add a temporary Query file to demonstrate unsuccessful usage of two DataFlow configs

2026-04-25 16:55:19 +02:00 · 2023-11-22 08:30:59 +01:00
parent 0652afced3
commit 5cc4206e00
3 changed files with 127 additions and 0 deletions
--- a/javascript/ql/src/Security/CWE-347-noVerification/JsonWebTokenNotWorking.ql
+++ b/javascript/ql/src/Security/CWE-347-noVerification/JsonWebTokenNotWorking.ql
@@ -0,0 +1,66 @@
+/**
+ * @name This query is for seeing if we can have two taint config within on query file
+ * @description The application does not verify the JWT payload with a cryptographic secret or public key.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 8.0
+ * @precision high
+ * @id js/jwt-missing-verification-jsonwebtoken
+ * @tags security
+ *       external/cwe/cwe-347
+ */
+
+import javascript
+import DataFlow::PathGraph
+
+DataFlow::Node unverifiedDecode() {
+  result = API::moduleImport("jsonwebtoken").getMember("decode").getParameter(0).asSink()
+  or
+  exists(API::Node verify | verify = API::moduleImport("jsonwebtoken").getMember("verify") |
+    verify
+        .getParameter(2)
+        .getMember("algorithms")
+        .getUnknownMember()
+        .asSink()
+        .mayHaveStringValue("none") and
+    result = verify.getParameter(0).asSink()
+  )
+}
+
+DataFlow::Node verifiedDecode() {
+  exists(API::Node verify | verify = API::moduleImport("jsonwebtoken").getMember("verify") |
+    (
+      not verify
+          .getParameter(2)
+          .getMember("algorithms")
+          .getUnknownMember()
+          .asSink()
+          .mayHaveStringValue("none") or
+      not exists(verify.getParameter(2).getMember("algorithms"))
+    ) and
+    result = verify.getParameter(0).asSink()
+  )
+}
+
+class ConfigurationUnverifiedDecode extends TaintTracking::Configuration {
+  ConfigurationUnverifiedDecode() { this = "jsonwebtoken without any signature verification" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink = unverifiedDecode() }
+}
+
+class ConfigurationVerifiedDecode extends TaintTracking::Configuration {
+  ConfigurationVerifiedDecode() { this = "jsonwebtoken with signature verification" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink = verifiedDecode() }
+}
+
+from ConfigurationUnverifiedDecode cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where
+  cfg.hasFlowPath(source, sink) and
+  not exists(ConfigurationVerifiedDecode cfg2 | cfg2.hasFlowPath(source, _))
+select source.getNode(), source, sink, "Decoding JWT $@.", sink.getNode(),
+  "without signature verification"
--- a/javascript/ql/test/query-tests/Security/CWE-347-noVerification/JsonWebTokenNotWorking.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-347-noVerification/JsonWebTokenNotWorking.expected
@@ -0,0 +1,60 @@
+nodes
+| JsonWebToken.js:13:11:13:47 | UserToken |
+| JsonWebToken.js:13:23:13:47 | req.hea ... ization |
+| JsonWebToken.js:13:23:13:47 | req.hea ... ization |
+| JsonWebToken.js:16:28:16:36 | UserToken |
+| JsonWebToken.js:16:28:16:36 | UserToken |
+| JsonWebToken.js:20:11:20:47 | UserToken |
+| JsonWebToken.js:20:23:20:47 | req.hea ... ization |
+| JsonWebToken.js:20:23:20:47 | req.hea ... ization |
+| JsonWebToken.js:23:28:23:36 | UserToken |
+| JsonWebToken.js:23:28:23:36 | UserToken |
+| JsonWebToken.js:24:28:24:36 | UserToken |
+| JsonWebToken.js:24:28:24:36 | UserToken |
+| JsonWebToken.js:28:11:28:47 | UserToken |
+| JsonWebToken.js:28:23:28:47 | req.hea ... ization |
+| JsonWebToken.js:28:23:28:47 | req.hea ... ization |
+| JsonWebToken.js:31:28:31:36 | UserToken |
+| JsonWebToken.js:31:28:31:36 | UserToken |
+| JsonWebToken.js:35:11:35:47 | UserToken |
+| JsonWebToken.js:35:23:35:47 | req.hea ... ization |
+| JsonWebToken.js:35:23:35:47 | req.hea ... ization |
+| JsonWebToken.js:38:28:38:36 | UserToken |
+| JsonWebToken.js:38:28:38:36 | UserToken |
+| JsonWebToken.js:39:28:39:36 | UserToken |
+| JsonWebToken.js:39:28:39:36 | UserToken |
+| JsonWebToken.js:43:11:43:47 | UserToken |
+| JsonWebToken.js:43:23:43:47 | req.hea ... ization |
+| JsonWebToken.js:43:23:43:47 | req.hea ... ization |
+| JsonWebToken.js:46:28:46:36 | UserToken |
+| JsonWebToken.js:46:28:46:36 | UserToken |
+| JsonWebToken.js:47:28:47:36 | UserToken |
+| JsonWebToken.js:47:28:47:36 | UserToken |
+edges
+| JsonWebToken.js:13:11:13:47 | UserToken | JsonWebToken.js:16:28:16:36 | UserToken |
+| JsonWebToken.js:13:11:13:47 | UserToken | JsonWebToken.js:16:28:16:36 | UserToken |
+| JsonWebToken.js:13:23:13:47 | req.hea ... ization | JsonWebToken.js:13:11:13:47 | UserToken |
+| JsonWebToken.js:13:23:13:47 | req.hea ... ization | JsonWebToken.js:13:11:13:47 | UserToken |
+| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:23:28:23:36 | UserToken |
+| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:23:28:23:36 | UserToken |
+| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:24:28:24:36 | UserToken |
+| JsonWebToken.js:20:11:20:47 | UserToken | JsonWebToken.js:24:28:24:36 | UserToken |
+| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:11:20:47 | UserToken |
+| JsonWebToken.js:20:23:20:47 | req.hea ... ization | JsonWebToken.js:20:11:20:47 | UserToken |
+| JsonWebToken.js:28:11:28:47 | UserToken | JsonWebToken.js:31:28:31:36 | UserToken |
+| JsonWebToken.js:28:11:28:47 | UserToken | JsonWebToken.js:31:28:31:36 | UserToken |
+| JsonWebToken.js:28:23:28:47 | req.hea ... ization | JsonWebToken.js:28:11:28:47 | UserToken |
+| JsonWebToken.js:28:23:28:47 | req.hea ... ization | JsonWebToken.js:28:11:28:47 | UserToken |
+| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:38:28:38:36 | UserToken |
+| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:38:28:38:36 | UserToken |
+| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:39:28:39:36 | UserToken |
+| JsonWebToken.js:35:11:35:47 | UserToken | JsonWebToken.js:39:28:39:36 | UserToken |
+| JsonWebToken.js:35:23:35:47 | req.hea ... ization | JsonWebToken.js:35:11:35:47 | UserToken |
+| JsonWebToken.js:35:23:35:47 | req.hea ... ization | JsonWebToken.js:35:11:35:47 | UserToken |
+| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:46:28:46:36 | UserToken |
+| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:46:28:46:36 | UserToken |
+| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:47:28:47:36 | UserToken |
+| JsonWebToken.js:43:11:43:47 | UserToken | JsonWebToken.js:47:28:47:36 | UserToken |
+| JsonWebToken.js:43:23:43:47 | req.hea ... ization | JsonWebToken.js:43:11:43:47 | UserToken |
+| JsonWebToken.js:43:23:43:47 | req.hea ... ization | JsonWebToken.js:43:11:43:47 | UserToken |
+#select
--- a/javascript/ql/test/query-tests/Security/CWE-347-noVerification/JsonWebTokenNotWorking.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-347-noVerification/JsonWebTokenNotWorking.qlref
@@ -0,0 +1 @@
+Security/CWE-347-noVerification/JsonWebTokenNotWorking.ql
				`@@ -0,0 +1 @@`
				`Security/CWE-347-noVerification/JsonWebTokenNotWorking.ql`