Try to finish the PR

- Add help documentation
- Empty qll file
- rename examples
toufik-airane
2020-06-22 13:26:13 +02:00
parent 7166d5422e
commit 4853b8a281
3 changed files with 41 additions and 3 deletions

@@ -0,0 +1,39 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>The featured CodeQL query warns using of none algorithm in verify() functions imported from jsonwebtoken package developed by the auth0 organization.</p>
<p>Backend JavaScript applications handling JWT could be affected by the none algorithm misconfiguration due to misusing verify() functions imported by jsonwebtoken package.
Providing an empty string or a false value, instead of a secret or a key, enable the none algorithm to decode JWT payloads without signature verification.
Misconfigured backend JavaScript on a production environment could be impacted by exploitation violating the integration of a JWT.</p>
</overview>
<recommendation>
<p>
verify() functions should use a secret or a key to decode JWT payloads.
</p>
<p>
Use a a secret or a key to decode JWT payloads.
</p>
<p>
</p>
</recommendation>
<example>
<p>The example starts with a secret signing an object using the HS256 algorithm.
In the second case an empty string is provided, then an undefined value, and finally a false value.
These three misconfigued verify() functions is detected to be potentially a cybersecurity vulnerability.
</p>
<sample src="examples/JWTMissingSecretOrPublicKeyVerification.js" />
</example>
<references>
<li>Auth0 Blog: <a href="https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/#Meet-the--None--Algorithm">Meet the "None" Algorithm</a>.</li>
</references>
</qhelp>
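Review bot: The qhelp prose needs a copy-edit before this merges: `misconfigued` in the example paragraph should be `misconfigured`, `Use a a secret or a key` has a doubled article, `violating the integration of a JWT` in the overview should read `integrity`, and `These three misconfigued verify() functions is detected` has a subject/verb mismatch. The overview's opening sentence (`warns using of none algorithm in verify() functions`) is also ungrammatical; something like `flags uses of the "none" algorithm in verify() calls from the jsonwebtoken package` would read cleanly. In `<recommendation>`, the two `<p>` blocks say the same thing and a third `<p>` is empty; keep one sentence, e.g. `Always pass a non-empty secret or public key to verify() and restrict the accepted algorithms to the one used for signing.`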

@@ -1,10 +1,10 @@
const jwt = require("jsonwebtoken");
const secret = "buybtc";
// #1
var token = jwt.sign({ foo: 'bar' }, secret, { algorithm: "HS256" }) // alg:HS256
jwt.verify(token, secret, { algorithms: ["HS256", "none"] }) // pass
// #2
var token = jwt.sign({ foo: 'bar' }, secret, { algorithm: "none" }) // alg:none (unsafe)
jwt.verify(token, "", { algorithms: ["HS256", "none"] }) // detected
jwt.verify(token, undefined, { algorithms: ["HS256", "none"] }) // detected
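Review bot: The `// #1` case, which the qhelp presents as the correct usage, still passes `algorithms: ["HS256", "none"]` to `verify()`; since the recommendation is to never accept `none`, the safe example should use `algorithms: ["HS256"]` so readers do not copy a permissive allow-list into their own code. `var token` is also declared twice in the same scope; distinct `const` names (say `signedToken` and `unsignedToken`) would keep the two cases from being confused and would survive a `const`/strict lint pass. The hunk header announces 10 lines but only 9 are visible on this page, so the `false` case that the qhelp paragraph describes should be confirmed present in the committed file.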