move jose SharedTaintStep to a local taint step, add more additional steps with test cases, update test cases and expected test results

2026-05-04 05:05:12 +02:00 · 2024-07-01 11:38:17 +02:00
parent 5a69bbf6b0
commit 65fdb8ccce
4 changed files with 121 additions and 87 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
+++ b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
@@ -316,13 +316,26 @@
    var privateKey = "myHardCodedPrivateKey";
    jose.jwtVerify(token, new TextEncoder().encode(privateKey)) // NOT OK

-
    const spki = `-----BEGIN PUBLIC KEY-----
-    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwhYOFK2Ocbbpb/zVypi9
-    ...
+    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwhYOFK2Ocbbpb/zVypi9...
    -----END PUBLIC KEY-----`
-    const publicKey = await jose.importSPKI(spki, 'RS256')
+    let publicKey = await jose.importSPKI(spki, 'RS256')
    jose.jwtVerify(token, publicKey) // NOT OK
+
+    const alg = 'RS256'
+    const jwk = {
+        kty: 'RSA',
+        n: 'whYOFK2Ocbbpb_zVypi9SeKiNUqKQH0zTKN1-6f...',
+        e: 'AQAB',
+    }
+    publicKey = await jose.importJWK(jwk, alg)
+    const jwt =
+        'eyJhbGciOiJSUzI1NiJ9.eyJ1cm46ZXhhbXBsZTpjbGFpbSI6dHJ1ZSwiaWF0IjoxNjY5MDU2NDg4LCJpc3MiOiJ1cm46ZXhhbXBsZTppc3N1ZXIiLCJhdWQiOiJ1cm46ZXhhbXBsZTphdWRpZW5jZSJ9.gXrPZ3yM_60dMXGE69dusbpzYASNA-XIOwsb5D5xYnSxyj6_D6OR_uR_1vqhUm4AxZxcrH1_-XJAve9HCw8az_QzHcN-nETt-v6stCsYrn6Bv1YOc-mSJRZ8ll57KVqLbCIbjKwerNX5r2_Qg2TwmJzQdRs-AQDhy-s_DlJd8ql6wR4n-kDZpar-pwIvz4fFIN0Fj57SXpAbLrV6Eo4Byzl0xFD8qEYEpBwjrMMfxCZXTlAVhAq6KCoGlDTwWuExps342-0UErEtyIqDnDGcrfNWiUsoo8j-29IpKd-w9-C388u-ChCxoHz--H8WmMSZzx3zTXsZ5lXLZ9IKfanDKg'
+
+    await jose.jwtVerify(jwt, publicKey, { // NOT OK
+        issuer: 'urn:example:issuer',
+        audience: 'urn:example:audience',
+    })
 })();

 (function () {