move jose SharedTaintStep to a local taint step, add more additional steps with test cases, update test cases and expected test results

2026-04-22 15:25:18 +02:00 · 2024-07-01 11:38:17 +02:00
parent 5a69bbf6b0
commit 65fdb8ccce
4 changed files with 121 additions and 87 deletions
--- a/javascript/ql/lib/semmle/javascript/frameworks/JWT.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/JWT.qll
@@ -56,18 +56,6 @@ private module JsonWebToken {
 * Provides classes and predicates modeling the `jose` library.
 */
 private module Jose {
-  /**
-   * A taint-step for `succ = await jose.importSPKI(pred, 'RS256')`.
-   */
-  private class ImportSpkiStep extends TaintTracking::SharedTaintStep, DataFlow::SharedFlowStep {
-    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-      exists(API::Node n | n = API::moduleImport("jose").getMember("importSPKI") |
-        pred = n.getACall().getArgument(0) and
-        succ = n.getReturn().getPromised().asSource()
-      )
-    }
-  }
-
  /**
   * A taint-step for `succ = jose.base64url.encode(pred)` or `succ = jose.base64url.decode(pred)`.
   */
@@ -83,10 +71,12 @@ private module Jose {
  }

  /**
-   * The asymmetric key or symmetric secret for a JWT as a `CredentialsNode`.
+   * The asymmetric key or symmetric secret for verifying a JWT as a `CredentialsNode`.
   */
-  private class JwtKey extends CredentialsNode {
-    JwtKey() { this = API::moduleImport("jose").getMember("jwtVerify").getParameter(1).asSink() }
+  private class JwtVerifyKey extends CredentialsNode {
+    JwtVerifyKey() {
+      this = API::moduleImport("jose").getMember("jwtVerify").getParameter(1).asSink()
+    }

    override string getCredentialsKind() { result = "key" }
  }
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsQuery.qll
@@ -35,5 +35,24 @@ class Configuration extends DataFlow::Configuration {
      trg = bufferFrom and
      src = bufferFrom.getArgument(0)
    )
+    or
+    exists(API::Node n |
+      n = API::moduleImport("jose").getMember(["importSPKI", "importPKCS8", "importX509"])
+    |
+      src = n.getACall().getArgument(0) and
+      trg = n.getReturn().getPromised().asSource()
+    )
+    or
+    exists(API::Node n |
+      n = API::moduleImport("jose").getMember(["importSPKI", "importPKCS8", "importX509"])
+    |
+      src = n.getACall().getArgument(0) and
+      trg = n.getReturn().getPromised().asSource()
+    )
+    or
+    exists(API::Node n | n = API::moduleImport("jose").getMember("importJWK") |
+      src = n.getParameter(0).getMember(["x", "y", "n"]).asSink() and
+      trg = n.getReturn().getPromised().asSource()
+    )
  }
 }