hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 09:45:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

move to new CWE-321 directory, make saparate query files for each JWT pkg, create a path query for jsonwebtoken package which is not work correctly

Browse Source
This commit is contained in:
amammad
2023-11-02 14:13:52 +01:00
parent ee4d87bd96
commit 9da815a5c0
7 changed files with 188 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

84
javascript/ql/test/query-tests/Security/CWE-321-noVerification/NoVerification.js
View File

@@ -1,44 +1,90 @@
const express = require('express')
const app = express()
const jwtJsonwebtoken = require('jsonwebtoken');
const {getSecret} = require('./Config.js');
const { getSecret } = require('./Config.js');
const jwt_decode = require('jwt-decode');
const jwt_simple = require('jwt-simple');
const jose = require('jose')
const port = 3000
async function startSymmetric(token) {
const {payload, protectedHeader} = await jose.jwtVerify(token, new TextEncoder().encode(getSecret()))
const { payload, protectedHeader } = await jose.jwtVerify(token, new TextEncoder().encode(getSecret()))
return {
payload, protectedHeader
}
}
app.get('/', (req, res) => {
app.get('/jose', (req, res) => {
const UserToken = req.headers.authorization;
// BAD: no verification
jwtJsonwebtoken.decode(UserToken)
jwtJsonwebtoken.verify(UserToken, false, {algorithms: ["HS256", "none"]})
// GOOD: use verify alone or use as a check,
// sometimes it seems some coders use both for same token
const UserToken2 = req.headers.authorization;
jwtJsonwebtoken.decode(UserToken2)
jwtJsonwebtoken.verify(UserToken2, getSecret())
// jwt-decode
// BAD: no verification
jwt_decode(UserToken)
// jose
// BAD: no verification
// BAD: no signature verification
jose.decodeJwt(UserToken)
// GOOD
// GOOD: with signature verification
startSymmetric(UserToken).then(result => console.log(result))
})
app.get('/jwtDecode', (req, res) => {
const UserToken = req.headers.authorization;
// jwt-decode
// BAD: no signature verification
jwt_decode(UserToken)
})
app.get('/jwtSimple', (req, res) => {
const UserToken = req.headers.authorization;
// jwt-simple
// no verification
// jwt.decode(token, key, noVerify, algorithm)
// BAD: no signature verification
jwt_simple.decode(UserToken, getSecret(), true);
// GOOD
})
app.get('/jwtSimple2', (req, res) => {
const UserToken = req.headers.authorization;
// jwt-simple
// jwt.decode(token, key, noVerify, algorithm)
// GOOD: with signature verification
jwt_simple.decode(UserToken, getSecret(), false);
jwt_simple.decode(UserToken, getSecret());
res.send('Hello World!')
})
app.get('/jwtSimple3', (req, res) => {
const UserToken = req.headers.authorization;
// jwt-simple
// jwt.decode(token, key, noVerify, algorithm)
// GOOD: first decode without signature verification and then verify the signature later
jwt_simple.decode(UserToken, getSecret(), true);
jwt_simple.decode(UserToken, getSecret());
})
app.get('/jwtJsonwebtoken', (req, res) => {
const UserToken = req.headers.authorization;
// BAD: no signature verification
jwtJsonwebtoken.decode(UserToken)
jwtJsonwebtoken.verify(UserToken, false, { algorithms: ["HS256", "none"] })
})
app.get('/jwtJsonwebtoken2', (req, res) => {
const UserToken = req.headers.authorization;
// GOOD: with signature verification
jwtJsonwebtoken.verify(UserToken, getSecret())
})
app.get('/jwtJsonwebtoken3', (req, res) => {
const UserToken = req.headers.authorization;
// GOOD: first decode without signature verification and then verify the signature later
jwtJsonwebtoken.decode(UserToken)
jwtJsonwebtoken.verify(UserToken, getSecret())
})
app.listen(port, () => {

43
javascript/ql/test/query-tests/Security/CWE-321-noVerification/jwtNoVerification.expected
View File

@@ -1,5 +1,38 @@
| NoVerification.js:20:28:20:36 | UserToken | This Token is Decoded in without signature validatoin |
| NoVerification.js:25:28:25:37 | UserToken2 | This Token is Decoded in without signature validatoin |
| NoVerification.js:29:16:29:24 | UserToken | This Token is Decoded in without signature validatoin |
| NoVerification.js:32:20:32:28 | UserToken | This Token is Decoded in without signature validatoin |
| NoVerification.js:37:23:37:31 | UserToken | This Token is Decoded in without signature validatoin |
nodes
| NoVerification.js:68:11:68:47 | UserToken |
| NoVerification.js:68:23:68:47 | req.hea ... ization |
| NoVerification.js:68:23:68:47 | req.hea ... ization |
| NoVerification.js:71:28:71:36 | UserToken |
| NoVerification.js:71:28:71:36 | UserToken |
| NoVerification.js:72:28:72:36 | UserToken |
| NoVerification.js:72:28:72:36 | UserToken |
| NoVerification.js:76:11:76:47 | UserToken |
| NoVerification.js:76:23:76:47 | req.hea ... ization |
| NoVerification.js:76:23:76:47 | req.hea ... ization |
| NoVerification.js:79:28:79:36 | UserToken |
| NoVerification.js:79:28:79:36 | UserToken |
| NoVerification.js:83:11:83:47 | UserToken |
| NoVerification.js:83:23:83:47 | req.hea ... ization |
| NoVerification.js:83:23:83:47 | req.hea ... ization |
| NoVerification.js:86:28:86:36 | UserToken |
| NoVerification.js:86:28:86:36 | UserToken |
| NoVerification.js:87:28:87:36 | UserToken |
| NoVerification.js:87:28:87:36 | UserToken |
edges
| NoVerification.js:68:11:68:47 | UserToken | NoVerification.js:71:28:71:36 | UserToken |
| NoVerification.js:68:11:68:47 | UserToken | NoVerification.js:71:28:71:36 | UserToken |
| NoVerification.js:68:11:68:47 | UserToken | NoVerification.js:72:28:72:36 | UserToken |
| NoVerification.js:68:11:68:47 | UserToken | NoVerification.js:72:28:72:36 | UserToken |
| NoVerification.js:68:23:68:47 | req.hea ... ization | NoVerification.js:68:11:68:47 | UserToken |
| NoVerification.js:68:23:68:47 | req.hea ... ization | NoVerification.js:68:11:68:47 | UserToken |
| NoVerification.js:76:11:76:47 | UserToken | NoVerification.js:79:28:79:36 | UserToken |
| NoVerification.js:76:11:76:47 | UserToken | NoVerification.js:79:28:79:36 | UserToken |
| NoVerification.js:76:23:76:47 | req.hea ... ization | NoVerification.js:76:11:76:47 | UserToken |
| NoVerification.js:76:23:76:47 | req.hea ... ization | NoVerification.js:76:11:76:47 | UserToken |
| NoVerification.js:83:11:83:47 | UserToken | NoVerification.js:86:28:86:36 | UserToken |
| NoVerification.js:83:11:83:47 | UserToken | NoVerification.js:86:28:86:36 | UserToken |
| NoVerification.js:83:11:83:47 | UserToken | NoVerification.js:87:28:87:36 | UserToken |
| NoVerification.js:83:11:83:47 | UserToken | NoVerification.js:87:28:87:36 | UserToken |
| NoVerification.js:83:23:83:47 | req.hea ... ization | NoVerification.js:83:11:83:47 | UserToken |
| NoVerification.js:83:23:83:47 | req.hea ... ization | NoVerification.js:83:11:83:47 | UserToken |
#select

2
javascript/ql/test/query-tests/Security/CWE-321-noVerification/jwtNoVerification.qlref
View File

@@ -1 +1 @@
Security/CWE-321-noVerification/jwtNoVerification.ql
Security/CWE-321-noVerification/JsonWebToken.ql