:43 | "myHard ... ateKey" | HardcodedCredentials.js:399:17:399:25 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:399:17:399:25 | secretKey | jwt key |
+| HardcodedCredentials.js:414:21:414:43 | "myHard ... ateKey" | HardcodedCredentials.js:414:21:414:43 | "myHard ... ateKey" | HardcodedCredentials.js:416:27:416:35 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:416:27:416:35 | secretKey | jwt key |
+| __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | user name |
+| __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | password |

javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js

@@ -301,3 +301,117 @@
     require('crypto').createHmac('sha256', 'MyPassword'); // OK
     require('crypto').createHmac('sha256', 'iubfewiaaweiybgaeuybgera'); // NOT OK
 })();
+
+(function () {
+    const jwt_simple = require("jwt-simple");
+
+    var privateKey = "myHardCodedPrivateKey";
+    jwt_simple.decode(UserToken, privateKey); // NOT OK
+})();
+
+
+(async function () {
+    const jose = require("jose");
+
+    var privateKey = "myHardCodedPrivateKey";
+    jose.jwtVerify(token, new TextEncoder().encode(privateKey)) // NOT OK
+
+    const spki = `-----BEGIN PUBLIC KEY-----
+    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwhYOFK2Ocbbpb/zVypi9...
+    -----END PUBLIC KEY-----`
+    let publicKey = await jose.importSPKI(spki, 'RS256')
+    jose.jwtVerify(token, publicKey) // NOT OK
+
+    const alg = 'RS256'
+    const jwk = {
+        kty: 'RSA',
+        n: 'whYOFK2Ocbbpb_zVypi9SeKiNUqKQH0zTKN1-6f...',
+        e: 'AQAB',
+    }
+    publicKey = await jose.importJWK(jwk, alg)
+    const jwt =
+        'eyJhbGciOiJSUzI1NiJ9.eyJ1cm46ZXhhbXBsZTpjbGFpbSI6dHJ1ZSwiaWF0IjoxNjY5MDU2NDg4LCJpc3MiOiJ1cm46ZXhhbXBsZTppc3N1ZXIiLCJhdWQiOiJ1cm46ZXhhbXBsZTphdWRpZW5jZSJ9.gXrPZ3yM_60dMXGE69dusbpzYASNA-XIOwsb5D5xYnSxyj6_D6OR_uR_1vqhUm4AxZxcrH1_-XJAve9HCw8az_QzHcN-nETt-v6stCsYrn6Bv1YOc-mSJRZ8ll57KVqLbCIbjKwerNX5r2_Qg2TwmJzQdRs-AQDhy-s_DlJd8ql6wR4n-kDZpar-pwIvz4fFIN0Fj57SXpAbLrV6Eo4Byzl0xFD8qEYEpBwjrMMfxCZXTlAVhAq6KCoGlDTwWuExps342-0UErEtyIqDnDGcrfNWiUsoo8j-29IpKd-w9-C388u-ChCxoHz--H8WmMSZzx3zTXsZ5lXLZ9IKfanDKg'
+
+    await jose.jwtVerify(jwt, publicKey, { // NOT OK
+        issuer: 'urn:example:issuer',
+        audience: 'urn:example:audience',
+    })
+})();
+
+(function () {
+    const expressjwt = require("express-jwt");
+
+    var secretKey = "myHardCodedPrivateKey";
+
+    app.get(
+        "/protected",
+        expressjwt.expressjwt({
+            secret: secretKey, algorithms: ["HS256"] // NOT OK
+        }),
+        function (req, res) {
+            if (!req.auth.admin) return res.sendStatus(401);
+            res.sendStatus(200);
+        }
+    );
+
+    app.get(
+        "/protected",
+        expressjwt.expressjwt({
+            secret: Buffer.from(secretKey, "base64"), // NOT OK
+            algorithms: ["RS256"],
+        }),
+        function (req, res) {
+            if (!req.auth.admin) return res.sendStatus(401);
+            res.sendStatus(200);
+        }
+    );
+
+})();
+
+(function () {
+    const JwtStrategy = require('passport-jwt').Strategy;
+    const passport = require('passport')
+
+    var secretKey = "myHardCodedPrivateKey";
+
+    const opts = {}
+    opts.secretOrKey = secretKey; // NOT OK
+    passport.use(new JwtStrategy(opts, function (jwt_payload, done) {
+        return done(null, false);
+    }));
+
+    passport.use(new JwtStrategy({
+        secretOrKeyProvider: function (request, rawJwtToken, done) {
+            return done(null, secretKey) // NOT OK
+        }
+    }, function (jwt_payload, done) {
+        return done(null, false);
+    }));
+})();
+
+(function () {
+    import NextAuth from "next-auth"
+    import AppleProvider from "next-auth/providers/apple"
+
+    var secretKey = "myHardCodedPrivateKey";
+
+    NextAuth({
+        secret: secretKey, // NOT OK
+        providers: [
+            AppleProvider({
+                clientId: process.env.APPLE_ID,
+                clientSecret: process.env.APPLE_SECRET,
+            }),
+        ],
+    })
+})();
+
+(function () {
+    const Koa = require('koa');
+    const jwt = require('koa-jwt');
+    const app = new Koa();
+
+    var secretKey = "myHardCodedPrivateKey";
+
+    app.use(jwt({ secret: secretKey })); // NOT OK
+})();

javascript/ql/test/query-tests/Security/CWE-798/__tests__/HardcodedCredentialsDemo.js

@@ -0,0 +1,33 @@
+(function () {
+    const pg = require('pg');
+
+    const client = new pg.Client({
+        user: 'dbuser',  // OK
+        host: 'database.server.com',
+        database: 'mydb',
+        password: 'hgfedcba',  // OK
+        port: 3211,
+    });
+    client.connect();
+})();
+
+(function () {
+    const JwtStrategy = require('passport-jwt').Strategy;
+    const passport = require('passport')
+
+    var secretKey = "myHardCodedPrivateKey";
+
+    const opts = {}
+    opts.secretOrKey = secretKey; // NOT OK
+    passport.use(new JwtStrategy(opts, function (jwt_payload, done) {
+        return done(null, false);
+    }));
+
+    passport.use(new JwtStrategy({
+        secretOrKeyProvider: function (request, rawJwtToken, done) {
+            return done(null, secretKey) // NOT OK
+        }
+    }, function (jwt_payload, done) {
+        return done(null, false);
+    }));
+})();