add test file for CWE-347

Add a test file for CWE-347.
Signing and verifying with HS256 is safe; the `none` algorithm (unsigned tokens) is unsafe.
toufik-airane
2020-06-20 17:10:35 +02:00
parent 8a2a33459a
commit 7166d5422e


@@ -0,0 +1,11 @@
const jwt = require("jsonwebtoken");
const secret = "buybtc";
var token = jwt.sign({ foo: 'bar' }, secret, { algorithm: "HS256" }) // alg:HS256
jwt.verify(token, secret, { algorithms: ["HS256", "none"] }) // pass
var token = jwt.sign({ foo: 'bar' }, secret, { algorithm: "none" }) // alg:none (unsafe)
jwt.verify(token, "", { algorithms: ["HS256", "none"] }) // detected
jwt.verify(token, undefined, { algorithms: ["HS256", "none"] }) // detected
jwt.verify(token, false, { algorithms: ["HS256", "none"] }) // detected
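Review bot: The case marked `// pass` on the first verify call still lists `"none"` in the `algorithms` allow-list, which is itself the CWE-347 misconfiguration this file is meant to exercise: whether an attacker-forged `alg: none` token is rejected there depends on the jsonwebtoken version's own signature-required check rather than on the caller's configuration, so a scanner that flags `"none"` in `algorithms` would reasonably report that line too. The safe case should pin the expected algorithm only, `jwt.verify(token, secret, { algorithms: ["HS256"] }) // pass`, and if a case with `"none"` in the allow-list and a real secret is wanted it should be marked `// detected` rather than `// pass`. The two `var token` declarations shadow each other; `const hs256Token` and `const noneToken` would keep the two scenarios independent and readable. The hunk header announces 11 added lines but only 8 are rendered, so the end of the file may be missing from this view.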