JS: Port experimental jwtDecodeWithoutVerification to ConfigSig

Asger F
2024-11-28 11:31:51 +01:00
parent 7e162f5451
commit 72e522631d
2 changed files with 63 additions and 168 deletions


@@ -11,30 +11,29 @@
*/
import javascript
import DataFlow::PathGraph
import JWT
class ConfigurationUnverifiedDecode extends TaintTracking::Configuration {
ConfigurationUnverifiedDecode() { this = "jsonwebtoken without any signature verification" }
module UnverifiedDecodeConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { sink = unverifiedDecode() }
predicate isSink(DataFlow::Node sink) { sink = unverifiedDecode() }
}
class ConfigurationVerifiedDecode extends TaintTracking::Configuration {
ConfigurationVerifiedDecode() { this = "jsonwebtoken with signature verification" }
module UnverifiedDecodeFlow = TaintTracking::Global<UnverifiedDecodeConfig>;
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
module VerifiedDecodeConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
override predicate isSink(DataFlow::Node sink) { sink = verifiedDecode() }
predicate isSink(DataFlow::Node sink) { sink = verifiedDecode() }
}
from ConfigurationUnverifiedDecode cfg, DataFlow::PathNode source, DataFlow::PathNode sink
module VerifiedDecodeFlow = TaintTracking::Global<VerifiedDecodeConfig>;
import UnverifiedDecodeFlow::PathGraph
from UnverifiedDecodeFlow::PathNode source, UnverifiedDecodeFlow::PathNode sink
where
cfg.hasFlowPath(source, sink) and
not exists(ConfigurationVerifiedDecode cfg2 |
cfg2.hasFlowPath(any(DataFlow::PathNode p | p.getNode() = source.getNode()), _)
)
UnverifiedDecodeFlow::flowPath(source, sink) and
not VerifiedDecodeFlow::flow(source.getNode(), _)
select source.getNode(), source, sink, "Decoding JWT $@.", sink.getNode(),
"without signature verification"
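Review bot: The suppression clause `not VerifiedDecodeFlow::flow(source.getNode(), _)` in the `where` is keyed on the source node alone, so once a source reaches any verified decode anywhere, every unverified-decode path from that same source is dropped, including one on a branch where the verifying call never runs. The old `cfg2.hasFlowPath(...)` form appears to have behaved the same way, but the new modules carry no documentation of this trade-off; I would add a QLDoc comment above `VerifiedDecodeConfig`, for example `/** Flow from a source to a verifying decode; used only to suppress results whose source is also verified somewhere. */`, and a matching one-line comment above `UnverifiedDecodeConfig`. Separately, replacing `RemoteFlowSource` with `ActiveThreatModelSource` in both `isSource` predicates makes the result set depend on the enabled threat models, which is worth stating in the query's header comment (it ends above this hunk, so I cannot see whether it already does).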