remove noverification query

javascript/ql/src/Security/CWE-321-noVerification/Example.js

@@ -1,45 +0,0 @@
-const express = require('express')
-const app = express()
-const jwtJsonwebtoken = require('jsonwebtoken');
-const {getSecret} = require('./Config.js');
-const jwt_decode = require('jwt-decode');
-const jwt_simple = require('jwt-simple');
-const jose = require('jose')
-const port = 3000
-
-async function startSymmetric(token) {
-    const {payload, protectedHeader} = await jose.jwtVerify(token, new TextEncoder().encode(getSecret()))
-    return {
-        payload, protectedHeader
-    }
-}
-
-app.get('/', (req, res) => {
-    const UserToken = req.headers.authorization;
-    // BAD: no verification
-    jwtJsonwebtoken.decode(UserToken)
-    // GOOD: use verify alone or use as a check,
-    // sometimes it seems some coders use both for same token
-    const UserToken2 = req.headers.authorization;
-    jwtJsonwebtoken.decode(UserToken2)
-    jwtJsonwebtoken.verify(UserToken2, getSecret())
-    // jwt-decode
-    // BAD: no verification
-    jwt_decode(UserToken)
-    // jose
-    // BAD: no verification
-    jose.decodeJwt(UserToken)
-    // GOOD
-    startSymmetric(UserToken).then(result => console.log(result))
-    // jwt-simple
-    // no verification
-    jwt_simple.decode(UserToken, getSecret(), true);
-    // GOOD
-    jwt_simple.decode(UserToken, getSecret(), false);
-    jwt_simple.decode(UserToken, getSecret());
-    res.send('Hello World!')
-})
-
-app.listen(port, () => {
-    console.log(`Example app listening on port ${port}`)
-})

javascript/ql/src/Security/CWE-321-noVerification/jwtNoVerification.qhelp

@@ -1,34 +0,0 @@
-<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
-<qhelp>
-     <overview>
-          <p>
-               A JSON Web Token (JWT) is used for authenticating and managing users in an application.
-          </p>
-          <p>
-               Only Decoding JWTs without checking if they have a valid signature or not can lead to security vulnerabilities.
-          </p>
-
-     </overview>
-     <recommendation>
-
-          <p>
-               Don't use methods that only decode JWT, Instead use methods that verify the signature of JWT.
-          </p>
-
-     </recommendation>
-     <example>
-
-          <p>
-               The following code you can see an Example from a popular Library.
-          </p>
-
-          <sample src="Example.js" />
-
-     </example>
-     <references>
-          <li>
-               <a href="https://www.ghostccamm.com/blog/multi_strapi_vulns/#cve-2023-22893-authentication-bypass-for-aws-cognito-login-provider-in-strapi-versions-456">JWT claim had not been verified</a>
-          </li>
-     </references>
-
-</qhelp>

javascript/ql/src/Security/CWE-321-noVerification/jwtNoVerification.ql

@@ -1,27 +0,0 @@
-/**
- * @name JWT missing secret or public key verification
- * @description The application does not verify the JWT payload with a cryptographic secret or public key.
- * @kind problem
- * @problem.severity warning
- * @security-severity 7.0
- * @precision high
- * @id js/jwt-missing-verification
- * @tags security
- *       external/cwe/cwe-347
- */
-
-import javascript
-
-from DataFlow::Node sink
-where
-  sink = API::moduleImport("jsonwebtoken").getMember("decode").getParameter(0).asSink()
-  or
-  sink = API::moduleImport("jwt-decode").getParameter(0).asSink()
-  or
-  sink = API::moduleImport("jose").getMember("decodeJwt").getParameter(0).asSink()
-  or
-  exists(API::Node n | n = API::moduleImport("jwt-simple").getMember("decode") |
-    n.getParameter(2).asSink().asExpr() = any(BoolLiteral b | b.getBoolValue() = true) and
-    sink = n.getParameter(0).asSink()
-  )
-select sink, "This Token is Decoded in without signature validatoin"

javascript/ql/src/Security/CWE-347-HardCodedKey/jwtConstantKey.ql

@@ -7,7 +7,7 @@
  * @id javascript/jwt-hardcoded-key
  * @tags security
  *       experimental
- *       external/cwe/CWE-321
+ *       external/cwe/CWE-347
  */
 
 import javascript

javascript/ql/test/query-tests/Security/CWE-321-HardCodedKey/jwtConstantKey.qlref

@@ -1 +0,0 @@
-Security/CWE-321-HardCodedKey/jwtConstantKey.ql

javascript/ql/test/query-tests/Security/CWE-321-HardCodedKey/jwtNoVerification.js

@@ -1,19 +0,0 @@
-// jsonwebtoken
-const jwtJsonwebtoken = require('jsonwebtoken');
-const {getSecret} = require('./Config.js');
-const payloads = {foo: 'bar'}
-const token = jwtJsonwebtoken.sign(payloads, getSecret());
-// BAD: no verification
-jwtJsonwebtoken.decode(token)
-// jwt-decode
-// BAD: no verification
-const jwt_decode = require('jwt-decode');
-jwt_decode(token)
-// jose
-const jose = require('jose')
-// BAD: no verification
-jose.decodeJwt(token)
-// jwt-simple
-const jwt_simple = require('jwt-simple');
-// no verification
-jwt_simple.decode(token, getSecret(), false);

javascript/ql/test/query-tests/Security/CWE-321-noVerification/NoVerification.js

@@ -1,46 +0,0 @@
-const express = require('express')
-const app = express()
-const jwtJsonwebtoken = require('jsonwebtoken');
-const {getSecret} = require('./Config.js');
-const jwt_decode = require('jwt-decode');
-const jwt_simple = require('jwt-simple');
-const jose = require('jose')
-const port = 3000
-
-async function startSymmetric(token) {
-    const {payload, protectedHeader} = await jose.jwtVerify(token, new TextEncoder().encode(getSecret()))
-    return {
-        payload, protectedHeader
-    }
-}
-
-app.get('/', (req, res) => {
-    const UserToken = req.headers.authorization;
-    // BAD: no verification
-    jwtJsonwebtoken.decode(UserToken)
-    jwtJsonwebtoken.verify(UserToken, false, {algorithms: ["HS256", "none"]})
-    // GOOD: use verify alone or use as a check,
-    // sometimes it seems some coders use both for same token
-    const UserToken2 = req.headers.authorization;
-    jwtJsonwebtoken.decode(UserToken2)
-    jwtJsonwebtoken.verify(UserToken2, getSecret())
-    // jwt-decode
-    // BAD: no verification
-    jwt_decode(UserToken)
-    // jose
-    // BAD: no verification
-    jose.decodeJwt(UserToken)
-    // GOOD
-    startSymmetric(UserToken).then(result => console.log(result))
-    // jwt-simple
-    // no verification
-    jwt_simple.decode(UserToken, getSecret(), true);
-    // GOOD
-    jwt_simple.decode(UserToken, getSecret(), false);
-    jwt_simple.decode(UserToken, getSecret());
-    res.send('Hello World!')
-})
-
-app.listen(port, () => {
-    console.log(`Example app listening on port ${port}`)
-})

javascript/ql/test/query-tests/Security/CWE-321-noVerification/jwtNoVerification.expected

@@ -1,5 +0,0 @@
-| NoVerification.js:20:28:20:36 | UserToken | This Token is Decoded in without signature validatoin |
-| NoVerification.js:25:28:25:37 | UserToken2 | This Token is Decoded in without signature validatoin |
-| NoVerification.js:29:16:29:24 | UserToken | This Token is Decoded in without signature validatoin |
-| NoVerification.js:32:20:32:28 | UserToken | This Token is Decoded in without signature validatoin |
-| NoVerification.js:37:23:37:31 | UserToken | This Token is Decoded in without signature validatoin |

javascript/ql/test/query-tests/Security/CWE-321-noVerification/jwtNoVerification.qlref

@@ -1 +0,0 @@
-Security/CWE-321-noVerification/jwtNoVerification.ql

javascript/ql/test/query-tests/Security/CWE-347-HardCodedKey/jwtConstantKey.qlref

@@ -0,0 +1 @@
+Security/CWE-347-HardCodedKey/jwtConstantKey.ql