From 4853b8a281e18c0e7ae3585b18df7ff1eb284c19 Mon Sep 17 00:00:00 2001
From: toufik-airane
Date: Mon, 22 Jun 2020 13:26:13 +0200
Subject: [PATCH] Try to finish the PR - Add help documentation - Empty qll file - rename examples
---
 ...TMissingSecretOrPublicKeyVerification.help | 39 +++++++++++++++++++
 ...WTMissingSecretOrPublicKeyVerification.qll | 1 -
 ...WTMissingSecretOrPublicKeyVerification.js} | 4 +-
 3 files changed, 41 insertions(+), 3 deletions(-)
 rename javascript/ql/src/experimental/Security/CWE-347/examples/{index.js => JWTMissingSecretOrPublicKeyVerification.js} (96%)
diff --git a/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.help b/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.help
index e69de29bb2d..0a2d9e81f96 100644
--- a/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.help
+++ b/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.help
@@ -0,0 +1,39 @@
+
+
+
+
+
+

The featured CodeQL query warns using of none algorithm in verify() functions imported from jsonwebtoken package developed by the auth0 organization.

+ +

Backend JavaScript applications handling JWT could be affected by the none algorithm misconfiguration due to misusing verify() functions imported by jsonwebtoken package. +Providing an empty string or a false value, instead of a secret or a key, enable the none algorithm to decode JWT payloads without signature verification. +Misconfigured backend JavaScript on a production environment could be impacted by exploitation violating the integration of a JWT.

+
+ + +

+verify() functions should use a secret or a key to decode JWT payloads. +

+

+Use a a secret or a key to decode JWT payloads. +

+

+

+ +
+ + +

The example starts with a secret signing an object using the HS256 algorithm. +In the second case an empty string is provided, then an undefined value, and finally a false value. +These three misconfigued verify() functions is detected to be potentially a cybersecurity vulnerability. +

+ + +
+ + +
  • Auth0 Blog: Meet the "None" Algorithm.
  • +
    +
    \ No newline at end of file
diff --git a/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.qll b/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.qll
index 8b137891791..e69de29bb2d 100644
--- a/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.qll
+++ b/javascript/ql/src/experimental/Security/CWE-347/JWTMissingSecretOrPublicKeyVerification.qll
@@ -1 +0,0 @@
-
diff --git a/javascript/ql/src/experimental/Security/CWE-347/examples/index.js b/javascript/ql/src/experimental/Security/CWE-347/examples/JWTMissingSecretOrPublicKeyVerification.js
similarity index 96%
rename from javascript/ql/src/experimental/Security/CWE-347/examples/index.js
rename to javascript/ql/src/experimental/Security/CWE-347/examples/JWTMissingSecretOrPublicKeyVerification.js
index 9e0cc25b50f..02e93f83fa1 100644
--- a/javascript/ql/src/experimental/Security/CWE-347/examples/index.js
+++ b/javascript/ql/src/experimental/Security/CWE-347/examples/JWTMissingSecretOrPublicKeyVerification.js
@@ -1,10 +1,10 @@
 const jwt = require("jsonwebtoken");
 const secret = "buybtc";
-
+// #1
 var token = jwt.sign({ foo: 'bar' }, secret, { algorithm: "HS256" }) // alg:HS256
 jwt.verify(token, secret, { algorithms: ["HS256", "none"] }) // pass
-
+// #2
 var token = jwt.sign({ foo: 'bar' }, secret, { algorithm: "none" }) // alg:none (unsafe)
 jwt.verify(token, "", { algorithms: ["HS256", "none"] }) // detected
 jwt.verify(token, undefined, { algorithms: ["HS256", "none"] }) // detected